Discovery and Enum

  • second most used CMS after WordPress - written in PHP and backed by MySQL
  • notable users include eBay, Yamaha, Harvard University, and the UK government

Discovery

  • again, check the meta tags <meta> for Joomla
    • curl -s http://dev.inlanefreight.local/ | grep Joomla
  • Joomla's /robots.txt is usually large and characteristic, so it is a quick giveaway
  • the default Joomla favicon is another indicator
  • find the version from the README.txt file
    • curl -s http://dev.inlanefreight.local/README.txt | head -n 5
  • In certain Joomla installs, we may be able to fingerprint the version from JavaScript files in the media/system/js/ directory or by browsing to administrator/manifests/files/joomla.xml.
    • curl -s http://dev.inlanefreight.local/administrator/manifests/files/joomla.xml | xmllint --format -
  • The cache.xml file can help to give us the approximate version. It is located at plugins/system/cache/cache.xml.

Using droopescan

  • source ~/tools/droopescan/bin/activate
  • droopescan scan joomla --url http://dev.inlanefreight.local/
  • returns possible version numbers and interesting URL paths

Using JoomlaScan

  • https://github.com/drego85/JoomlaScan
    • sudo python2.7 -m pip install urllib3
    • sudo python2.7 -m pip install certifi
    • sudo python2.7 -m pip install bs4
  • installed in ~/tools
  • python2.7 joomlascan.py -u http://dev.inlanefreight.local

Brute force using joomla-bruteforce

  • python3 joomla-brute.py -u http://10.10.10.150 -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
    • -p or --proxy http://127.0.0.1:8080
    • -v or --verbose
    • -U or --userlist /usr/share/wordlists/SecLists/Usernames/Names/names.txt
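Added defender-side example, not part of these notes or of the tools above: the scanning and brute-force activity described here leaves a clear footprint in the web server access log. The script parses Apache combined-format lines and flags sources that burst POSTs at the Joomla backend login (assumed to be /administrator/index.php) or request the version-disclosure files listed earlier; the log lines, IPs and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache "combined" log format; the timestamp is parsed with its %z offset.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
# Version-disclosure paths from the notes above; requests for them are the footprint scanners leave.
FINGERPRINT_PATHS = {"/README.txt", "/administrator/manifests/files/joomla.xml",
                     "/plugins/system/cache/cache.xml"}
LOGIN_PATH = "/administrator/index.php"  # assumed Joomla backend login target

def parse_line(line):
    """Return one log line's fields as a dict, or None if it does not match."""
    if not (m := LOG_RE.match(line)):
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect(lines, window_s=60, threshold=5):
    """Return (brute_ips, fingerprint_ips): >= threshold login POSTs inside any window_s span."""
    posts, fingerprinting = defaultdict(list), set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] in FINGERPRINT_PATHS:
            fingerprinting.add(rec["ip"])
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            posts[rec["ip"]].append(rec["ts"])
    brute = set()
    for ip, times in posts.items():
        times.sort()
        start = 0  # sliding window: drop timestamps older than window_s
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                brute.add(ip)
                break
    return brute, fingerprinting

def _line(ip, ts, method, path):  # builds one constructed sample log line
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'

# Constructed sample: six POSTs in 25 s (brute force), five POSTs over 40 min (normal), one scanner.
SAMPLE_LOG = (
    [_line("10.10.14.5", f"01/Jan/2024:10:00:{s:02d} +0000", "POST", LOGIN_PATH)
     for s in range(0, 30, 5)]
    + [_line("10.10.14.9", f"01/Jan/2024:10:{m:02d}:00 +0000", "POST", LOGIN_PATH)
       for m in range(0, 50, 10)]
    + [_line("10.10.14.7", "01/Jan/2024:10:01:00 +0000", "GET", p)
       for p in ("/README.txt", "/administrator/manifests/files/joomla.xml")]
)
```

Widening the window (for example 3600 s) also catches the slow source, which is the trade-off between low-and-slow guessing and false positives from legitimate admins.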