Joomla Reverse Shell Plugin

by Vince

I thought I'd written about this previously but a quick search yields zero results.  Basically, the idea here is that we've compromised a Joomla system and we want to get a reverse shell on the underlying system.  We could modify the existing site but that's a lot more destructive, and sometimes more difficult, than just figuring out how to make a plugin.  In the example below, I've used the instructions for creating a plugin for an older version of Joomla but I've deployed it on Joomla 4 so it's still a valid method.

Let's start with brute forcing the Joomla login.  We find a Joomla server, we move to the admin page and we enter in a bogus username and password.  

We capture that request and we move it over to Burp Intruder.  We identify the parameter we want to brute force:

We then feed our password list into the payloads:

We add the failed login message.  The idea here is that sometimes we can get an HTTP status code change and that will identify the password.  However, that is not the case with this Joomla instance.

When we launch the attack, we are going to focus on the content length.  Note -- they are all the same length.

That is -- until we get to the actual password.  That's when the length changes.
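The same signal is visible to whoever owns the server. As an added example (not part of the original post), this sketch scans an access log for a source that sends many login POSTs and reports any response whose size breaks the otherwise constant pattern. The combined log format, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" access-log line (the log format is an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ADMIN_LOGIN = "/administrator/index.php"  # Joomla administrator login path
MIN_ATTEMPTS = 5                          # assumed alerting threshold

# Constructed sample: six same-sized responses, then one that differs,
# plus a single ordinary administrator login from another address.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:10:00:0{i} +0000] '
    f'"POST /administrator/index.php HTTP/1.1" 200 {size} "-" "-"'
    for i, size in enumerate([5512] * 6 + [1204])
] + [
    '198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] '
    '"POST /administrator/index.php HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:10:01:05 +0000] '
    '"GET /administrator/index.php?option=com_plugins HTTP/1.1" 200 9001 "-" "-"',
]

def find_login_bruteforce(lines, min_attempts=MIN_ATTEMPTS):
    """Flag IPs with many login POSTs and list responses that break the size pattern."""
    posts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != ADMIN_LOGIN:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        posts[m["ip"]].append((m["ts"], size))
    findings = {}
    for ip, hits in posts.items():
        if len(hits) < min_attempts:
            continue
        # The most common size is taken as the failed-login response.
        baseline, _ = Counter(size for _, size in hits).most_common(1)[0]
        # Any other size is a candidate successful guess worth investigating.
        outliers = [(ts, size) for ts, size in hits if size != baseline]
        findings[ip] = {"attempts": len(hits), "baseline": baseline,
                        "outliers": outliers}
    return findings

if __name__ == "__main__":
    for ip, finding in find_login_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

An entry with a non-empty `outliers` list means the guessing run may have ended in a valid login, so the account's password and the installed extensions should be reviewed.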

Great, we have a password.  Prior to logging in, we need to set up our reverse shell plugin.  We need three files.  First, we need an XML file to describe the plugin:

Next, we need our PHP which contains the line for the reverse shell:

Finally, we need an empty index.html file.  We zip up all three files.

We upload the file to Joomla:

We have our plugin installed -- all that remains is to enable it.

We enable the plugin and we catch our shell.