Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Joomla CMS Full Compromise - 523

fortbridge, posted 4 years ago
  • Joomla is a popular CMS that is similar to WordPress. Finding vulnerabilities in a CMS usually ends up being extremely impactful because of the number of sites affected by the issue.
  • The first vulnerability is a host header injection in the password reset link. When the password reset link is sent to the user, the URL in the email is built from the Host header of the request. Because an attacker controls that header, the link can point to the attacker's own website, and if the user clicks it, the reset token is leaked to the attacker.
  • The password reset functionality does not work for the Super Admin user, precisely to guard against situations like this. So the attacker has to reset a regular admin user and then find another vulnerability to escalate privileges.
  • The second vulnerability was XSS, but not a standard one. As an administrator, files can be uploaded to the server. The Joomla team restricts which file types can be uploaded but allows .html files. When the file content is rendered in the admin portal, it results in XSS.
  • Once the attacker became the Super Admin, RCE could be achieved by uploading a custom plugin. These vulnerabilities are quite simple! It is surprising that they stayed in Joomla for so many years.
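To make the first bug concrete, here is an added Python illustration (not code from the article or from Joomla) of a reset-link builder that trusts the Host header beside one that builds the link from a configured canonical origin and checks the header against an allowlist. The origin, hosts and reset path are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (assumption, not Joomla's real settings):
# the origin the application should always use in emailed links, and the
# hosts it legitimately serves.
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}
RESET_PATH = "/reset"  # hypothetical path, not Joomla's actual route


def reset_link_from_host_header(host_header: str, token: str) -> str:
    """Vulnerable pattern: the link's host comes straight from the request.

    Whoever sends the reset request chooses the Host header, so they also
    choose where the emailed token will be delivered when clicked.
    """
    return f"https://{host_header}{RESET_PATH}?token={token}"


def is_trusted_host_header(host_header: str) -> bool:
    """Normalise a Host header (strip port, case) and check the allowlist.

    IPv6 literals in brackets are not handled here; reject anything unusual.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        return False
    host = host.split(":", 1)[0]
    return host in ALLOWED_HOSTS


def reset_link_hardened(host_header: str, token: str) -> str:
    """Hardened pattern: validate the header, then ignore it anyway.

    The link is always built from the configured canonical origin, so even
    an allowlisted but unexpected alias never ends up in the email.
    """
    if not is_trusted_host_header(host_header):
        raise ValueError(f"rejected untrusted Host header: {host_header!r}")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?token={token}"


def link_host_is_trusted(link: str) -> bool:
    """Defensive check usable in tests or outbound-mail review."""
    return urlsplit(link).hostname in ALLOWED_HOSTS
```

The same canonical-origin rule applies to any absolute URL the application emails or embeds, not only password resets.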