CMS (Content Management System) is very popular, easy to install and mostly setup once and forget by “admins”.
In general, there are quite serious vulnerabilities in popular CMS, as is the case with any software. Bugs are patched fairly quickly. Responsible companies and administrators install patches ASAP. Due to the fact that anyone without knowledge can build a website based on one of the popular CMS, there are millions of them on the web. Unfortunately, most not updated. Each CMS also has the ability to install themes and addons, which are also vulnerable. Often, themes and addons are abandoned after few years if not developed by professionals.
Thanks to this, you can get access to many servers and a mass of data. Private blogs, educational systems, small and large communities, small and medium-sized companies but also, unfortunately, government institutions. How many times has a political group, state institution or health service put a website on WordPress, Joomla or Drupal, and don’t give a fuck for service or support, leaking out data for each script kiddie.
The beginnings of my career are private companies supporting the public sector. I even worked for a state-owned company once. I do not know if in all countries, but in Poland, the public sector is a poor salary, too many obligations and lack of training or development path. Plus, no money for anything, so if something works, don’t touch it. Safety is by definition the same as accepting the risk. Besides, you always have a supervisor over you who has no idea what you are doing, he will give out senseless orders and is your boss only because his uncle is from the party that is in charge of the country at the moment. At the next election, another idiot replaces him. Uhh, bad memories, and that’s not what the article was supposed to be about 🙂
Now, that we know all those WordPreses, Joomlas, Drupals, Moodles and other CMS-ish shit, are old and leaky, we can spoil them. Also without much knowledge, using ready-made scripts. Freedom for $crIpT kIddI3$!
It is known that when using Burp or OWASP ZAP you will always find something, but there are already solutions to help you find weak spots. Lets check them.
Multi scanners
All in one solutions. Worth to start with these for popular CMS.
Droopescan
A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
https://github.com/SamJoan/droopescan
Specified CMS scan:
1 |
droopescan scan drupal -u example.org |
Auto detect:
1 |
droopescan scan -u example.org |
Mass scan:
1 |
droopescan scan -U list_of_urls.txt |
CMSeeK
CMS Detection and Exploitation suite – Scan WordPress, Joomla, Drupal and over 180 other CMSs
https://github.com/Tuhinshubhra/CMSeeK
Usage:
1 |
python3 cmseek.py (for guided scanning) OR |
CMSScan
CMS Scanner: Scan WordPress, Drupal, Joomla, vBulletin websites for Security issues. It is using centralized Security Dashboard for CMS Security scans. It is powered by wpscan, droopescan, vbscan and joomscan.
https://github.com/ajinabraham/CMSScan
Run web interface:
WordPress
WordPress CMS vulnerability scanners.
WPScan
WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.
https://github.com/wpscanteam/wpscan
Default scan:
1 |
wpscan --url example.com |
To use WPScan’s enumeration capabilities supply the -e option.
The following enumeration options exist:
If no option is supplied to the -e flag, then the default will be: vp,vt,tt,cb,dbe,u,m
Password brute force attack:
1 |
wpscan --url example.com -e u --passwords /path/to/password_file.txt |
WPForce
WPForce is a suite of WordPress Attack tools.
https://github.com/n00py/WPForce
1 |
python wpforce.py -i usr.txt -w pass.txt -u "http://www.example.com" |
Online Scanners
There are also free online WordPress scanners.
Joomla
Joomla CMS vulnerability scanners.
JoomScan
OWASP Joomla Vulnerability Scanner Project.
https://github.com/OWASP/joomscan
Default checks:
1 |
perl joomscan.pl --url www.example.com |
Enumerate installed components:
1 |
perl joomscan.pl --url www.example.com --enumerate-components |
Drupal
Drupal CMS vulnerability scanners.
Drupwn
Drupal enumeration & exploitation tool.
https://github.com/immunIT/drupwn
Enumeration:
1 |
python3 ./drupwn --mode enum --target http://example.com/drupal |
Exploitation:
1 |
python3 ./drupwn --mode exploit --target http://example.com/drupal |
Typo3
Typo3 CMS vulnerability scanners.
Typo3Scan
Enumerate Typo3 version and extensions.
https://github.com/whoot/Typo3Scan
To get a list of all options use:
Example:
1 |
python3 typo3scan.py -d http://example.com/ --vuln |
vBulletin
vBulletin CMS vulnerability scanners.
VBScan
OWASP VBScan is a Black Box vBulletin Vulnerability Scanner.
1 |
./vbscan.pl <target> |
