CMSs: Content Management Systems

WordPress

- Version and other details

Check README.html to try to get the CMS version

wpscan -u "http://192.168.1.x"

wpscan -u "http://192.168.1.x" --wp-content-dir "wordpress-directory" (if WordPress is installed in another directory)

- Enumerate Users

wpscan -u "http://192.168.1.x" --enumerate u

- Bypass User Enumeration plugin

stop_user_enumeration_bypass.rb from wpscan (/usr/share/wpscan/stop_user_enumeration_bypass.rb)

ruby stop_user_enumeration_bypass.rb http://192.168.1.x

- Plugin Enumeration

We can use the following wordlist from SecLists https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt or enumerate plugins through wpscan

- Brute force

Once we have a valid username we can try brute-forcing with rockyou.txt or build our own wordlist with cewl:

cewl -w diccionario http://192.168.1.x
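Added example (not part of the original notes): a small Python detector, written from the defender's side, for the two WordPress patterns above, README.html version fingerprinting and a burst of failed logins. It assumes combined access-log format and that logins go through the standard wp-login.php; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (TEST-NET addresses): 203.0.113.7 fetches readme.html and
# fails four logins in six seconds; 198.51.100.2 logs in once (302 to wp-admin).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /readme.html HTTP/1.1" 200 7123',
    '203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4612',
    '203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4612',
    '198.51.100.2 - - [10/Oct/2023:13:55:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:14 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4612',
    '203.0.113.7 - - [10/Oct/2023:13:55:16 +0000] "POST /wp-login.php HTTP/1.1" 200 4612',
]

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0].lower()  # drop the query string
    return e

def detect(lines, login_threshold=4, window=timedelta(minutes=1)):
    """Return (ip, reason) findings: readme.html fingerprinting and failed-login bursts."""
    findings, flagged = [], set()
    failed_logins = defaultdict(list)  # ip -> timestamps of failed login POSTs
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        if e["path"].endswith("/readme.html") and e["status"] == 200:
            findings.append((e["ip"], "version fingerprint: readme.html fetched"))
        # WordPress re-renders the login form with HTTP 200 on failure and redirects (302) on success, so 200 on POST = failed login.
        if e["method"] == "POST" and e["path"].endswith("/wp-login.php") and e["status"] == 200:
            times = failed_logins[e["ip"]]
            times.append(e["ts"])
            while e["ts"] - times[0] > window:
                times.pop(0)  # slide the window forward
            if len(times) >= login_threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                findings.append((e["ip"], f"possible brute force: {len(times)} failed logins within {window}"))
    return findings
```

Feed it real lines (one per list element) and tune login_threshold and window to the site's normal failed-login rate; the same logic maps directly onto a SIEM rule.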

- WordPress panel RCE

Modify a PHP file of the active theme (admin credentials needed)

Appearance -> Editor -> 404 Template (on the right). Replace the content with a PHP shell, e.g. https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php, then reach it at http://<IP>/wp-content/themes/twentytwelve/404.php

To get to that file we can:

Joomla

joomscan -u {url}

./joomlavs.rb --url {url} -a -v

- Joomla panel RCE

Modify a PHP file of the active template (admin credentials needed)

Templates > in Templates select one of them > Create new file (upload web-shell.php) > check the template directory and load another item to verify it is correct > load your web shell

Drupal

Magento

Moodle
