Pentesting CMS : Wordpress Joomla Drupal
Pentesting CMS : Wordpress Joomla Drupal
Sometimes we might get CMS based website or application to do perform VAPT. Pentesting CMS is just like a head ache, Because in CMS the back-end codes are mostly pre-defined as CMS nature and behaviour, Any one can download the CMS package and create his website or blog in seconds without knowing any knowledge of coding and extra skills.
So finally while Pentesting CMS we have to fight with the pre-define codes or you can Static code which id designed by experts like wordpress, drupal, joomla etc.
First of all we have to map our target for structured view. It will better if we crawl our target using different tools like Burp will be the great option, Apart from this we can use "dirb" present in kali linux which will brute force the URI and directory name for possible existence.
After crawling we can look out for the interesting thing, Now in CMS enumeration is the most important part because as per the CMS default folder and page name will be the same, But it might be possible that developer had also included or added some kind of custom codes according to their need. So looking into the these details might expose sensitive information.
Crawling is also important if we are testing some other CMS like Modx, Exponent , Wolf CMS etc. Because the standard tools are only available for top level CMS like Wordpress, Joomla, Drupal Etc.
Now we are moving to the automated testing of CMS using different tools and scripts.These are many tools available which can help us to quickly look in to existed vulnerability in CMS. According to top CMS there are different tools available for WordPress, Drupal, Joomla. Using them separately will be a head ache, So recently a new tools has released called "CMSMAP" which have all of 3 tools functionality in itself.
Currently we are assuming that our target domain is - http://192.168.65.131/wordpress/
There are many option available in this tool, I will try to summarise them all.
./cmsmap.py -t http://192.168.65.131[target]/wordpress
This command will perform all scan like getting version, existing plugins, directory listing bugs etc.
You can also use the an another tool which we do similar test like given.
After getting this information, Our first approach should concentrate on version of the CMS and the installed plugin.
If the version is older then present and if it was vulnerable by some kind of vulnerabilities which can help you out to get some meal.
Some times due to some security plugins this scanner will not work and stop after execution, So you need to give user agent value by yourself using --user-agent ( look for the other option as well )
For example i would be suggest you this post, That was one of my finding . Suppose while scanning you fingered out that Wolf CMS Version Is 0.8.2, Then you can look/google for his ready-made exploit or vulnerability like this.
https://www.exploit-db.com/exploits/38000/
These types of exploits have step by step information which you can use to exploit your target. Keep in mind the exploit can be of anything like CMS Version, Theme/Module/Extension, Third Party App Etc. You have to look into every details for the possible exploit.
Admin panel would be a great place to get some meal. Every CMS have his default location for admin panel like wordpress cms hace site/wp-login.php like others.If you didn't find any admin panel then it might possible that developer has create some smart move against attacker, So now we can also try to brute for admin location using "Dirbuster" and Burp.
For demonstration i had used 5 location as payloads in burp, Here is the preview
So we can try to find out the admin panel, Now we have to guess/enumerate the username for brute forcing.
Most probably you will see that many cms provide Post Time & Post By Link on top of the every page.
When you will click on that Name it will send you to the author page. In url of the same page you can found out the username in front of /author/ Ex. the user name of this site is "iamthetargetuseradmin"
This url value can be change by developer so this an alternate option to found out the username of our target along with you can CMSMap which we seen in top will also helpful to found the username as well.
This is a wordpress cmc example, But if you are facing other cms then you can look for similar way.
Now its time to brute the admin panel. For brute forcing you can different tools, I mostly preferred CMSMAp and Burp Suite.
I am showing the example of CMSMap.
./cmsmap.py -t http://192.168.65.131/wordpress/ -u admin -p /root/wpcrack.txt
This command will by default take the default login page of wordpress and start brute forcing as per the option,
-i standforusername/usernamelist & -p passwordlist
As you can in this screen shot, I already created a txt file with some password [ username is admin & password is also admin for demonstration] . Now you can see that CMSMap failed to found valid credentials! Because CMSMap by default using "xmlrpc" file which is used by Wordpress for API calls to perform brute forcing.
In my example given wordpress is not using "xmlrcp" is depend on the functionality of the wordpress like wordpress popular plugin called "jetpack" use xmlrcp to be enable for working perfectly.
So we have to instruct CMSMap to do not use xmlrcp for brute forcing.So we can an option "--noxmlrpc" for this .Example is given below
./cmsmap.py -t http://192.168.65.131/wordpress/ -u admin -p /root/wpcrack.txt --noxmlrpc
We found valid credentials, Now CMSMap will ask you for the upload a shell, After pressing "Y" it will try to upload a custom shell in writable theme pages. If he succeed it will prompt you with the Shell URL.
Given example might not work on most cases, Because mostly theme may not be writeable by an admin.So you can try the 2nd option. Just try to find a vulnerable plugin/module/extension depends on cms which kind of third party tools/script it accept in exploit-db.com or somewhere else which store vulnerable applications exploit for other pentesters/hackers and upload it to target website after login, Then follow the steps given in exploit details. Keep in mind before uploading the vulnerable plugin make sure that it is also compatible with version which you are pentesting right now, because it might cause your target site down or unavailable due to non-compatibility.
Here is some useful information which might useful while pentesting wordpress, drupal & joomla
Wordpress
Default files: “readme.html”, “license.txt”
Configuration file location: [examplesitefortesting.com]/wp-config.php
Administrator login location: [examplesitefortesting.com]/wp-login.php
Plugin location: [examplesitefortesting.com]/wp-content/plugins
Drupal
Default files: “CHANGELOG.txt”, “UPGRADE.txt”, “README.txt”
Configuration file location: [examplesitefortesting.com]/sites/default/settings.php
Plugin location: [examplesitefortesting.com]/?q=[pluginname]
Joomla
Default files: “joomla.xml”, “README.txt”, “htaccess.txt”
Configuration file location: [examplesitefortesting.com]/configuration.php
Administrator login location: [examplesitefortesting.com]/administrator
Plugin location: [examplesitefortesting.com]/index.php?option=[pluginname]
If you have any other idea or something to improve kindly comment below. :)
ReplyDeletethis article is very useful for me to know about web development...,
thank you for sharing this article..,
Apple Infoway Pvt Ltd
Indian Web Developers is the best Website Development Company India which specializes in web designing and developing custom websites at affordable rates. IWD are the top web development company in India with experience on Wordpress Development, Laravel Development and magento development. We have expert website developers and Web design India who can work full time, part time or hourly to design custom websites.
ReplyDeleteThe information you shared in the blog about CMS is very helpful for my future endeavors. Its highly recommended, I appreciate your writing style its awesome!
ReplyDeleteTo Hire Drupal Developer visit Mobiwebtech.com
This comment has been removed by the author.
ReplyDeletePenetration Testing Services in chennai
ReplyDeleteVAPT Services in Chennai
BCP services in chennai
Soc Service Provider In chennai
Business Continuity management service in chennai
Cyber attack recovery services in chennai
Thanks for sharing this information.
ReplyDeleteApptians is the Best Staffing Company in Delhi and top Resource Augmentation company in Delhi NCR, Noida, Faridabad, Gurgaon, India. Dedicated React JS Developers and React Native developers can be hired from Apptians.
Thanks for sharing this information.
ReplyDeleteApptians is the Best Staffing Company in Delhi and top Resource Augmentation company in Delhi NCR, Noida, Faridabad, Gurgaon, India. Dedicated React JS Developers and React Native developers can be hired from Apptians.
Penetration Testing A very awesome blog post. We are really grateful for your blog post. You will find a lot of approaches after visiting your post.
ReplyDeleteThanks for sharing this information.
ReplyDeleteBiharapps is the best website design agency and mobile app development company in Dubai, UAE. Top andoid app developers and iOS app developers , web designers in Dubai, UAE and Software development company in Dubai, UAE. We are Digital Marketing Agency and SEO Company in UAE.
Apptians is the best digital marketing agency in Delhi NCR, Noida, Gurgaon, Faridabad, India providing digital marketing services to its customers. We are top digital marketing company in New Delhi NCR. We do SEO, SMO, PPC campaign and email marketing.
ReplyDeleteApptians is a leading SEO Agency in Delhi, Noida, Gurgaon, Faridabad, NCR, India and Website Development Company in New Delhi, India providing custom web design and development, magento website development, and ecommerce website development. We are also one of the reputed software companies in Delhi NCR dealing in Mobile app development including Android applications, iOS applications and Windows applications. We are trusted SEO Agency in Delhi, India. We are doing SEO, SMO, email marketing, digital marketing and running PPC campaigns for our customers.
ACE Infra is the Best Construction Material Wholesaler in Jaipur and a leading Aggregate and Concrete Supplier in Jaipur, Rajasthan. We provide different Wholesale Building Material like M-Sand, P-Sand, Grit , Dust, brick, Bajri, TMT, ACC Block, Concrete Paver and Block as well as Cement.
ReplyDeleteI am really happy to say it’s an interesting post to read. I learn new information from your article, you are doing a great job. Keep it up
ReplyDeleteHire Dedicated HTML5 Developers
Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I'll be subscribing to your feed and I hope you post again soon. Big thanks for the useful info. Wordpress Brisbane
ReplyDelete