Monday 5 November 2018

Pentesting CMS : Wordpress Joomla Drupal

Hello All, Today we will see how we can pentesting CMS like wordpress, drupal, joomla etc.

Sometimes we might get CMS based website or application to do perform VAPT. Pentesting CMS is just like a head ache, Because in CMS the back-end codes are mostly pre-defined as CMS nature and behaviour, Any one can download the CMS package and create his website or blog in seconds without knowing any knowledge of coding and extra skills.

So finally while Pentesting CMS we have to fight with the pre-define codes or you can Static code which id designed by experts like wordpress, drupal, joomla etc.

First of all we have to map our target for structured view. It will better if we crawl our target using different tools like Burp will be the great option, Apart from this we can use "dirb" present in kali linux which will brute force the URI and directory name for possible existence.

After crawling we can look out for the interesting thing, Now in CMS enumeration is the most important part because as per the CMS default folder and page name will be the same, But it might be possible that developer had also included or added some kind of custom codes according to their need. So looking into the these details might expose sensitive information.

Crawling is also important if we are testing some other CMS like Modx, Exponent , Wolf CMS etc. Because the standard tools are only available for top level CMS like Wordpress, Joomla, Drupal Etc.

Now we are moving to the automated testing of CMS using different tools and scripts.These are many tools available which can help us to quickly look in to existed vulnerability in CMS. According to top CMS there are different tools available for WordPress, Drupal, Joomla. Using them separately will be a head ache, So recently a new tools has released called "CMSMAP" which have all of 3 tools functionality in itself.

Currently we are assuming that our target domain is -

There are many option available in this tool, I will try to summarise them all.

./ -t[target]/wordpress

This command will perform all scan like getting version, existing plugins, directory listing bugs etc.

You can also use the an another tool which we do similar test like given.

After getting this information, Our first approach should concentrate on version of the CMS and the installed plugin.

If the version is older then present and if it was vulnerable by some kind of vulnerabilities which can help you out to get some meal.

Some times due to some security plugins this scanner will not work and stop after execution, So you need to give user agent value by yourself using --user-agent ( look for the other option as well )

For example i would be suggest you this post, That was one of my finding . Suppose while scanning you fingered out that Wolf CMS  Version Is 0.8.2, Then you can look/google for his ready-made exploit or vulnerability like this.

These types of exploits have step by step information which you can use to exploit your target. Keep in mind the exploit can be of anything like CMS Version, Theme/Module/Extension, Third Party App Etc. You have to look into every details for the possible exploit.

Admin panel would be a great place to get some meal. Every CMS have his default location for admin panel like wordpress cms hace site/wp-login.php like others.If you didn't find any admin panel then it might possible that developer has create some smart move against attacker, So now we can also try to brute for admin location using "Dirbuster" and Burp.

For demonstration i had used 5 location as payloads in burp, Here is the preview

So we can try to find out the admin panel, Now we have to guess/enumerate the username for brute forcing.

Most probably you will see that many cms provide Post Time & Post By Link on top of the every page.

When you will click on that Name it will send you to the author page. In url of the same page you can found out the username in front of /author/ Ex. the user name of this site is "iamthetargetuseradmin"

This url value can be change by developer so this an alternate option to found out the username of our target along with you can CMSMap which we seen in top will also helpful to found the username as well.

This is a wordpress cmc example, But if you are facing other cms then you can look for similar way.

Now its time to brute the admin panel. For brute forcing you can different tools, I mostly preferred CMSMAp and Burp Suite.

I am showing the example of CMSMap.

./ -t -u admin -p /root/wpcrack.txt

This command will by default take the default login page of wordpress and start brute forcing as per the option,

-i standforusername/usernamelist & -p passwordlist

As you can in this screen shot, I already created a txt file with some password [ username is admin & password is also admin for demonstration] . Now you can see that CMSMap failed to found valid credentials! Because CMSMap by default using "xmlrpc" file which is used by Wordpress for API calls to perform brute forcing.

In my example given wordpress is not using "xmlrcp" is depend on the functionality of the wordpress like wordpress popular plugin called "jetpack" use xmlrcp to be enable for working perfectly.

So we have to instruct CMSMap to do not use xmlrcp for brute forcing.So we can an option "--noxmlrpc" for this .Example is given below

./ -t -u admin -p /root/wpcrack.txt --noxmlrpc

We found valid credentials, Now CMSMap will ask you for the upload a shell, After pressing "Y" it will try to upload a custom shell in writable theme pages. If he succeed it will prompt you with the Shell URL.

Given example might not work on most cases, Because mostly theme may not be writeable by an admin.So you can try the 2nd option. Just try to find a vulnerable plugin/module/extension depends on cms which kind of third party tools/script it accept in or somewhere else which store vulnerable applications exploit for other pentesters/hackers and upload it to target website after login, Then follow the steps given in exploit details. Keep in mind before uploading the vulnerable plugin make sure that it is also compatible with version which you are pentesting right now, because it might cause your target site down or unavailable due to non-compatibility.

Here is some useful information which might useful while pentesting wordpress, drupal & joomla

Default files: “readme.html”, “license.txt”
Configuration file location: []/wp-config.php
Administrator login location: []/wp-login.php
Plugin location: []/wp-content/plugins

Default files: “CHANGELOG.txt”, “UPGRADE.txt”, “README.txt”
Configuration file location: []/sites/default/settings.php
Plugin location: []/?q=[pluginname]

Default files: “joomla.xml”, “README.txt”, “htaccess.txt”
Configuration file location: []/configuration.php
Administrator login location: []/administrator
Plugin location: []/index.php?option=[pluginname]

If you have any other idea or something to improve kindly comment below. :)

No comments:

Post a Comment