CMS

Herramientas para CMS
​CMSmap​
cmsmap.py domain
WordPress
1. Directorios/rutas por defecto
/wp-admin/
/wp-admin/install.php
/wp-admin/admin-ajax.php
/wp-includes/version.php
/wp-includes/cache.php
/wp-activate.php
/wp-update/
/wp-cron.php
/wp-blog-header.php
/wp-links-opml.php
/wp-content/uploads/db-backup
/wp-content/debug.log
/wp-json/
/wp-json/wp/v2/settings
/wp-json/wp/v2/users
/wp-login.php
/xmlrpc.php
/wp-cron.php
/readme.html
/license.txt
/author-sitemap.xml
2. Enumeración de usuarios
/?author[]=
/?author=0
/?author=1
/blog/
Fuerza bruta a través del domain/login y funcionalidad "contraseña olvidada"
3. WP Version
/readme.html
/license.txt
/ source code ->
/wp-includes/version.php
/wp-admin/upgrade.php
/wp-links-opml.php
/feed/rdf/
/feed/atom/
/feed/ => source code && XML
4. Análisis
​WPScan​
wpscan --disable-tls-checks --detection-mode aggressive --url domain --password-attack xmlrpc-multicall --plugins-detection passive --themes-detection passive --timthumbs-detection passive --db-exports-detection passive --users-detection passive --usernames username.txt --passwords /usr/share/wordlists/rockyou.txt
Recurso: 
​Explotación del fichero xmlrpc.php​
Drupal
1. Directorios/rutas por defecto
robots.txt
CHANGELOG.txt
cron.php
INSTALL.mysql.txt
INSTALL.pgsql.txt
INSTALL.txt
LICENSE.txt
MAINTAINERS.txt
2. Análisis
nmap --script=http-drupal-enum,http-drupal-enum-users
​Droopescan​
droopescan scan drupal -u dominio
Drupalggedon - Vulnerabilidad de RCE 
Recurso: 
​https://hackertarget.com/drupal-security-scan/​
Liferay
1. Directorios/rutas por defecto
/api/jsonws
/tunnel-web/secure/webdav/
/data/document_library
/web/guest/
/web/guest/community/wiki/
/web/guest/community/blogs/
/_vti_bin/shtml.dll/_vti_rpc
2. Credenciales por defecto
2:test
[email protected]:test
[email protected]:password
[email protected]:bitnami
3. Portlets
/html/portlet/NOMBRE_PORTLET/view.jsp
/?p_p_id=ID_PORTLET&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_3_struts_action=%2Fsearch%2Fsearch
​
Recursos:
https://web.liferay.com/es/community/wiki/-/wiki/Main/Portlet+IDs
https://github.com/bcoles/LiferayScan/blob/master/data/portlets.txt​
Joomla
1. Directorios/rutas por defecto
2. Análisis
usuario por defecto - admin2:secret
Magento
1. Directorios/rutas por defecto
Magento 1.9 and older:
app/etc/local.xml
Magento 2:
app/etc/env.php
2. Análisis
usuario por defecto --> user:bitnami1
Moodle
1. Directorios/rutas por defecto
admin/ - code to administrate the whole server
auth/ - plugin modules to authenticate users
blocks/ - plugin modules for the little side blocks on many pages
calendar/ - all the code for managing and displaying calendars
course/ - code to display and manage courses
files/ - code to display and manage uploaded files
lang/ - texts in different languages, one directory per language
lib/ - libraries of core Moodle code
login/ - code to handle login and account creation
mod/ - all the main Moodle course modules are here
pix/ - generic site graphics
repository/ - code to handle the 2.x file handling system
theme/ - theme packs/skins to change the look of the site
user/ - code to display and manage users
2. Análisis
Comprobar versión -> RCE en versiones inferiores a 3.5.0​
PrestaShop
1. Directorios/rutas por defecto
/api/configurations
/admin
/store/admin
app/AppKernel.php
config/settings.inc.php
/config/autoload.php
config/settings.inc.php (in PrestaShop v1.6)
config/autoload.php (in PrestaShop v1.7) and check the value of PS_VERSION
​
Recursos
Payloads de directorios: https://github.com/payloadbox/directory-payload-list/tree/master/Intruder​

Web

APIs

Last modified 1yr ago