# CMS

## CMS tools

[CMSmap](https://github.com/dionach/CMSmap)

```
cmsmap.py domain
```

## WordPress

### 1. Default directories/paths

* /wp-admin/
  * /wp-admin/install.php
  * /wp-admin/admin-ajax.php
* /wp-includes/version.php
* /wp-includes/cache.php
* /wp-activate.php
* /wp-update/
* /wp-cron.php
* /wp-blog-header.php
* /wp-links-opml.php
* /wp-content/uploads/db-backup
* /wp-content/debug.log
* /wp-json/
  * /wp-json/wp/v2/settings
  * /wp-json/wp/v2/users
* /wp-login.php
* /xmlrpc.php
* /readme.html
* /license.txt
* /author-sitemap.xml

### 2. User enumeration

* /?author\[]=
* /?author=0
* /?author=1
* /blog/
* Brute force through domain/login and the "forgot password" functionality

### 3. WordPress version

* /readme.html
* /license.txt
* / source code ->
* /wp-includes/version.php
* /wp-admin/upgrade.php
* /wp-links-opml.php
* /feed/rdf/
* /feed/atom/
* /feed/ => source code && XML

### 4. Analysis

* [WPScan](https://github.com/wpscanteam/wpscan)

```bash
wpscan --disable-tls-checks --detection-mode aggressive --url domain --password-attack xmlrpc-multicall --plugins-detection passive --themes-detection passive --timthumbs-detection passive --db-exports-detection passive --users-detection passive --usernames username.txt --passwords /usr/share/wordlists/rockyou.txt
```

{% hint style="info" %}
Resource:

[Exploitation of the xmlrpc.php file](https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32)
{% endhint %}

## Drupal

### 1. Default directories/paths

* robots.txt
* CHANGELOG.txt
* cron.php
* INSTALL.mysql.txt
* INSTALL.pgsql.txt
* INSTALL.txt
* LICENSE.txt
* MAINTAINERS.txt

### 2. Analysis

```
nmap --script=http-drupal-enum,http-drupal-enum-users
```

[Droopescan](https://github.com/droope/droopescan)

```
droopescan scan drupal -u dominio
```

Drupalgeddon - [RCE vulnerability](https://www.incibe-cert.es/alerta-temprana/vulnerabilidades/cve-2018-7600)

{% hint style="info" %}
Resource:

<https://hackertarget.com/drupal-security-scan/>
{% endhint %}

## Liferay

### 1. Default directories/paths

* /api/jsonws
* /tunnel-web/secure/webdav/
* /data/document\_library
* /web/guest/
* /web/guest/community/wiki/
* /web/guest/community/blogs/
* /\_vti\_bin/shtml.dll/\_vti\_rpc

### 2. Default credentials

* 2:test
* <test@liferay.com>:test
* <default@liferay.com>:password
* <user@liferay.com>:bitnami

### 3. Portlets

* /html/portlet/NOMBRE\_PORTLET/view\.jsp
* /?p\_p\_id=ID\_PORTLET\&p\_p\_lifecycle=0\&p\_p\_state=maximized\&p\_p\_mode=view&\_3\_struts\_action=%2Fsearch%2Fsearch

{% hint style="info" %}
Resources:\
<https://web.liferay.com/es/community/wiki/-/wiki/Main/Portlet+IDs>\
<https://github.com/bcoles/LiferayScan/blob/master/data/portlets.txt>
{% endhint %}

## Joomla

### 1. Default directories/paths

### 2. Analysis

Default user - admin2:secret

## Magento

### 1. Default directories/paths

* Magento 1.9 and older:
  * app/etc/local.xml
* Magento 2:
  * app/etc/env.php

### 2. Analysis

Default user --> user:bitnami1

## Moodle

### 1. Default directories/paths

* admin/ - code to administrate the whole server
* auth/ - plugin modules to authenticate users
* blocks/ - plugin modules for the little side blocks on many pages
* calendar/ - all the code for managing and displaying calendars
* course/ - code to display and manage courses
* files/ - code to display and manage uploaded files
* lang/ - texts in different languages, one directory per language
* lib/ - libraries of core Moodle code
* login/ - code to handle login and account creation
* mod/ - all the main Moodle course modules are here
* pix/ - generic site graphics
* repository/ - code to handle the 2.x file handling system
* theme/ - theme packs/skins to change the look of the site
* user/ - code to display and manage users

### 2. Analysis

* Check version -> [RCE in versions below 3.5.0](https://blog.ripstech.com/2018/moodle-remote-code-execution/)

## PrestaShop

### 1. Default directories/paths

* /api/configurations
* /admin
* /store/admin
* app/AppKernel.php
* config/settings.inc.php
* /config/autoload.php
* config/settings.inc.php (in PrestaShop v1.6)
* config/autoload.php (in PrestaShop v1.7) and check the value of *PS\_VERSION*

## Resources

* Directory payloads: <https://github.com/payloadbox/directory-payload-list/tree/master/Intruder>

