🧞‍♂️CMS

Herramientas para CMS

CMSmap

cmsmap.py domain

WordPress

1. Directorios/rutas por defecto

  • /wp-admin/

    • /wp-admin/install.php

    • /wp-admin/admin-ajax.php

  • /wp-includes/version.php

  • /wp-includes/cache.php

  • /wp-activate.php

  • /wp-update/

  • /wp-cron.php

  • /wp-blog-header.php

  • /wp-links-opml.php

  • /wp-content/uploads/db-backup

  • /wp-content/debug.log

  • /wp-json/

    • /wp-json/wp/v2/settings

    • /wp-json/wp/v2/users

  • /wp-login.php

  • /xmlrpc.php

  • /wp-cron.php

  • /readme.html

  • /license.txt

  • /author-sitemap.xml

2. Enumeración de usuarios

  • /?author[]=

  • /?author=0

  • /?author=1

  • /blog/

  • Fuerza bruta a través del domain/login y funcionalidad "contraseña olvidada"

3. WP Version

  • /readme.html

  • /license.txt

  • / source code ->

  • /wp-includes/version.php

  • /wp-admin/upgrade.php

  • /wp-links-opml.php

  • /feed/rdf/

  • /feed/atom/

  • /feed/ => source code && XML

4. Análisis

wpscan --disable-tls-checks --detection-mode aggressive --url domain --password-attack xmlrpc-multicall --plugins-detection passive --themes-detection passive --timthumbs-detection passive --db-exports-detection passive --users-detection passive --usernames username.txt --passwords /usr/share/wordlists/rockyou.txt

Recurso:

Explotación del fichero xmlrpc.php

Drupal

1. Directorios/rutas por defecto

  • robots.txt

  • CHANGELOG.txt

  • cron.php

  • INSTALL.mysql.txt

  • INSTALL.pgsql.txt

  • INSTALL.txt

  • LICENSE.txt

  • MAINTAINERS.txt

2. Análisis

nmap --script=http-drupal-enum,http-drupal-enum-users

Droopescan

droopescan scan drupal -u dominio

Drupalggedon - Vulnerabilidad de RCE

Recurso:

https://hackertarget.com/drupal-security-scan/

Liferay

1. Directorios/rutas por defecto

  • /api/jsonws

  • /tunnel-web/secure/webdav/

  • /data/document_library

  • /web/guest/

  • /web/guest/community/wiki/

  • /web/guest/community/blogs/

  • /_vti_bin/shtml.dll/_vti_rpc

2. Credenciales por defecto

  • 2:test

  • test@liferay.com:test

  • default@liferay.com:password

  • user@liferay.com:bitnami

3. Portlets

  • /html/portlet/NOMBRE_PORTLET/view.jsp

  • /?p_p_id=ID_PORTLET&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_3_struts_action=%2Fsearch%2Fsearch

Recursos: https://web.liferay.com/es/community/wiki/-/wiki/Main/Portlet+IDs https://github.com/bcoles/LiferayScan/blob/master/data/portlets.txt

Joomla

1. Directorios/rutas por defecto

2. Análisis

usuario por defecto - admin2:secret

Magento

1. Directorios/rutas por defecto

  • Magento 1.9 and older:

    • app/etc/local.xml

  • Magento 2:

    • app/etc/env.php

2. Análisis

usuario por defecto --> user:bitnami1

Moodle

1. Directorios/rutas por defecto

  • admin/ - code to administrate the whole server

  • auth/ - plugin modules to authenticate users

  • blocks/ - plugin modules for the little side blocks on many pages

  • calendar/ - all the code for managing and displaying calendars

  • course/ - code to display and manage courses

  • files/ - code to display and manage uploaded files

  • lang/ - texts in different languages, one directory per language

  • lib/ - libraries of core Moodle code

  • login/ - code to handle login and account creation

  • mod/ - all the main Moodle course modules are here

  • pix/ - generic site graphics

  • repository/ - code to handle the 2.x file handling system

  • theme/ - theme packs/skins to change the look of the site

  • user/ - code to display and manage users

2. Análisis

PrestaShop

1. Directorios/rutas por defecto

  • /api/configurations

  • /admin

  • /store/admin

  • app/AppKernel.php

  • config/settings.inc.php

  • /config/autoload.php

  • config/settings.inc.php (in PrestaShop v1.6)

  • config/autoload.php (in PrestaShop v1.7) and check the value of PS_VERSION

Recursos

Previous7. LFI/RFINextAPIs

Last updated