
CMS

Tools for CMS

CMSmap
cmsmap.py domain

WordPress

1. Default directories/paths

  • /wp-admin/
    • /wp-admin/install.php
    • /wp-admin/admin-ajax.php
  • /wp-includes/version.php
  • /wp-includes/cache.php
  • /wp-activate.php
  • /wp-update/
  • /wp-cron.php
  • /wp-blog-header.php
  • /wp-links-opml.php
  • /wp-content/uploads/db-backup
  • /wp-content/debug.log
  • /wp-json/
    • /wp-json/wp/v2/settings
    • /wp-json/wp/v2/users
  • /wp-login.php
  • /xmlrpc.php
  • /readme.html
  • /license.txt
  • /author-sitemap.xml

2. User enumeration

  • /?author[]=
  • /?author=0
  • /?author=1 (a valid ID redirects to /author/<username>/)
  • /blog/
  • Brute force via the login form (domain/wp-login.php) and the "lost password" feature: the error messages differ for valid and invalid usernames

3. WP version

  • /readme.html
  • /license.txt
  • / (page source: <meta name="generator" content="WordPress x.y.z">)
  • /wp-includes/version.php
  • /wp-admin/upgrade.php
  • /wp-links-opml.php
  • /feed/rdf/
  • /feed/atom/
  • /feed/ (the <generator> element in the feed XML carries the version)

4. Analysis

wpscan --disable-tls-checks --detection-mode aggressive --url domain --password-attack xmlrpc-multicall --plugins-detection passive --themes-detection passive --timthumbs-detection passive --db-exports-detection passive --users-detection passive --usernames username.txt --passwords /usr/share/wordlists/rockyou.txt

xmlrpc-multicall only works while /xmlrpc.php is enabled; if it is blocked, fall back to --password-attack wp-login.

Drupal

1. Default directories/paths

  • robots.txt
  • CHANGELOG.txt
  • cron.php
  • INSTALL.mysql.txt
  • INSTALL.pgsql.txt
  • INSTALL.txt
  • LICENSE.txt
  • MAINTAINERS.txt

2. Analysis

nmap --script=http-drupal-enum,http-drupal-enum-users -p 80,443 domain
Droopescan
droopescan scan drupal -u domain
Drupalgeddon 2 (CVE-2018-7600) - RCE vulnerability

Liferay

1. Default directories/paths

  • /api/jsonws
  • /tunnel-web/secure/webdav/
  • /data/document_library
  • /web/guest/
  • /web/guest/community/wiki/
  • /web/guest/community/blogs/
  • /_vti_bin/shtml.dll/_vti_rpc

2. Default credentials

  • test@liferay.com:test (the stock administrator account)

3. Portlets

  • /html/portlet/PORTLET_NAME/view.jsp
  • /?p_p_id=PORTLET_ID&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_3_struts_action=%2Fsearch%2Fsearch

Joomla

1. Default directories/paths

  • /administrator/
  • /administrator/manifests/files/joomla.xml (contains the version)
  • /language/en-GB/en-GB.xml (contains the version)
  • /README.txt

2. Analysis

joomscan -u domain
default user - admin2:secret

Magento

1. Default directories/paths

  • Magento 1.9 and older:
    • app/etc/local.xml (DB credentials and crypt key)
  • Magento 2:
    • app/etc/env.php (DB credentials and crypt key)

2. Analysis

default user (Bitnami image) --> user:bitnami1

Moodle

1. Default directories/paths (source tree layout)

  • admin/ - code to administrate the whole server
  • auth/ - plugin modules to authenticate users
  • blocks/ - plugin modules for the little side blocks on many pages
  • calendar/ - all the code for managing and displaying calendars
  • course/ - code to display and manage courses
  • files/ - code to display and manage uploaded files
  • lang/ - texts in different languages, one directory per language
  • lib/ - libraries of core Moodle code
  • login/ - code to handle login and account creation
  • mod/ - all the main Moodle course modules are here
  • pix/ - generic site graphics
  • repository/ - code to handle the 2.x file handling system
  • theme/ - theme packs/skins to change the look of the site
  • user/ - code to display and manage users

2. Analysis

moodlescan -u domain

PrestaShop

1. Default directories/paths

  • /api/configurations
  • /admin
  • /store/admin
  • /app/AppKernel.php
  • /config/settings.inc.php (PrestaShop 1.6; check the value of _PS_VERSION_)
  • /config/autoload.php (PrestaShop 1.7; check the value of _PS_VERSION_)

Resources
