CMS

Herramientas para CMS

cmsmap.py domain

WordPress

1. Directorios/rutas por defecto

• /wp-admin/

  • /wp-admin/install.php

  • /wp-admin/admin-ajax.php

• /wp-includes/version.php

• /wp-includes/cache.php

• /wp-activate.php

• /wp-update/

• /wp-cron.php

• /wp-blog-header.php

• /wp-links-opml.php

• /wp-content/uploads/db-backup

• /wp-content/debug.log

• /wp-json/

  • /wp-json/wp/v2/settings

  • /wp-json/wp/v2/users

• /wp-login.php

• /xmlrpc.php

• /wp-cron.php

• /readme.html

• /license.txt

• /author-sitemap.xml

2. Enumeración de usuarios

• /?author[]=

• /?author=0

• /?author=1

• /blog/

• Fuerza bruta a través del domain/login y funcionalidad "contraseña olvidada"

3. WP Version

• /readme.html

• /license.txt

• / source code ->

• /wp-includes/version.php

• /wp-admin/upgrade.php

• /wp-links-opml.php

• /feed/rdf/

• /feed/atom/

• /feed/ => source code && XML

4. Análisis

wpscan --disable-tls-checks --detection-mode aggressive --url domain --password-attack xmlrpc-multicall --plugins-detection passive --themes-detection passive --timthumbs-detection passive --db-exports-detection passive --users-detection passive --usernames username.txt --passwords /usr/share/wordlists/rockyou.txt

Drupal

1. Directorios/rutas por defecto

• robots.txt

• CHANGELOG.txt

• cron.php

• INSTALL.mysql.txt

• INSTALL.pgsql.txt

• INSTALL.txt

• LICENSE.txt

• MAINTAINERS.txt

2. Análisis

nmap --script=http-drupal-enum,http-drupal-enum-users

droopescan scan drupal -u dominio

Liferay

1. Directorios/rutas por defecto

• /api/jsonws

• /tunnel-web/secure/webdav/

• /data/document_library

• /web/guest/

• /web/guest/community/wiki/

• /web/guest/community/blogs/

• /_vti_bin/shtml.dll/_vti_rpc

2. Credenciales por defecto

• 2:test

• test@liferay.com:test

• default@liferay.com:password

• user@liferay.com:bitnami

3. Portlets

• /html/portlet/NOMBRE_PORTLET/view.jsp

• /?p_p_id=ID_PORTLET&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_3_struts_action=%2Fsearch%2Fsearch

Joomla

1. Directorios/rutas por defecto

2. Análisis

usuario por defecto - admin2:secret

Magento

1. Directorios/rutas por defecto

• Magento 1.9 and older:

  • app/etc/local.xml

• Magento 2:

  • app/etc/env.php

2. Análisis

usuario por defecto --> user:bitnami1

Moodle

1. Directorios/rutas por defecto

• admin/ - code to administrate the whole server

• auth/ - plugin modules to authenticate users

• blocks/ - plugin modules for the little side blocks on many pages

• calendar/ - all the code for managing and displaying calendars

• course/ - code to display and manage courses

• files/ - code to display and manage uploaded files

• lang/ - texts in different languages, one directory per language

• lib/ - libraries of core Moodle code

• login/ - code to handle login and account creation

• mod/ - all the main Moodle course modules are here

• pix/ - generic site graphics

• repository/ - code to handle the 2.x file handling system

• theme/ - theme packs/skins to change the look of the site

• user/ - code to display and manage users

2. Análisis

PrestaShop

1. Directorios/rutas por defecto

• /api/configurations

• /admin

• /store/admin

• app/AppKernel.php

• config/settings.inc.php

• /config/autoload.php

• config/settings.inc.php (in PrestaShop v1.6)

• config/autoload.php (in PrestaShop v1.7) and check the value of PS_VERSION

Recursos