# CMS

## CMS tools

[CMSmap](https://github.com/dionach/CMSmap)

```bash
cmsmap.py domain
```

## WordPress

### 1. Default directories/paths

* /wp-admin/
  * /wp-admin/install.php
  * /wp-admin/admin-ajax.php
* /wp-includes/version.php
* /wp-includes/cache.php
* /wp-activate.php
* /wp-update/
* /wp-cron.php
* /wp-blog-header.php
* /wp-links-opml.php
* /wp-content/uploads/db-backup
* /wp-content/debug.log
* /wp-json/
  * /wp-json/wp/v2/settings
  * /wp-json/wp/v2/users
* /wp-login.php
* /xmlrpc.php
* /readme.html
* /license.txt
* /author-sitemap.xml

### 2. User enumeration

* /?author\[]=
* /?author=0
* /?author=1
* /blog/
* Brute force through domain/login and the "forgot password" functionality

### 3. WordPress version

* /readme.html
* /license.txt
* / (inspect the page source)
* /wp-includes/version.php
* /wp-admin/upgrade.php
* /wp-links-opml.php
* /feed/rdf/
* /feed/atom/
* /feed/ (inspect the XML source)
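The user-enumeration and version-probe paths listed in sections 2 and 3 are also what a defender sees in the web server access log when someone runs through this checklist. The following is an added example (not part of the original page or of any tool it links): a small detector that parses combined-format log lines, counts per client IP how many requests match those paths, and reports IPs that cross a threshold. The log lines are constructed samples, and the signal names and the default threshold of 3 are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). They are not from any
# real server; 203.0.113.10 plays the enumerating client, 198.51.100.7 a normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:05 +0000] "GET /readme.html HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:01:00 +0000] "GET /blog/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request paths from the enumeration and version sections, grouped by signal.
# /blog/ and /wp-login.php are deliberately left out: legitimate visitors hit them too.
SIGNALS = {
    "author_enum": re.compile(r"^/\?author(\[\]|=\d+)"),
    "rest_users": re.compile(r"^/wp-json/wp/v2/users"),
    "version_probe": re.compile(
        r"^/(readme\.html|license\.txt|wp-includes/version\.php|wp-links-opml\.php|feed/)"
    ),
    "xmlrpc_post": re.compile(r"^/xmlrpc\.php"),  # only counted for POST requests
}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of signal names a single request matches."""
    hits = []
    for name, rx in SIGNALS.items():
        if name == "xmlrpc_post" and entry["method"] != "POST":
            continue
        if rx.search(entry["path"]):
            hits.append(name)
    return hits


def scan_log(text, threshold=3):
    """Count signal hits per client IP and return only the IPs whose total reaches threshold.

    Result shape: {ip: {signal_name: count}}.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for signal in classify(entry):
            counts[entry["ip"]][signal] += 1
    return {ip: dict(sigs) for ip, sigs in counts.items() if sum(sigs.values()) >= threshold}


if __name__ == "__main__":
    for ip, sigs in scan_log(SAMPLE_LOG).items():
        print(ip, sigs)
```

On the constructed sample only 203.0.113.10 is reported, with three `author_enum` hits, one `rest_users`, one `version_probe` and two `xmlrpc_post`; the normal visitor never reaches the threshold. Tune the threshold and the signal set to your own traffic, and treat repeated POSTs to xmlrpc.php as the strongest of these signals, since it is the endpoint the multicall password attack above relies on.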

### 4. Analysis

* [WPScan](https://github.com/wpscanteam/wpscan)

```bash
wpscan --disable-tls-checks --detection-mode aggressive --url domain --password-attack xmlrpc-multicall --plugins-detection passive --themes-detection passive --timthumbs-detection passive --db-exports-detection passive --users-detection passive --usernames username.txt --passwords /usr/share/wordlists/rockyou.txt
```

{% hint style="info" %}
Resource:

[Exploitation of the xmlrpc.php file](https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32)
{% endhint %}

## Drupal

### 1. Default directories/paths

* robots.txt
* CHANGELOG.txt
* cron.php
* INSTALL.mysql.txt
* INSTALL.pgsql.txt
* INSTALL.txt
* LICENSE.txt
* MAINTAINERS.txt

### 2. Analysis

```bash
nmap --script=http-drupal-enum,http-drupal-enum-users domain
```

[Droopescan](https://github.com/droope/droopescan)

```bash
droopescan scan drupal -u domain
```

Drupalgeddon2 - [RCE vulnerability (CVE-2018-7600)](https://www.incibe-cert.es/alerta-temprana/vulnerabilidades/cve-2018-7600)

{% hint style="info" %}
Resource:

<https://hackertarget.com/drupal-security-scan/>
{% endhint %}

## Liferay

### 1. Default directories/paths

* /api/jsonws
* /tunnel-web/secure/webdav/
* /data/document\_library
* /web/guest/
* /web/guest/community/wiki/
* /web/guest/community/blogs/
* /\_vti\_bin/shtml.dll/\_vti\_rpc

### 2. Default credentials

* 2:test
* <test@liferay.com>:test
* <default@liferay.com>:password
* <user@liferay.com>:bitnami

### 3. Portlets

* /html/portlet/PORTLET\_NAME/view\.jsp
* /?p\_p\_id=PORTLET\_ID\&p\_p\_lifecycle=0\&p\_p\_state=maximized\&p\_p\_mode=view&\_3\_struts\_action=%2Fsearch%2Fsearch

{% hint style="info" %}
Resources:\
<https://web.liferay.com/es/community/wiki/-/wiki/Main/Portlet+IDs>\
<https://github.com/bcoles/LiferayScan/blob/master/data/portlets.txt>
{% endhint %}

## Joomla

### 1. Default directories/paths

### 2. Analysis

Default user - admin2:secret

## Magento

### 1. Default directories/paths

* Magento 1.9 and older:
  * app/etc/local.xml
* Magento 2:
  * app/etc/env.php

### 2. Analysis

Default user --> user:bitnami1

## Moodle

### 1. Default directories/paths

* admin/ - code to administrate the whole server
* auth/ - plugin modules to authenticate users
* blocks/ - plugin modules for the little side blocks on many pages
* calendar/ - all the code for managing and displaying calendars
* course/ - code to display and manage courses
* files/ - code to display and manage uploaded files
* lang/ - texts in different languages, one directory per language
* lib/ - libraries of core Moodle code
* login/ - code to handle login and account creation
* mod/ - all the main Moodle course modules are here
* pix/ - generic site graphics
* repository/ - code to handle the 2.x file handling system
* theme/ - theme packs/skins to change the look of the site
* user/ - code to display and manage users

### 2. Analysis

* Check the version -> [RCE in versions below 3.5.0](https://blog.ripstech.com/2018/moodle-remote-code-execution/)

## PrestaShop

### 1. Default directories/paths

* /api/configurations
* /admin
* /store/admin
* app/AppKernel.php
* config/settings.inc.php (PrestaShop 1.6)
* config/autoload.php (PrestaShop 1.7)
* In either file, check the value of \_PS\_VERSION\_
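Several sections above reduce to the same defender-side task: read the version a CMS leaks through a known artifact (the WordPress generator tag and feed from section 3, Drupal's CHANGELOG.txt, Moodle's release string, PrestaShop's \_PS\_VERSION\_ define) and compare it against a known-bad floor such as the Moodle "below 3.5.0" RCE. The following is an added example, not code from the original page or from any of these projects: it fingerprints constructed sample artifacts and flags versions under the one floor the page states. The artifact bodies, the label names and the `FLOORS` table are assumptions of this example; only the Moodle 3.5.0 threshold comes from the page.

```python
import re

# Constructed artifacts standing in for responses fetched from sites you administer.
# None of these come from a real deployment.
ARTIFACTS = [
    ("wp-home", '<html><head><meta name="generator" content="WordPress 6.4.3" /></head></html>'),
    ("wp-feed", '<?xml version="1.0"?><rss><channel><generator>https://wordpress.org/?v=6.4.3</generator></channel></rss>'),
    ("drupal-changelog", "Drupal 7.57, 2018-02-21\n-----------------------\n- Fixed security issues.\n"),
    ("moodle-old", "<?php\n$release  = '3.4.9 (Build: 20180517)';\n"),
    ("moodle-35", "<?php\n$release  = '3.5 (Build: 20180517)';\n"),
    ("prestashop-autoload", "<?php\ndefine('_PS_VERSION_', '1.7.8.7');\n"),
    ("static-site", "<html><body>nothing to see</body></html>"),
]

# (CMS name, regex capturing the version) for the artifacts the page lists.
FINGERPRINTS = [
    ("WordPress", re.compile(r'<meta name="generator" content="WordPress ([\d.]+)')),
    ("WordPress", re.compile(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>")),
    ("Drupal", re.compile(r"^Drupal ([\d.]+),", re.M)),
    ("Moodle", re.compile(r"\$release\s*=\s*'([\d.]+)")),
    ("PrestaShop", re.compile(r"define\('_PS_VERSION_',\s*'([\d.]+)'\)")),
]

# Version floors taken from this page: Moodle below 3.5.0 is affected by the linked RCE.
# Extend this table (assumed structure) with floors from the advisories you track.
FLOORS = {"Moodle": ("3.5.0", "RCE in versions below 3.5.0")}


def fingerprint(body):
    """Return (cms, version) for the first matching fingerprint, or None."""
    for cms, rx in FINGERPRINTS:
        m = rx.search(body)
        if m:
            return cms, m.group(1)
    return None


def parse_version(text):
    """'3.4.9' -> (3, 4, 9); a trailing dot captured by the regex is tolerated."""
    return tuple(int(part) for part in text.strip(".").split("."))


def version_below(version, floor):
    """Numeric comparison with zero padding, so '3.5' is not considered below '3.5.0'."""
    a, b = parse_version(version), parse_version(floor)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def assess(cms, version):
    """Return the finding text if the version is below a known floor, else None."""
    floor = FLOORS.get(cms)
    if floor and version_below(version, floor[0]):
        return floor[1]
    return None


def inventory(artifacts):
    """Fingerprint each (label, body) and return [(label, cms, version, finding)]."""
    rows = []
    for label, body in artifacts:
        fp = fingerprint(body)
        if fp is None:
            rows.append((label, None, None, None))
            continue
        cms, version = fp
        rows.append((label, cms, version, assess(cms, version)))
    return rows


if __name__ == "__main__":
    for row in inventory(ARTIFACTS):
        print(row)
```

The zero-padded comparison matters for the Moodle edge case: its release string is `3.5`, which a naive tuple comparison would rank below `3.5.0` and report as vulnerable. If an artifact in this list is readable from the internet on a site you run, that is the finding to act on regardless of the version it reveals.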

## Resources

* Directory payloads: <https://github.com/payloadbox/directory-payload-list/tree/master/Intruder>
