CMS
Content management systems are most often vulnerable through the plugins they use.
WordPress
Search the page source (CTRL-F) for "generator" to see the version.
This curl command will also show it. The "-s" flag stands for "silent".
curl -s http://example.com/wordpress/ | grep generator
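Added example (not part of the original notes): the generator check above as a reusable function, useful for auditing which of your own pages still disclose a version. It goes beyond the WordPress case by also reading Drupal and Joomla generator tags; the function names and the sample HTML are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report what "generator" meta tags disclose.
# generator_info reads HTML on stdin and prints "<cms><TAB><version>" per tag;
# the version is "-" when the tag names a CMS without a version number.

generator_info() {
  awk -v q="[\"']" -v nq="[^\"']*" '
    BEGIN { RS = "<" }                  # one record per tag, even if minified
    { low = tolower($0) }               # attribute names are case-insensitive
    low ~ ("^meta[^>]*name=" q "generator" q) && match(low, "content=" q nq q) {
      # Skip the 9 characters of content=<quote>, drop the closing quote.
      value = substr($0, RSTART + 9, RLENGTH - 10)
      n = split(value, word, " ")
      if (n == 0) next                  # empty content attribute
      version = "-"
      for (i = 2; i <= n; i++)
        if (word[i] ~ /^[0-9]+(\.[0-9]+)*$/) { version = word[i]; break }
      print word[1] "\t" version
    }'
}

# Exit status 0 when at least one generator tag exposes a version number.
leaks_version() {
  generator_info | awk -F '\t' '$2 != "-" { found = 1 } END { exit !found }'
}

# Constructed sample page (not captured from a real site).
sample_page() {
  cat <<'EOF'
<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<META content='Drupal 8 (https://www.drupal.org)' name='Generator'>
<meta name="generator"
      content="Joomla! - Open Source Content Management" />
<meta name="description" content="Blog 2.0 generator notes">
</head></html>
EOF
}

sample_page | generator_info
```

Against a live page, pipe the curl output into it: curl -s http://example.com/wordpress/ | generator_info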
wpscan --url https://192.168.26.141
Check for vulnerable plugins
wpscan --url https://192.168.26.141:12380/blogblog --enumerate vp
Check for exploits that match the version of WordPress
wpscan --no-update --url http://www.example.com/wordpress/
wpscan --no-update --url http://www.example.com/wordpress/ | grep Title
wpscan --no-update --url http://www.example.com/wordpress/ | grep Title | wc -l
Vulnerability and plugin scan
wpscan --url sandbox.local --enumerate ap,at,cb,dbe
Enumerate usernames
wpscan --url http://192.168.56.149/wordpress/ --enumerate u --force --wp-content-dir wp-content
Password attack on discovered usernames
wpscan --url http://192.168.56.149/wordpress/ --passwords /usr/share/wordlists/fasttrack.txt --usernames userlist -t 25
Enumerate everything
wpscan --url https://192.168.26.141
Scan with nmap NSE scripts
nmap -sV --script http-wordpress-enum 10.11.1.234
nmap -Pn --script http-wordpress-enum --script-args check-latest=true,search-limit=10 10.11.1.234
nmap -sV 10.11.1.234 --script http-wordpress-enum --script-args search-limit=25
Drupal
Droopescan
Installation:
apt-get install python-pip
pip install droopescan
Scanning:
droopescan scan drupal -u example.org
droopescan scan -u example.org
droopescan scan -U list_of_urls.txt
Joomla
Joomscan
joomscan --url http://192.168.56.126 -ec
Get components running on the website
joomscan --url http://10.10.10.150/ --random-agent --enumerate-components
You can also check the manifest file:
/administrator/manifests/files/joomla.xml
If you find components, you can often access their configuration files, for example:
JCE component → /components/com_jce/jce.xml
Joomlavs
Check for vulnerabilities affecting components
Nikto
A free web application vulnerability scanner preinstalled on Kali Linux.
nikto -host example.com