☠️
smadi0x86 Playground
  • 💀Welcome to smadi0x86 Playground
    • 🍷Resources
    • 🚬Projects
    • 🎓Certifications
    • 📌Pinned
    • ❓Questions
    • 📞Contact
  • 🏞️Cloud Native
    • Docker
      • Quick Reference
      • Introduction
      • Containers
      • Images
      • Storage & Volumes
      • Security
      • Cheatsheet
    • Git
    • Serverless Framework
    • YAML
  • 🔨Software Engineering
    • System Design
    • Environment Variables
    • JSON Web Tokens
  • 👾Architecture
    • Computer Organization
      • Mathematics
    • C Language
      • Introduction
      • GCC Compilation
      • Libraries & Linking
      • I/O
      • Files
      • Pointers
      • Dynamic Memory Allocation
      • Data Types
      • Strings Manipulation
      • Bit Manipulation
      • Pre-processors
      • Macros
      • Type Qualifiers
    • C/C++ Build Systems
      • Fundamentals for Linking
      • Symbolic Linking
      • Cross-Platform Compilation
      • CMake for Building and Linking
      • Shared Libraries
      • Dynamic Linking and Dependency Management
    • Operating Systems
      • OS & Architecture
      • Processes
      • CPU Scheduling
      • Memory Management
  • 🛩️Cyber Warfare
    • Flight Physics
    • Communication
      • PWM & PPM
      • MAVLink
  • 🏴‍☠️Offensive Security
    • Active Directory
      • Introduction
    • Web Attacks
      • Server Side
        • OS Command Injection
        • Information Disclosure
        • Directory Traversal
        • Business Logic
        • Authentication
        • File Upload
        • SSRF
      • Client Side
        • CSRF
        • XSS
    • Recon
      • Active
        • Host discovery
        • Nmap
        • Mass Scan
      • Passive
        • Metadata
      • Web Applications
        • Discovery
        • Subdomains & Directories
        • SSL Certs
        • CMS
        • WAF Detection
      • Firewall Evasion
  • 😈Advanced Persistent Threat
    • C2
      • Sliver
    • Malware
      • Techniques
        • COFF Loader
      • Sektor7
        • Essentials
        • Common Techniques & APIs
  • 💌Certifications
    • AWS Certified Cloud Practitioner (CLF-C01)
      • Cloud Foundations
      • Domain 1: Cloud Concepts
      • Domain 2: Security and Compliance
      • Domain 3: Technology
      • Domain 4: Billing and Pricing
    • AWS Certified Solutions Architect - Associate (SAA-C03)
      • Foundation
    • Certified Kubernetes Administrator (CKA)
      • Core Concepts
      • Scheduling
      • Logging & Monitoring
      • Application Lifecycle Management
      • Cluster Maintenance
      • Security
      • Storage
      • Networking
      • Design Kubernetes Cluster
      • Kubernetes The Kubeadm Way
      • Troubleshooting
      • JSONPATH
      • Lightning Lab
      • Mock Exams
      • Killer Shell
    • Certified Kubernetes Security (CKS)
      • Foundation
      • Cluster Setup
      • Cluster Hardening
      • Supply Chain Security
      • Runtime Security
      • System Hardening
      • Killer Shell
    • (KGAC-101) Kong Gateway Foundations
      • Introduction to APIs and API Management
      • Introduction to Kong Gateway
      • Getting Started with Kong Enterprise
      • Getting Started with Kong Konnect
      • Introduction to Kong Plugins
  • 📜Blog Posts
    • Modern Solutions For Preventing Ransomware Attacks
Powered by GitBook
On this page
  • Wordpress
  • Basic information
  • Check for vulnerable plugins
  • Check for exploits that match the version of wordpress
  • Vulnerability and plugin scan
  • Enumerate usernames
  • Password attack on discovered usernames
  • Enumerate everything
  • Scan with nmap NSE scripts
  • Drupal
  • Droopscan
  • Joomla
  • Joomscan
  • Joomlavs
  • Nikto
  1. Offensive Security
  2. Recon
  3. Web Applications

CMS

Content Management Systems are most vulnerable from plugins they use.

Wordpress

The WordPress version is shown in the "generator" meta tag (unless removed by the site).

You may search the source code (CTRL-F) for "generator" to see the version.

This curl command will also show it. The "-s" flag is for "silent"

curl -s http://example.com/wordpress/ | grep generator

Basic information

wpscan --url https://192.168.26.141

Check for vulnerable plugins

wpscan --url https://192.168.26.141:12380/blogblog --enumerate vp

Check for exploits that match the version of wordpress

wpscan --no-update --url http://www.example.com/wordpress/
wpscan --no-update --url http://www.example.com/wordpress/ | grep Title
wpscan --no-update --url http://www.example.com/wordpress/ | grep Title | wc -l

Vulnerability and plugin scan

wpscan --url sandbox.local --enumerate ap,at,cb,dbe

Enumerate usernames

wpscan --url http://192.168.56.149/wordpress/ --enumerate u --force --wp-content-dir wp-content

Password attack on discovered usernames

wpscan --url http://192.168.56.149/wordpress/ --passwords /usr/share/wordlists/fasttrack.txt --usernames userlist -t 25

Enumerate everything

wpscan --url https://192.168.26.141

Scan with nmap NSE scripts

nmap -sV --script http-wordpress-enum 10.11.1.234
nmap -Pn --script http-wordpress-enum --script-args check-latest=true,search-limit=10 10.11.1.234
nmap -sV 10.11.1.234 --script http-wordpress-enum --script-args limit=25

Drupal

Droopscan

Installation:

apt-get install python-pip
pip install droopescan

Scanning:

droopescan scan drupal -u example.org        
droopescan scan -u example.org
droopescan scan -U list_of_urls.txt

Joomla

Joomscan

joomscan --url http://192.168.56.126 -ec

Get components running on the website

joomscan --url http://10.10.10.150/ --random-agent --enumerate-components

You can also check

/administrator/manifests/files/joomla.xml

If you find components, you can often access the configuration file

JCE component → /components/com_jce/jce.xml

Joomlavs

Check for vulnerabilities affecting components

Nikto

A free web application vulnerability scanner preinstalled on kali linux.

nikto -host example.com
PreviousSSL CertsNextWAF Detection
🏴‍☠️
Page cover image
LogoGitHub - rastating/joomlavs: A black box, Ruby powered, Joomla vulnerability scannerGitHub