# CMS ## Wordpress #### The WordPress version is shown in the "generator" meta tag (unless removed by the site). #### You may search the source code (CTRL-F) for "generator" to see the version. #### This curl command will also show it. The "-s" flag is for "silent" ``` curl -s http://example.com/wordpress/ | grep generator ``` ### Basic information ``` wpscan --url https://192.168.26.141 ``` ### Check for vulnerable plugins ``` wpscan --url https://192.168.26.141:12380/blogblog --enumerate vp ``` ### Check for exploits that match the version of wordpress ``` wpscan --no-update --url http://www.example.com/wordpress/ wpscan --no-update --url http://www.example.com/wordpress/ | grep Title wpscan --no-update --url http://www.example.com/wordpress/ | grep Title | wc -l ``` ### Vulnerability and plugin scan ``` wpscan --url sandbox.local --enumerate ap,at,cb,dbe ``` ### Enumerate usernames ``` wpscan --url http://192.168.56.149/wordpress/ --enumerate u --force --wp-content-dir wp-content ``` ### Password attack on discovered usernames ``` wpscan --url http://192.168.56.149/wordpress/ --passwords /usr/share/wordlists/fasttrack.txt --usernames userlist -t 25 ``` ### Enumerate everything ``` wpscan --url https://192.168.26.141 ``` ### Scan with nmap NSE scripts ``` nmap -sV --script http-wordpress-enum 10.11.1.234 nmap -Pn --script http-wordpress-enum --script-args check-latest=true,search-limit=10 10.11.1.234 nmap -sV 10.11.1.234 --script http-wordpress-enum --script-args limit=25 ``` ## Drupal ### Droopscan #### Installation: ``` apt-get install python-pip pip install droopescan ``` #### Scanning: ``` droopescan scan drupal -u example.org droopescan scan -u example.org droopescan scan -U list_of_urls.txt ``` ## Joomla ### Joomscan ``` joomscan --url http://192.168.56.126 -ec ``` #### Get components running on the website ``` joomscan --url http://10.10.10.150/ --random-agent --enumerate-components ``` #### You can also check ``` /administrator/manifests/files/joomla.xml ``` #### If you find components, you can often access the configuration file ``` JCE component → /components/com_jce/jce.xml ``` ### Joomlavs #### Check for vulnerabilities affecting components {% embed url="" %} ## Nikto #### A free web application vulnerability scanner preinstalled on kali linux. ``` nikto -host example.com ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://smadi0x86-blog.gitbook.io/smadi0x86-playground/offensive-security/recon/web-applications/cms.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.