CMS

Content Management Systems are most vulnerable through the plugins they use.

WordPress

The WordPress version is shown in the "generator" meta tag (unless removed by the site).

You may search the source code (CTRL-F) for "generator" to see the version.

This curl command will also show it. The "-s" flag is for "silent".

curl -s http://example.com/wordpress/ | grep generator
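
The same generator check, as an added example that is not part of the original page: a Python parser a site owner can run over their own pages to see what the tag exposes, tolerant of attribute order, quoting and case where a plain grep is not. It goes beyond WordPress to the generator formats Drupal and Joomla emit; the sample HTML is constructed and the function and class names are hypothetical.

```python
import re
from html.parser import HTMLParser


class GeneratorFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() == "generator":
            self.values.append(attr.get("content", "").strip())


def generator_disclosures(html):
    """Return [(product, version or None)] for each generator tag found."""
    finder = GeneratorFinder()
    finder.feed(html)
    finder.close()
    found = []
    for value in finder.values:
        # First dotted or bare number in the value is treated as the version.
        match = re.search(r"\b\d+(?:\.\d+)*\b", value)
        if match:
            found.append((value[:match.start()].strip(), match.group(0)))
        else:
            found.append((value, None))
    return found


# Constructed sample pages (not captured from real sites).
SAMPLES = {
    "wordpress": '<head><meta name="generator" content="WordPress 5.8.1" /></head>',
    "drupal": "<head><META content='Drupal 9 (https://www.drupal.org)' name='Generator'></head>",
    "joomla": '<head><meta name="generator" content="Joomla! - Open Source Content Management"></head>',
    "tag-removed": '<head><meta name="viewport" content="width=device-width"></head>',
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        hits = generator_disclosures(page)
        print(label, hits if hits else "no generator tag")
```

An empty result means the tag is absent from that page; a non-None version means the page is publishing its exact release to every visitor.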

Basic information

wpscan --url https://192.168.26.141

Check for vulnerable plugins

wpscan --url https://192.168.26.141:12380/blogblog --enumerate vp

Check for exploits that match the version of WordPress

wpscan --no-update --url http://www.example.com/wordpress/
wpscan --no-update --url http://www.example.com/wordpress/ | grep Title
wpscan --no-update --url http://www.example.com/wordpress/ | grep Title | wc -l

Vulnerability and plugin scan

wpscan --url sandbox.local --enumerate ap,at,cb,dbe

Enumerate usernames

wpscan --url http://192.168.56.149/wordpress/ --enumerate u --force --wp-content-dir wp-content

Password attack on discovered usernames

wpscan --url http://192.168.56.149/wordpress/ --passwords /usr/share/wordlists/fasttrack.txt --usernames userlist -t 25

Enumerate everything

wpscan --url https://192.168.26.141

Scan with nmap NSE scripts

nmap -sV --script http-wordpress-enum 10.11.1.234
nmap -Pn --script http-wordpress-enum --script-args check-latest=true,search-limit=10 10.11.1.234
nmap -sV 10.11.1.234 --script http-wordpress-enum --script-args limit=25

Drupal

Droopescan

Installation:

apt-get install python-pip
pip install droopescan

Scanning:

droopescan scan drupal -u example.org
droopescan scan -u example.org
droopescan scan -U list_of_urls.txt

Joomla

Joomscan

joomscan --url http://192.168.56.126 -ec

Get components running on the website

joomscan --url http://10.10.10.150/ --random-agent --enumerate-components

You can also check

/administrator/manifests/files/joomla.xml

If you find components, you can often access the configuration file

JCE component → /components/com_jce/jce.xml

Joomlavs

Check for vulnerabilities affecting components

Nikto

A free web application vulnerability scanner preinstalled on Kali Linux.

nikto -host example.com