CMS Explorer in BackTrack

August 12th, 2011  |  Published in Security  |  1 Comment


Disclaimer: This is for educational purposes only, in the hope that you will use it to secure your own site and code. I take no responsibility for any malicious use of the following tools or approach. In short, don’t be dumb.

So I am studying for the OSCP (Offensive Security Certified Professional) certification and have been playing around with some of the more obscure items in the BackTrack Linux distribution. One of them is CMS Explorer, which enumerates the plug-ins and themes installed on a content management system and looks up known vulnerabilities for them. It supports Drupal, WordPress, Joomla! and Mambo.

The syntax is fairly straightforward and the results are fairly accurate. The cool thing is that it can tie in to the OSVDB database, but you need to do a few things to make that work properly:

  1. Sign up for an OSVDB API account.
  2. Navigate to the /pentest/enumeration/web/cms-explorer directory and create a blank file called osvdb.key.
  3. Put your API key in that file.
  4. Run it: ./cms-explorer.pl -url http://eric.ness.net -type wordpress -osvdb

Here are the results for my blog. As you can see, this site is fairly light, and every vulnerability OSVDB reports for it is either of “unknown impact and attack vectors” or “flagged as being a Myth/Fake”.

  1. http://osvdb.org/37290
  2. http://osvdb.org/62683
  3. http://osvdb.org/56762

The only downside to this enumeration is that it is fairly slow, since it requests each entry of its theme and plug-in lists (wp_themes.txt and so on) from the target: a full run can take an hour or more.

root@bt:/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://eric.ness.net -type wordpress -osvdb

*******************************************************
Beginning run against http://eric.ness.net/...
Testing themes from wp_themes.txt...
Theme Installed:		wp-content/themes/monochrome/
Testing plugins...
Plugin Installed:		wp-content/plugins/akismet/
Plugin Installed:		wp-content/plugins/all-in-one-seo-pack/
Plugin Installed:		wp-content/plugins/codesnippet-20/
Plugin Installed:		wp-content/plugins/contact-form-7/
Plugin Installed:		wp-content/plugins/sexybookmarks/
Plugin Installed:		wp-content/plugins/syntaxhighlighter/
Plugin Installed:		wp-content/plugins/tweet-blender/
Plugin Installed:		wp-content/plugins/wp-cache/
Plugin Installed:		wp-content/plugins/wp-pagenavi/

*******************************************************
Summary:
Theme Installed:		wp-content/themes/monochrome/
	URL			http://eric.ness.net/wp-content/themes/monochrome/
	SVN			http://themes.svn.wordpress.org/wp-content/themes/monochrome/
Plugin Installed:		wp-content/plugins/akismet/
	URL			http://eric.ness.net/wp-content/plugins/akismet/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/akismet/trunk/
	http://osvdb.org/37290	Akismet for WordPress akismet.php Unspecified Issue
	http://osvdb.org/62683	WordPress wp-content/plugins/akismet/akismet.php add_action() Function Path Disclosure
Plugin Installed:		wp-content/plugins/all-in-one-seo-pack/
	URL			http://eric.ness.net/wp-content/plugins/all-in-one-seo-pack/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/all-in-one-seo-pack/trunk/
Plugin Installed:		wp-content/plugins/codesnippet-20/
	URL			http://eric.ness.net/wp-content/plugins/codesnippet-20/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/codesnippet-20/trunk/
Plugin Installed:		wp-content/plugins/contact-form-7/
	URL			http://eric.ness.net/wp-content/plugins/contact-form-7/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/contact-form-7/trunk/
Plugin Installed:		wp-content/plugins/sexybookmarks/
	URL			http://eric.ness.net/wp-content/plugins/sexybookmarks/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/sexybookmarks/trunk/
Plugin Installed:		wp-content/plugins/syntaxhighlighter/
	URL			http://eric.ness.net/wp-content/plugins/syntaxhighlighter/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/syntaxhighlighter/trunk/
Plugin Installed:		wp-content/plugins/tweet-blender/
	URL			http://eric.ness.net/wp-content/plugins/tweet-blender/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/tweet-blender/trunk/
Plugin Installed:		wp-content/plugins/wp-cache/
	URL			http://eric.ness.net/wp-content/plugins/wp-cache/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/wp-cache/trunk/
	http://osvdb.org/56762	WP Super Cache for WordPress wp-cache-phase1.php plugin Parameter Remote File Inclusion
Plugin Installed:		wp-content/plugins/wp-pagenavi/
	URL			http://eric.ness.net/wp-content/plugins/wp-pagenavi/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/wp-pagenavi/trunk/
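Note that the summary above attaches OSVDB entries to a plug-in by name and shows no version, so each hit is a candidate to confirm, not a confirmed vulnerability. As an added example (not code from the original post or from CMS Explorer), the script below parses a summary block like the one above, keeps only the components that were tied to an OSVDB entry, and fetches each one's readme.txt to read the WordPress "Stable tag:" line as the installed version. The embedded sample summary is trimmed from the output above; the readme bodies in the demo are constructed, and treating "Stable tag" as the installed version is an assumption (plug-in authors sometimes set it to "trunk", and a server may refuse to serve the file, in which case the version is reported as unknown).

```python
"""Triage CMS Explorer's WordPress summary. Added example, not part of the tool or the post."""
import re
import urllib.request

# Constructed sample: a trimmed copy of the "Summary:" block from the run above.
SAMPLE_SUMMARY = """\
Summary:
Theme Installed:\t\twp-content/themes/monochrome/
\tURL\t\t\thttp://eric.ness.net/wp-content/themes/monochrome/
\tSVN\t\t\thttp://themes.svn.wordpress.org/wp-content/themes/monochrome/
Plugin Installed:\t\twp-content/plugins/akismet/
\tURL\t\t\thttp://eric.ness.net/wp-content/plugins/akismet/
\tSVN\t\t\thttp://svn.wp-plugins.org/wp-content/plugins/akismet/trunk/
\thttp://osvdb.org/37290\tAkismet for WordPress akismet.php Unspecified Issue
\thttp://osvdb.org/62683\tWordPress wp-content/plugins/akismet/akismet.php add_action() Function Path Disclosure
Plugin Installed:\t\twp-content/plugins/wp-cache/
\tURL\t\t\thttp://eric.ness.net/wp-content/plugins/wp-cache/
\tSVN\t\t\thttp://svn.wp-plugins.org/wp-content/plugins/wp-cache/trunk/
\thttp://osvdb.org/56762\tWP Super Cache for WordPress wp-cache-phase1.php plugin Parameter Remote File Inclusion
Plugin Installed:\t\twp-content/plugins/wp-pagenavi/
\tURL\t\t\thttp://eric.ness.net/wp-content/plugins/wp-pagenavi/
\tSVN\t\t\thttp://svn.wp-plugins.org/wp-content/plugins/wp-pagenavi/trunk/
"""

COMPONENT_RE = re.compile(r"^(Theme|Plugin) Installed:\s+(\S+)")
URL_RE = re.compile(r"^\s+URL\s+(\S+)")
OSVDB_RE = re.compile(r"^\s+http://osvdb\.org/(\d+)\s+(.+)$")
# WordPress plug-in readme.txt convention; authors may set it to "trunk".
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_summary(text):
    """Turn the summary block into a list of components.

    Each entry: {'kind': 'plugin'|'theme', 'path': ..., 'url': ..., 'osvdb': [(id, title), ...]}.
    """
    components, current = [], None
    for line in text.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            current = {"kind": m.group(1).lower(), "path": m.group(2), "url": None, "osvdb": []}
            components.append(current)
            continue
        if current is None:
            continue  # "Summary:" header and anything before the first component
        m = URL_RE.match(line)
        if m:
            current["url"] = m.group(1)
            continue
        m = OSVDB_RE.match(line)
        if m:
            current["osvdb"].append((int(m.group(1)), m.group(2).strip()))
    return components


def flagged(components):
    """Only the components CMS Explorer tied to at least one OSVDB entry."""
    return [c for c in components if c["osvdb"]]


def stable_tag(readme_text):
    """Version from a plug-in readme.txt ('Stable tag: 2.5.3'), or None if absent."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None


def http_fetch(url, timeout=10):
    """Fetch a URL and return the body as text, or None on any HTTP or network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):  # HTTPError/URLError are OSError subclasses
        return None


def triage(components, fetch=http_fetch):
    """For each flagged component, read <url>readme.txt and attach the installed version.

    Returns a list of (path, version_or_None, [osvdb ids]); None means the version could not be read.
    """
    out = []
    for c in flagged(components):
        version = None
        if c["url"]:
            body = fetch(c["url"].rstrip("/") + "/readme.txt")
            if body is not None:
                version = stable_tag(body)
        out.append((c["path"], version, [osvdb_id for osvdb_id, _ in c["osvdb"]]))
    return out


if __name__ == "__main__":
    # Offline demo with a dict as the fetcher; the readme body is constructed, not real.
    fake_site = {
        "http://eric.ness.net/wp-content/plugins/akismet/readme.txt": "=== Akismet ===\nStable tag: 2.5.3\n",
        # wp-cache: no readme.txt served, so its version comes back as unknown
    }
    for path, version, ids in triage(parse_summary(SAMPLE_SUMMARY), fetch=fake_site.get):
        print(f"{path:40s} version={version or '?':8s} OSVDB={ids}")
```

Against a live target, call triage(parse_summary(open("cms-explorer.out").read())) with the default fetcher; a version of None means the directory exists but readme.txt was not readable, and the OSVDB entry then has to be checked another way (for example by comparing the plug-in's own files with the SVN trunk CMS Explorer lists).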

Responses

  1. lukesun629 says:

    September 13th, 2011 at 10:19 pm

    So I got these vulnerable plugins. What to do next?
