CMS Explorer In Back Track
August 12th, 2011 | Published in Uncategorized
So I am studying for the OSCP (Offensive Security Certified Professional) certification and I’ve been playing around with some of the more obscure items in the Back Track Linux Distribution. One such item is CMS Explorer that enumerates through content management systems plug-ins and themes to look for vulnerabilities in the Drupal, WordPress, Joomla!, Mambo CMS.
The syntax is fairly straightforward and the results are fairly accurate. The cool thing is that it can tie in to the OSVDB database but you need to do two things to make it work properly.
- Sign up for a OSVDB api account.
- Navigate to the /pentest/enumeration/web/cms-explorer directory and create a blank file called osvdb.key
- In that file place your api key.
- Run it! ./cms-explorer.pl -url http://eric.ness.net -type wordpress -osvdb
Here are the results for my blog. As you can see this site is fairly light and all the vulnerabilities according to OSVDB are “unknown impact and attack vectors ” or listed as “flagged as being a Myth/Fake”.
Only downside for this enumeration is that it is fairly slow and can take up to an hour or more to run.
root@bt:/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://eric.ness.net -type wordpress -osvdb ******************************************************* Beginning run against http://eric.ness.net/... Testing themes from wp_themes.txt... Theme Installed: wp-content/themes/monochrome/ Testing plugins... Plugin Installed: wp-content/plugins/akismet/ Plugin Installed: wp-content/plugins/all-in-one-seo-pack/ Plugin Installed: wp-content/plugins/codesnippet-20/ Plugin Installed: wp-content/plugins/contact-form-7/ Plugin Installed: wp-content/plugins/sexybookmarks/ Plugin Installed: wp-content/plugins/syntaxhighlighter/ Plugin Installed: wp-content/plugins/tweet-blender/ Plugin Installed: wp-content/plugins/wp-cache/ Plugin Installed: wp-content/plugins/wp-pagenavi/ ******************************************************* Summary: Theme Installed: wp-content/themes/monochrome/ URL http://eric.ness.net/wp-content/themes/monochrome/ SVN http://themes.svn.wordpress.org/wp-content/themes/monochrome/ Plugin Installed: wp-content/plugins/akismet/ URL http://eric.ness.net/wp-content/plugins/akismet/ SVN http://svn.wp-plugins.org/wp-content/plugins/akismet/trunk/ http://osvdb.org/37290 Akismet for WordPress akismet.php Unspecified Issue http://osvdb.org/62683 WordPress wp-content/plugins/akismet/akismet.php add_action() Function Path Disclosure Plugin Installed: wp-content/plugins/all-in-one-seo-pack/ URL http://eric.ness.net/wp-content/plugins/all-in-one-seo-pack/ SVN http://svn.wp-plugins.org/wp-content/plugins/all-in-one-seo-pack/trunk/ Plugin Installed: wp-content/plugins/codesnippet-20/ URL http://eric.ness.net/wp-content/plugins/codesnippet-20/ SVN http://svn.wp-plugins.org/wp-content/plugins/codesnippet-20/trunk/ Plugin Installed: wp-content/plugins/contact-form-7/ URL http://eric.ness.net/wp-content/plugins/contact-form-7/ SVN http://svn.wp-plugins.org/wp-content/plugins/contact-form-7/trunk/ Plugin Installed: wp-content/plugins/sexybookmarks/ URL http://eric.ness.net/wp-content/plugins/sexybookmarks/ SVN http://svn.wp-plugins.org/wp-content/plugins/sexybookmarks/trunk/ Plugin Installed: wp-content/plugins/syntaxhighlighter/ URL http://eric.ness.net/wp-content/plugins/syntaxhighlighter/ SVN http://svn.wp-plugins.org/wp-content/plugins/syntaxhighlighter/trunk/ Plugin Installed: wp-content/plugins/tweet-blender/ URL http://eric.ness.net/wp-content/plugins/tweet-blender/ SVN http://svn.wp-plugins.org/wp-content/plugins/tweet-blender/trunk/ Plugin Installed: wp-content/plugins/wp-cache/ URL http://eric.ness.net/wp-content/plugins/wp-cache/ SVN http://svn.wp-plugins.org/wp-content/plugins/wp-cache/trunk/ http://osvdb.org/56762 WP Super Cache for WordPress wp-cache-phase1.php plugin Parameter Remote File Inclusion Plugin Installed: wp-content/plugins/wp-pagenavi/ URL http://eric.ness.net/wp-content/plugins/wp-pagenavi/ SVN http://svn.wp-plugins.org/wp-content/plugins/wp-pagenavi/trunk/