CMS Explorer In Back Track

CMS Explorer In Back Track

August 12th, 2011  |  Published in Security

Disclaimer: This is for educational purposes only in the hopes you will use it to secure your own site and code. I take no responsibility for any malicious use of the following technology or approach. In short don’t be dumb.

So I am studying for the OSCP (Offensive Security Certified Professional) certification and I’ve been playing around with some of the more obscure items in the Back Track Linux Distribution. One such item is CMS Explorer that enumerates through content management systems plug-ins and themes to look for vulnerabilities in the Drupal, WordPress, Joomla!, Mambo CMS.

The syntax is fairly straightforward and the results are fairly accurate. The cool thing is that it can tie in to the OSVDB database but you need to do two things to make it work properly.

  1. Sign up for a OSVDB api account.
  2. Navigate to the /pentest/enumeration/web/cms-explorer directory and create a blank file called osvdb.key
  3. In that file place your api key.
  4. Run it! ./cms-explorer.pl -url http://eric.ness.net -type wordpress -osvdb

Here are the results for my blog. As you can see this site is fairly light and all the vulnerabilities according to OSVDB are “unknown impact and attack vectors ” or listed as “flagged as being a Myth/Fake”.

  1. http://osvdb.org/37290
  2. http://osvdb.org/62683
  3. http://osvdb.org/56762

Only downside for this enumeration is that it is fairly slow and can take up to an hour or more to run.

root@bt:/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://eric.ness.net -type wordpress -osvdb

*******************************************************
Beginning run against http://eric.ness.net/...
Testing themes from wp_themes.txt...
Theme Installed:		wp-content/themes/monochrome/
Testing plugins...
Plugin Installed:		wp-content/plugins/akismet/
Plugin Installed:		wp-content/plugins/all-in-one-seo-pack/
Plugin Installed:		wp-content/plugins/codesnippet-20/
Plugin Installed:		wp-content/plugins/contact-form-7/
Plugin Installed:		wp-content/plugins/sexybookmarks/
Plugin Installed:		wp-content/plugins/syntaxhighlighter/
Plugin Installed:		wp-content/plugins/tweet-blender/
Plugin Installed:		wp-content/plugins/wp-cache/
Plugin Installed:		wp-content/plugins/wp-pagenavi/

*******************************************************
Summary:
Theme Installed:		wp-content/themes/monochrome/
	URL			http://eric.ness.net/wp-content/themes/monochrome/
	SVN			http://themes.svn.wordpress.org/wp-content/themes/monochrome/
Plugin Installed:		wp-content/plugins/akismet/
	URL			http://eric.ness.net/wp-content/plugins/akismet/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/akismet/trunk/
	http://osvdb.org/37290	Akismet for WordPress akismet.php Unspecified Issue
	http://osvdb.org/62683	WordPress wp-content/plugins/akismet/akismet.php add_action() Function Path Disclosure
Plugin Installed:		wp-content/plugins/all-in-one-seo-pack/
	URL			http://eric.ness.net/wp-content/plugins/all-in-one-seo-pack/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/all-in-one-seo-pack/trunk/
Plugin Installed:		wp-content/plugins/codesnippet-20/
	URL			http://eric.ness.net/wp-content/plugins/codesnippet-20/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/codesnippet-20/trunk/
Plugin Installed:		wp-content/plugins/contact-form-7/
	URL			http://eric.ness.net/wp-content/plugins/contact-form-7/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/contact-form-7/trunk/
Plugin Installed:		wp-content/plugins/sexybookmarks/
	URL			http://eric.ness.net/wp-content/plugins/sexybookmarks/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/sexybookmarks/trunk/
Plugin Installed:		wp-content/plugins/syntaxhighlighter/
	URL			http://eric.ness.net/wp-content/plugins/syntaxhighlighter/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/syntaxhighlighter/trunk/
Plugin Installed:		wp-content/plugins/tweet-blender/
	URL			http://eric.ness.net/wp-content/plugins/tweet-blender/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/tweet-blender/trunk/
Plugin Installed:		wp-content/plugins/wp-cache/
	URL			http://eric.ness.net/wp-content/plugins/wp-cache/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/wp-cache/trunk/
	http://osvdb.org/56762	WP Super Cache for WordPress wp-cache-phase1.php plugin Parameter Remote File Inclusion
Plugin Installed:		wp-content/plugins/wp-pagenavi/
	URL			http://eric.ness.net/wp-content/plugins/wp-pagenavi/
	SVN			http://svn.wp-plugins.org/wp-content/plugins/wp-pagenavi/trunk/


Related Posts

Sql Injection Testing With SqlMap

Archives