Content management systems (CMS) such as WordPress, Drupal, and Joomla make up the vast majority of the internet. According to a survey performed by W3Techs, 62% of the internet is run on a CMS and 39.1% of the internet is run on WordPress. As an attacker, this means the vast majority of the sites you are going to be going up against will be run by a CMS.
As of right now over a quarter (25%) of the internet is built using WordPress. This is useful to know because that means a single exploit has the potential to impact a large portion of your target’s assets. There are in fact hundreds of exploits and misconfigurations impacting WordPress and its associated plugins. One common tool to scan for these vulnerabilities is wpscan:
The only thing that’s annoying about this tool is that it’s written in Ruby; I prefer tools written in Python or Golang. During the fingerprinting phase you should’ve discovered the technologies running on your target’s assets, so it should be easy to search for sites running WordPress. Once you find a site, scan it with wpscan as shown below:
● wpscan --url <URL>
● /wp-content/uploads/
Drupal is the third most popular CMS, yet I seem to run into Drupal sites more than Joomla. If you find a Drupal site, you want to use droopescan to scan it. This scanner can also scan additional CMSs:
● python3 droopescan scan drupal -u <URL Here> -t 32
WordPress is by far the most popular CMS, with over 60% of the market share. Joomla comes in second, so you can expect to run into this CMS as well. Unlike WordPress sites, which seem to be fairly locked down, Joomla is a mess. If you want to scan for vulnerabilities, the most popular tool is Joomscan:
● perl joomscan.pl -u <URL Here>
If you ever run into the Adobe AEM CMS, you’re about to find a whole bunch of vulnerabilities. 99% of the time this is an instant win! This CMS is riddled with public vulnerabilities and I’m 100% positive there are hundreds more zero days. Seriously, this is one of the worst CMSs I have ever seen. If you want to scan an AEM application for vulnerabilities, use the tool aemhacker:
● python aem_hacker.py -u <URL Here> --host <YOUR PUBLIC IP>
Note that in order to test for the SSRF vulnerabilities you need to have a public IP that the target server can connect back to.
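The flip side of the wpscan, droopescan, joomscan and aem_hacker runs above is that every one of them leaves a recognisable trail in the target's access log. The script below is an added example from the defender's side, not code from this book or from any of those scanners: it parses combined-format access log lines and flags a client either because its User-Agent names a known scanner or because it requests several different CMS fingerprint paths for one CMS within a short window. The log lines are constructed, and the User-Agent substring list is an assumption about the tools' default agents (wpscan advertises itself; the others can be made to look like a browser), so the path-based rule is the one to rely on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Paths CMS scanners request while fingerprinting. More specific prefixes come first
# so a request is credited to exactly one entry.
PROBE_PATHS = {
    "wordpress": ("/wp-content/uploads/", "/wp-content/plugins/", "/wp-includes/",
                  "/xmlrpc.php", "/readme.html", "/wp-login.php"),
    "drupal": ("/core/CHANGELOG.txt", "/CHANGELOG.txt", "/misc/drupal.js", "/user/login"),
    "joomla": ("/administrator/manifests/files/joomla.xml", "/language/en-GB/en-GB.xml",
               "/administrator/index.php"),
    "aem": ("/crx/de/", "/system/console", "/bin/querybuilder.json", "/etc.json",
            "/libs/granite/core/content/login.html"),
}

# Assumed default User-Agent markers; verify against the scanner versions you see.
SCANNER_AGENTS = ("WPScan", "droopescan", "JoomScan", "aem-hacker")

# Constructed sample: one wpscan run, one quiet Drupal probe, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /readme.html HTTP/1.1" 200 512 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-content/uploads/ HTTP/1.1" 403 199 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
198.51.100.23 - - [10/Mar/2024:12:05:10 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:05:11 +0000] "GET /core/CHANGELOG.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:05:12 +0000] "GET /misc/drupal.js HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:12:10:00 +0000] "GET /blog/hello-world HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:12:10:03 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 55120 "https://example.test/blog/hello-world" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:12:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def match_probe(path):
    """Return (cms, probe_prefix) when the path is a known fingerprint path, else None."""
    for cms, prefixes in PROBE_PATHS.items():
        for prefix in prefixes:
            if path.startswith(prefix):
                return cms, prefix
    return None


def detect_scans(lines, window_seconds=60, min_probes=3):
    """Return {ip: {"reason": ..., "detail": ...}} for clients that look like CMS scanners.

    Distinct probe *entries* are counted, not distinct URLs, so a visitor loading
    many images under /wp-content/uploads/ is credited with a single probe.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        agent_hit = next((r["agent"] for r in recs
                          if any(sig in r["agent"] for sig in SCANNER_AGENTS)), None)
        if agent_hit:
            findings[ip] = {"reason": "scanner user-agent", "detail": agent_hit}
            continue
        probes = defaultdict(list)  # cms -> [(time, prefix), ...] in time order
        for rec in recs:
            hit = match_probe(rec["path"])
            if hit:
                probes[hit[0]].append((rec["time"], hit[1]))
        for cms, hits in probes.items():
            for i, (start, _) in enumerate(hits):
                in_window = {p for t, p in hits[i:]
                             if (t - start).total_seconds() <= window_seconds}
                if len(in_window) >= min_probes:
                    findings[ip] = {"reason": f"{cms} fingerprint burst",
                                    "detail": sorted(in_window)}
                    break
            if ip in findings:
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(ip, finding["reason"], finding["detail"])
```

Run against real logs by feeding `detect_scans()` the file's lines; tune `window_seconds` and `min_probes` to the site's traffic, since a CMS that serves its own `/wp-login.php` and `/user/login` to staff will generate one or two legitimate hits per session and only a burst of several different fingerprint paths is suspicious.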
There are hundreds of different CMSs so it wouldn’t be practical for me to mention every single one of them. The vast majority of sites are going to be running WordPress, Joomla, and Drupal but you still might run into other CMSs.
For instance, if I discover a CMS named “Magento” I would perform the following search on exploit-db:
Over half of the internet is run by a CMS framework, so you are almost guaranteed to run into a CMS at one point or another. When you do find a CMS, you don’t want to waste time manually testing the endpoint; you want to test for known CVEs and misconfigurations. The best way to do this is to find some sort of CMS-specific vulnerability scanner. If you can’t find one, you can try searching exploit-db and Google for known CVEs. If you still come up empty-handed, it’s probably best to move on unless you’re hunting for zero days.