CMS Vulnerability Scanners

CMS (Content Management System) is very popular, easy to install and mostly setup once and forget by “admins”.

In general, there are quite serious vulnerabilities in popular CMS, as is the case with any software. Bugs are patched fairly quickly. Responsible companies and administrators install patches ASAP. Due to the fact that anyone without knowledge can build a website based on one of the popular CMS, there are millions of them on the web. Unfortunately, most not updated. Each CMS also has the ability to install themes and addons, which are also vulnerable. Often, themes and addons are abandoned after few years if not developed by professionals.

Thanks to this, you can get access to many servers and a mass of data. Private blogs, educational systems, small and large communities, small and medium-sized companies but also, unfortunately, government institutions. How many times has a political group, state institution or health service put a website on WordPress, Joomla or Drupal, and don’t give a fuck for service or support, leaking out data for each script kiddie.

The beginnings of my career are private companies supporting the public sector. I even worked for a state-owned company once. I do not know if in all countries, but in Poland, the public sector is a poor salary, too many obligations and lack of training or development path. Plus, no money for anything, so if something works, don’t touch it. Safety is by definition the same as accepting the risk. Besides, you always have a supervisor over you who has no idea what you are doing, he will give out senseless orders and is your boss only because his uncle is from the party that is in charge of the country at the moment. At the next election, another idiot replaces him. Uhh, bad memories, and that’s not what the article was supposed to be about :)

Now, that we know all those WordPreses, Joomlas, Drupals, Moodles and other CMS-ish shit, are old and leaky, we can spoil them. Also without much knowledge, using ready-made scripts. Freedom for $crIpT kIddI3$!

It is known that when using Burp or OWASP ZAP you will always find something, but there are already solutions to help you find weak spots. Lets check them.

Multi scanners

All in one solutions. Worth to start with these for popular CMS.

Droopescan

A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.

https://github.com/SamJoan/droopescan

Specified CMS scan:

droopescan scan drupal -u example.org

Auto detect:

droopescan scan -u example.org

Mass scan:

droopescan scan -U list_of_urls.txt

CMSeeK

CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs

https://github.com/Tuhinshubhra/CMSeeK

Usage:

python3 cmseek.py (for guided scanning) OR
python3 cmseek.py [OPTIONS] <Target Specification>

CMSScan

CMS Scanner: Scan Wordpress, Drupal, Joomla, vBulletin websites for Security issues. It is using centralized Security Dashboard for CMS Security scans. It is powered by wpscan, droopescan, vbscan and joomscan.

https://github.com/ajinabraham/CMSScan

Run web interface:

./run.sh

Wordpress

WordPress CMS vulnerability scanners.

WPScan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

https://github.com/wpscanteam/wpscan

Default scan:

wpscan --url example.com

To use WPScan’s enumeration capabilities supply the -e option.

The following enumeration options exist:

• vp (Vulnerable plugins)

• ap (All plugins)

• p (Popular plugins)

• vt (Vulnerable themes)

• at (All themes)

• t (Popular themes)

• tt (Timthumbs)

• cb (Config backups)

• dbe (Db exports)

• u (User IDs range. e.g: u1-5)

• m (Media IDs range. e.g m1-15)

If no option is supplied to the -e flag, then the default will be: vp,vt,tt,cb,dbe,u,m

Password brute force attack:

wpscan --url example.com -e u --passwords /path/to/password_file.txt

WPForce

WPForce is a suite of Wordpress Attack tools.

https://github.com/n00py/WPForce

python wpforce.py -i usr.txt -w pass.txt -u "http://www.example.com"

Online Scanners

There are also free online WordPress scanners.

• https://www.malcare.com/wordpress-malware-scan/
• https://gf.dev/wordpress-security-scanner
• https://wpsec.com/

Joomla

Joomla CMS vulnerability scanners.

JoomScan

OWASP Joomla Vulnerability Scanner Project.

https://github.com/OWASP/joomscan

Default checks:

perl joomscan.pl --url www.example.com

Enumerate installed components:

perl joomscan.pl --url www.example.com --enumerate-components

Drupal

Drupal CMS vulnerability scanners.

Drupwn

Drupal enumeration & exploitation tool.

https://github.com/immunIT/drupwn

Enumeration:

python3 ./drupwn --mode enum --target http://example.com/drupal

Exploitation:

python3 ./drupwn --mode exploit --target http://example.com/drupal

Typo3

Typo3 CMS vulnerability scanners.

Typo3Scan

Enumerate Typo3 version and extensions.

https://github.com/whoot/Typo3Scan

To get a list of all options use:

python3 typo3scan.py -h

Example:

python3 typo3scan.py -d http://example.com/ --vuln

vBulletin

vBulletin CMS vulnerability scanners.

VBScan

OWASP VBScan is a Black Box vBulletin Vulnerability Scanner.

./vbscan.pl <target>
./vbscan.pl http://example.com/vbulletin