Attacking Common Applications
During engagements, you'll often encounter popular web applications that can provide valuable entry points or insights into the target environment.
Discovery
nmap: Use nmap to scan for common web ports and gather initial data about the services running on a target host.
After scanning with nmap, tools like EyeWitness and Aquatone can process the results to create detailed reports with screenshots of each discovered web page.
Content Management Systems (CMS)
CMS platforms are widely used and can be a rich target for enumeration and exploitation. Below, we detail approaches for attacking WordPress, Joomla, and Drupal.
WordPress
Identification & Enumeration:
Recognizing a WordPress Site:
Check the /robots.txt file; it may include entries like Disallow: /wp-admin/
View the page source for meta tags such as:
Key Information to Gather:
WordPress version
Installed themes and plugins (look for readme.txt files in /wp-content/plugins/<Plugin-Name>/)
Published user names (e.g., via author archives or meta tags)
Files in /wp-content/uploads/
Attacking WordPress:
WPScan:
WPScan is an automated WordPress enumeration tool. It can scan for outdated themes, plugins, and known vulnerabilities.
It can be used to:
Enumerate users, plugins, and themes
Perform vulnerability assessments by integrating with WPVulnDB via an API token
Example Command to Enumerate Plugins:
Login Bruteforce:
WPScan supports brute-forcing using either the standard wp-login page or the faster /xmlrpc.php endpoint. Both types of attack can be automated using WPScan.
Code Execution via Theme Editor:
With administrative access, you can modify PHP files via the Theme Editor, which can be used to deploy a webshell (theme files are found in /wp-content/themes/<Theme-Name>).
Exploitation Steps:
Login to the wp-admin page.
Access the Theme editor.
Find a PHP page.
Edit the page to add a webshell.
Access the page using:
/wp-content/themes/<Theme-Name>
Exploiting Vulnerable Plugins:
Always check the installed plugins; there is a chance that some of them are vulnerable.
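A defender's view of the two WordPress attacks described above (login brute force via wp-login or /xmlrpc.php, and code edits through the Theme Editor), as an added example that is not part of the original notes: a small Python detector run over constructed access-log lines. It assumes Apache-style Combined Log Format and that the Theme Editor endpoint is /wp-admin/theme-editor.php.

```python
import re
from collections import Counter
# Combined/Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Endpoints the notes describe as WPScan brute-force targets.
BRUTE_FORCE_PATHS = {"/wp-login.php", "/xmlrpc.php"}
# Assumed path of the wp-admin Theme Editor used to edit theme PHP files.
THEME_EDITOR_PATH = "/wp-admin/theme-editor.php"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec

def detect(lines, threshold=5):
    """Return (brute_force, theme_edits).
    brute_force: {ip: count} for IPs with >= threshold POSTs to wp-login.php
    or xmlrpc.php (one xmlrpc call can batch many attempts, so keep it low).
    theme_edits: [(ip, ts)] for every POST to the Theme Editor, which
    should be rare and is worth a manual review."""
    posts, theme_edits = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] in BRUTE_FORCE_PATHS:
            posts[rec["ip"]] += 1
        elif rec["path"] == THEME_EDITOR_PATH:
            theme_edits.append((rec["ip"], rec["ts"]))
    return {ip: n for ip, n in posts.items() if n >= threshold}, theme_edits

def _line(ip, method, path, status="200"):
    return f'{ip} - - [10/Mar/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample log (not real traffic): two noisy sources, one normal user.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-login.php") for _ in range(6)]
    + [_line("198.51.100.9", "POST", "/xmlrpc.php") for _ in range(6)]
    + [_line("192.0.2.5", "GET", "/wp-login.php"),
       _line("192.0.2.5", "POST", "/wp-login.php", "302")]
    + [_line("203.0.113.7", "POST", "/wp-admin/theme-editor.php?file=404.php")]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

In production the counts should be taken per time window rather than over the whole file, and a Theme Editor write from an address that never appeared in wp-admin before is the strongest signal.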
Joomla
Identification & Enumeration:
Recognizing a Joomla Site:
Check /robots.txt for directory hints (e.g., references to /joomla/)
Look in the page source for meta tags such as:
Files like README.txt or administrator manifests can provide version details.
Tools for Enumeration:
droopescan and JoomlaScan can help enumerate Joomla-specific configurations and vulnerabilities.
joomla-bruteforce can be used to perform login brute-forcing.
Attacking Joomla:
Login Bruteforce:
Use tools like joomla-bruteforce to test common credentials against the Joomla login page.
Code Execution via Template Editing:
With administrative access, you can modify PHP files via the Template Editor, which can be used to deploy a webshell.
Exploitation Steps:
Login to the admin panel.
Access the template editor.
Find a PHP page.
Edit the page to add a webshell.
Access the page using:
/templates/<Page-Name>
Vulnerable Versions:
Always verify if the target Joomla version is outdated or known to be vulnerable to specific exploits.
Drupal
Identification & Enumeration:
Recognizing a Drupal Site:
Look for clues in the header or footer such as “Powered by Drupal”
Check for the presence of files like CHANGELOG.txt, README.txt, or a typical Drupal logo
Notice URIs of the form /node/<nodeid>, which indicate content indexing by Drupal
Tools for Enumeration:
droopescan can be used to enumerate Drupal sites and gather version information.
Attacking Drupal:
PHP Filter Module Exploitation (Pre-Drupal 8):
In older Drupal versions, an admin might enable the PHP filter module, which allows PHP code to be inserted into pages, making it possible to execute arbitrary PHP code on the server.
Uploading a Malicious Module:
Drupal allows the upload of new modules. By creating a backdoored module, you can inject a web shell.
Modules can be found on the Drupal website.
Download the archive and extract its contents.
Create a PHP web shell with the payload contents.
Make sure to add a .htaccess file to gain access to the module folder. (The configuration below will apply rules for the / folder when we request a file in /modules.)
Copy both of these files to the module folder and create an archive of the module.
Vulnerable Versions:
Always verify if the target Drupal version is outdated or known to be vulnerable to specific exploits (e.g., Drupalgeddon).
Servlet Containers/Software Development
Tomcat