Pentest Tools

Published on February 22nd, 2015 📆 | 3500 Views ⚑

0

CMSmap – A simple CMS vulnerability Scanner


iSpeech
CMSmap is a simple Python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool. At the moment of writing, CMSmap supports WordPress, Joomla and Drupal.

This tool saves time during a penetration test when you come across a CMS. CMSmap runs a variety of tests in order to highlight plenty of possible misconfigurations and vulnerabilities that the target website may suffer.

Please note that this project is an early stage. As such, you might find bugs, flaws or malfunctions. In short, use it at your own risk.

The purpose of this blog entry is to provide an overview about the results, functions and features that CMSmap does when it is executed. There are a number of tools that scan CMSs in order to find vulnerabilities, such as WPscan for WordPress and JoomlaScan for Joomla. The goal of CMSmap is not to replicate these tools, but to combine scanning of different CMSs into one single tool; you could say that I was inspired by the other tools.

[adsense size='1']

First of all, CMSmap detects the CMS type of the target website. So for example, if the target website is running a WordPress installation, CMSmap will run all scans tailored for WordPress.

CMSmap comes with a list of default WordPress, Joomla and Drupal plugins. You don’t need to find a list of plugins for the corresponding CMS type. This is quite useful for Drupal and Joomla, since their websites don’t provide a list of vulnerable plugins in a such nice format which could be exported in a text file and use it. However, if the user wants to use a specific list rather than the default one, they can easily edit one of the CMSmap default files.

For each CMS type, CMSmap run a bunch of tests, from the simplest ones such as detection of CMS version, theme and default files to the more time consuming ones such as detection of plugins.

CMSmap is a multithreading tool, and by default is set to 5 threads. This is to reduce the likelihood of causing denial of service on the target website. However, there is an option that allows a user to increase the number of threads, and thus the speed of scanning.





CMSmap is meant to be easy to use, in sense that the only mandatory option is the target URL. However, CMSmap includes a brute-forcing module as well. If the user wants to run a brute-forcing attack, password/username files must be provided along with the URL. By default, Drupal is the only CMS that will lockout user accounts after a certain number of failed attempts. This means that unless a specific security plugin is installed you are pretty much free to brute force WordPress and Joomla login forms.

The core of CMSmap is to detect vulnerable plugins and provide a list of potential exploits by querying the Exploit Database website (www.exploit-db.com). This is because, unless a really old version of the core CMS is installed, the easiest way to take over a CMS website is by exploiting a vulnerable plugin . In order to do that CMSmap identifies plugins by scanning the web directory, and then for each plugin it queries the Exploit Database. In this way, whenever a new exploit is published on the Exploit Database, CMSmap would be able to report it.

This project is ongoing so please remember to run the update option whenever you have the intention to use it. The project is hosted on GitHub and you can easily install it by cloning the repository:

git clone https://github.com/dionach/CMSmap[/codefilter_code]

For a more comprehensive list of all features supported by CMSmap you can read the CHANGELOG.txt file.

Hopefully you will find this tool quite handy and save time when you face a CMS during a penetration test.

 

Read More Here

Tagged with:



Comments are closed.