CMS Explorer In Back Track

So I am studying for the OSCP (Offensive Security Certified Professional) certification and I’ve been playing around with some of the more obscure items in the Back Track Linux Distribution. One such item is CMS Explorer that enumerates through content management systems plug-ins and themes to look for vulnerabilities in the Drupal, WordPress, Joomla!, Mambo CMS.

The syntax is fairly straightforward and the results are fairly accurate. The cool thing is that it can tie in to the OSVDB database but you need to do two things to make it work properly.

  1. Sign up for a OSVDB api account.
  2. Navigate to the /pentest/enumeration/web/cms-explorer directory and create a blank file called osvdb.key
  3. In that file place your api key.
  4. Run it! ./cms-explorer.pl -url http://eric.ness.net -type wordpress -osvdb

Here are the results for my blog. As you can see this site is fairly light and all the vulnerabilities according to OSVDB are “unknown impact and attack vectors ” or listed as “flagged as being a Myth/Fake”.

  1. http://osvdb.org/37290
  2. http://osvdb.org/62683
  3. http://osvdb.org/56762

Only downside for this enumeration is that it is fairly slow and can take up to an hour or more to run.

root@bt:/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://eric.ness.net -type wordpress -osvdb
*******************************************************
Beginning run against http://eric.ness.net/...
Testing themes from wp_themes.txt...
Theme Installed:        wp-content/themes/monochrome/
Testing plugins...
Plugin Installed:        wp-content/plugins/akismet/
Plugin Installed:        wp-content/plugins/all-in-one-seo-pack/
Plugin Installed:        wp-content/plugins/codesnippet-20/
Plugin Installed:        wp-content/plugins/contact-form-7/
Plugin Installed:        wp-content/plugins/sexybookmarks/
Plugin Installed:        wp-content/plugins/syntaxhighlighter/
Plugin Installed:        wp-content/plugins/tweet-blender/
Plugin Installed:        wp-content/plugins/wp-cache/
Plugin Installed:        wp-content/plugins/wp-pagenavi/
*******************************************************
Summary:
Theme Installed:        wp-content/themes/monochrome/
    URL            http://eric.ness.net/wp-content/themes/monochrome/
    SVN            http://themes.svn.wordpress.org/wp-content/themes/monochrome/
Plugin Installed:        wp-content/plugins/akismet/
    URL            http://eric.ness.net/wp-content/plugins/akismet/
    SVN            http://svn.wp-plugins.org/wp-content/plugins/akismet/trunk/
    http://osvdb.org/37290    Akismet for WordPress akismet.php Unspecified Issue
    http://osvdb.org/62683    WordPress wp-content/plugins/akismet/akismet.php add_action() Function Path Disclosure
Plugin Installed:        wp-content/plugins/all-in-one-seo-pack/
    URL            http://eric.ness.net/wp-content/plugins/all-in-one-seo-pack/
    SVN            http://svn.wp-plugins.org/wp-content/plugins/all-in-one-seo-pack/trunk/
Plugin Installed:        wp-content/plugins/codesnippet-20/
    URL            http://eric.ness.net/wp-content/plugins/codesnippet-20/
    SVN            http://svn.wp-plugins.org/wp-content/plugins/codesnippet-20/trunk/
Plugin Installed:        wp-content/plugins/contact-form-7/
    URL            http://eric.ness.net/wp-content/plugins/contact-form-7/
    SVN            http://svn.wp-plugins.org/wp-content/plugins/contact-form-7/trunk/
Plugin Installed:        wp-content/plugins/sexybookmarks/
    URL            http://eric.ness.net/wp-content/plugins/sexybookmarks/
    SVN            http://svn.wp-plugins.org/wp-content/plugins/sexybookmarks/trunk/
Plugin Installed:        wp-content/plugins/syntaxhighlighter/
    URL            http://eric.ness.net/wp-content/plugins/syntaxhighlighter/
    SVN            http://svn.wp-plugins.org/wp-content/plugins/syntaxhighlighter/trunk/
Plugin Installed:        wp-content/plugins/tweet-blender/
    URL            http://eric.ness.net/wp-content/plugins/tweet-blender/
    SVN            http://svn.wp-plugins.org/wp-content/plugins/tweet-blender/trunk/
Plugin Installed:        wp-content/plugins/wp-cache/
    URL            http://eric.ness.net/wp-content/plugins/wp-cache/
    SVN            http://svn.wp-plugins.org/wp-content/plugins/wp-cache/trunk/
    http://osvdb.org/56762    WP Super Cache for WordPress wp-cache-phase1.php plugin Parameter Remote File Inclusion
Plugin Installed:        wp-content/plugins/wp-pagenavi/
    URL            http://eric.ness.net/wp-content/plugins/wp-pagenavi/
    SVN            http://svn.wp-plugins.org/wp-content/plugins/wp-pagenavi/trunk/
本文摘自网络网络安全攻防研究室(www.91ri.org) 信息安全小组收集整理.