Vulnerabilities, to begin with, are potential holes in a system's security that anyone can exploit to gain access to the system. Over time, a lot of software has come up as a countermeasure, such as WPScan (WordPress) and JoomlaScan (Joomla). Among them is CMSmap; let's look at an overview of the results, functions, and features that CMSmap can give.

What is CMSmap?

CMSmap: Vulnerability Scanner

CMSmap is a simple, open-source CMS scanner written in Python that automates the process of detecting security flaws in the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool. At the moment, CMSmap supports WordPress, Joomla, and Drupal.

The core of this scanner is detecting vulnerable plugins and providing a list of potential exploits by querying the Exploit Database website (www.exploit-db.com), because, unless a really old version of the core CMS is installed, the easiest way to take over a CMS website is by exploiting a vulnerable plugin. To do that, it identifies plugins by scanning the web directory, and then queries the Exploit Database for each plugin. In this way, whenever a new exploit is published on the Exploit Database, CMSmap is able to report it.
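Plugin identification by scanning the web directory leaves a recognisable trace in the web server's access log: one client requesting many distinct plugin directories and mostly getting 404 back. The following is an added example (not CMSmap code and not from the original article) that flags such clients; the function names, thresholds, plugin directory list and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Typical plugin/extension directories for WordPress, Joomla and Drupal (assumed defaults).
PLUGIN_PATH = re.compile(
    r"^/(?:wp-content/plugins|components|sites/all/modules)/([A-Za-z0-9_.-]+)")
# Combined Log Format: client address, request path, response status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+)[^"]*" (\d{3}) ')

def find_plugin_enumeration(lines, min_distinct=20, min_miss_ratio=0.8):
    """Return {client: (distinct_plugins_probed, miss_ratio)} for clients that
    probe many distinct plugin directories and mostly receive 404."""
    probed, missed = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a GET/HEAD entry in the expected format
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        p = PLUGIN_PATH.match(path.split("?", 1)[0])
        if not p:
            continue
        slug = p.group(1).lower()
        probed[client].add(slug)
        # Only 404 counts as a miss: 403 often means the directory exists
        # but listing is disabled, which is a hit from the scanner's view.
        if status == 404:
            missed[client].add(slug)
    flagged = {}
    for client, slugs in probed.items():
        ratio = len(missed[client]) / len(slugs)
        if len(slugs) >= min_distinct and ratio >= min_miss_ratio:
            flagged[client] = (len(slugs), round(ratio, 2))
    return flagged

def sample_log():
    """Constructed log lines: one scanner-like client and one normal visitor."""
    ts = "[10/Oct/2023:13:55:36 +0000]"
    lines = []
    for i in range(25):
        status = 403 if i in (3, 17) else 404  # two of the probed plugins exist
        lines.append(f'203.0.113.7 - - {ts} "GET /wp-content/plugins/plugin-{i}/ '
                     f'HTTP/1.1" {status} 153 "-" "-"')
    for asset in ("contact-form/css/style.css?ver=1", "gallery/js/app.js"):
        lines.append(f'198.51.100.20 - - {ts} "GET /wp-content/plugins/{asset} '
                     f'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    for client, (count, ratio) in find_plugin_enumeration(sample_log()).items():
        print(f"{client}: probed {count} plugin directories, {ratio:.0%} not found")
```

A regular visitor only touches the few plugins a page actually loads, so the distinct-directory count separates the two even when the scanner runs with the default 5 threads.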

Features of CMSmap

  • First of all, CMSmap detects the CMS type of the target website. So for example, if the target website is running a WordPress installation, CMSmap will run all scans tailored for WordPress.
  • CMSmap comes with a list of default WordPress, Joomla and Drupal plugins. You don’t need to find a list of plugins for the corresponding CMS type. This tool saves time during a penetration test when you come across a CMS.
  • For each type, CMSmap runs a bunch of tests, from the simplest ones such as detection of CMS version, theme and default files to the more time-consuming ones such as detection of plugins.
  • It is a multithreaded tool, set to 5 threads by default. This is to reduce the likelihood of causing a denial of service on the target website. However, there is an option that allows a user to increase the number of threads, and thus the speed of scanning.
  • It includes a brute-forcing module as well. If the user wants to run a brute-forcing attack, password/username files must be provided along with the URL.

Now, let’s have a look at what a simple scan against a WordPress site looks like:

Command examples:

cmsmap.py https://example.com
cmsmap.py https://example.com -f W -F --noedb -d
cmsmap.py https://example.com -i targets.txt -o output.txt
[Screenshots: CMSmap command; CMSmap scanning progress]

From the picture above, we can see that it has identified a temporary configuration file, probably generated by the text editor Nano, that is anonymously accessible on the website. These files usually contain clear-text credentials to the login page of the website.

It runs a brute-forcing module during a scan. When a valid username is detected via a vulnerability, by default it will try a short (5 attempts) brute-force attack. This comes in handy when at least one user is using a very weak password.

In addition to having valid credentials, at this point the attacker accessing the web shell is able to execute operating system commands and attempt further compromise.

It comes with web shells for WordPress, Joomla, and Drupal. In case CMSmap is not able to upload them automatically, a user can do it manually.

Finally, CMSmap supports offline brute-force attacks on WordPress and Joomla password hashes via Hashcat, which can be useful to see whether users, including admins, are using weak passwords.

For a more comprehensive list of all features supported by CMSmap, you can read the CHANGELOG.txt file.

Project hosted on GitHub (test phase):

git clone https://github.com/dionach/CMSmap

Hopefully, you will find this tool quite handy and it will save you time when checking the security of your website.