CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS-driven web sites are running.
Additionally, CMS Explorer can be used to aid in security testing.
While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible.
This is done by retrieving the module's current source tree and then requesting those file names from the target system.
These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
CMS Explorer can also search OSVDB for vulnerabilities in the installed components.
CMS Explorer currently supports module/theme discovery with the following products:
* Drupal
* Wordpress
* Joomla!
* Mambo
And exploration of the following products:
* Drupal
* Wordpress
Usage
backbox@backbox:~$ cms-explorer
*****************************************************************
WARNING: No osvdb.org API key defined, searches will be disabled.
*****************************************************************
ERROR: Missing -url
backbox@backbox:~$ cms-explorer -url url -type type [options]
Options:
-bsproxy+ Proxy to route findings through (fmt: host:port)
-explore Look for files in the theme/plugin dir
-help This screen
-osvdb Do OSVDB check for finds
-plugins Look for plugins (default: on)
-pluginfile+ Plugin file list
-proxy+ Proxy for requests (fmt: host:port)
-themes Look for themes (default: on)
-themefile+ Theme file list (default: themes.txt)
-type+* CMS type: Drupal, Wordpress, Joomla, Mambo
-update Update lists from Wordpress/Drupal (over-writes text files)
-url+* Full url to app's base directory
-verbosity+ 1-3
+ Requires value
* Required option
Options
* bsproxy (requires value): The proxy to route any found files through. Format can be like 'http://host:port/', 'host:port' or just 'host'. If port is not specified, the default is 80.
* explore: Look for additional theme/plugin files. Only supported for Drupal and Wordpress.
* osvdb: Check osvdb.org for vulnerabilities in the installed components. Requires an API key to be in a file called osvdb.key.
* plugins: Look for plugins/module/component files. By default this is enabled and both plugins and themes will be checked.
* pluginfile+ (requires value): Alternative plugin file list.
* proxy+ (requires value): Proxy for base requests. Format can be like 'http://host:port/', 'host:port' or just 'host'. If port is not specified, the default is 80.
* themes (requires value): Look for themes. By default this is enabled and both plugins and themes will be checked.
* themefile+ (requires value): Alternative theme file list.
* type+ (required, requires value): The CMS type to be tested: Drupal, Wordpress, Joomla/Mambo.
* update: Update the default lists from Wordpress and Drupal. This over-writes the current files with fresh copies.
* url+ (required, requires value): Full URL to application's root directory (where the CMS is installed).
* verbosity+ (requires value): 1-3 in increasing levels of output.
Example Usage
Test for Wordpress plugins and themes against example.com, with low verbosity and explore for additional files. Route all "found" items using the bootstrap proxy running on port 8080 of localhost.
backbox@backbox:~$ cms-explorer -url http://example.com/ -v 1 -bsproxy localhost:8080 -explore -type wordpress
Test for Wordpress themes on example.com using themelist.txt, with full verbosity and explore using the bootstrap proxy on port 80 of localhost.
backbox@backbox:~$ cms-explorer -url http://example.com/ -v 3 -bsproxy localhost -explore -themes -themefile themelist.txt -type wordpress
Test for Drupal plugins/themes on example.com, with normal verbosity and no exploration.
backbox@backbox:~$ cms-explorer -url http://example.com/ -type drupal
Test for Mambo (or Joomla) components/modules and templates, and search OSVDB.
backbox@backbox:~$ cms-explorer -url http://example.com/ -type joomla -osvdb
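From the defender's side, the list-driven plugin/theme discovery and the -explore requests described above appear in web server access logs as one client asking for many distinct component directories, most of which do not exist. The following Python is an added example, not part of CMS Explorer; it assumes the standard WordPress wp-content layout and Combined Log Format, and the thresholds and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: captures client address, request path and status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Assumption: standard WordPress layout for plugin and theme directories.
COMPONENT_RE = re.compile(r'/wp-content/(plugins|themes)/([^/?#]+)')

def find_enumeration(lines, min_distinct=5, min_miss_ratio=0.6):
    """Return {client: stats} for clients that probed many distinct
    plugin/theme names, most of which answered 404."""
    probes = defaultdict(dict)  # client -> {(kind, name): status}
    for line in lines:
        m = LOG_RE.match(line)
        c = COMPONENT_RE.search(m.group(2)) if m else None
        if not c:
            continue
        client, status = m.group(1), int(m.group(3))
        key = (c.group(1), c.group(2).lower())
        # A component counts as present once any request under it is not a 404.
        prev = probes[client].get(key, 404)
        probes[client][key] = prev if prev != 404 else status
    flagged = {}
    for client, seen in probes.items():
        misses = sum(1 for s in seen.values() if s == 404)
        if len(seen) >= min_distinct and misses / len(seen) >= min_miss_ratio:
            flagged[client] = {"distinct": len(seen), "missing": misses,
                               "present": sorted(n for (_, n), s in seen.items() if s != 404)}
    return flagged

# Constructed sample log: one enumerating client, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-content/plugins/alpha-gallery/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-content/plugins/beta-forms/ HTTP/1.1" 403 153
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-content/plugins/gamma-seo/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-content/plugins/delta-cache/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-content/themes/epsilon/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-content/themes/zeta/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /wp-content/plugins/beta-forms/readme.txt HTTP/1.1" 200 911
198.51.100.20 - - [10/Oct/2023:13:56:10 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-content/themes/beta-theme/style.css HTTP/1.1" 200 2048
198.51.100.20 - - [10/Oct/2023:13:56:11 +0000] "GET /wp-content/plugins/beta-forms/form.js HTTP/1.1" 200 733
""".splitlines()

if __name__ == "__main__":
    for client, stats in find_enumeration(SAMPLE_LOG).items():
        print(client, stats)
```

The "present" list shows which components the client confirmed, which is the same inventory to review for patch level and for library files that should not be directly reachable.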