Tuesday, 18 October 2011

CMS Explorer : Reveal CMS Components out of the Site



CMS Explorer is used to discover and list the modules, plugins, components and themes that a CMS-driven site is running.

It is also a useful aid in security testing. The tool itself performs no specific security checks, but its "explore" option can be used to find hidden or library files that normal web clients never request yet are still reachable. It works by retrieving the current source tree of each detected module and then requesting those file names from the target. The requests can be routed through a separate proxy, so every discovered file lands directly in tools such as WebInspect, Burp, etc. for further testing.

It currently supports module/theme discovery for Drupal, WordPress, Joomla and Mambo.
Drupal and WordPress can additionally be explored.

Overview:

This explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running.
Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, WebInspect, etc.
CMS Explorer can also search OSVDB for vulnerabilities with the installed components.
CMS Explorer currently supports module/theme discovery with the following products:
Drupal
Wordpress
Joomla!
Mambo
And exploration of the following products:
Drupal
Wordpress
To install it, unpack the archive. If you want OSVDB lookups, create a file named "osvdb.key" in the CMS Explorer directory and put your OSVDB API key on its first line.
Then run "./cms-explorer.pl" once with no arguments to confirm the script starts without errors (for example a missing Perl module).

Usage:

To use CMS Explorer you must specify at least the URL of the CMS "root" and the CMS type. So, why root? The root is the base URL under which the CMS is installed, i.e. the directory holding the CMS's top-level structure. For WordPress, for instance, the root is the directory that contains the wp-content and wp-admin directories.

If you specify an incorrect root, one that does not exist at all, CMS Explorer will not stop. It keeps running, requesting every candidate path, but returns no results. So confirm the root before a long run, for example by checking that wp-admin/ or wp-content/ resolves under it.
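The discovery logic described above (build candidate plugin/theme URLs under the CMS root, request them, keep whatever does not 404, optionally through a proxy), written out as an added Python illustration. This is not the tool's own Perl code: the WordPress paths are assumed from its well-known layout rather than taken from the tool's lists, the function names are mine, and the target site is a constructed map of URL to HTTP status so the example runs offline. It also adds the pre-flight root check the paragraph above recommends.

```python
"""Plugin/theme discovery in the style of CMS Explorer's -plugins/-themes
behaviour. Added illustration, not the tool's own code."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Assumed WordPress layout: paths whose presence indicates the CMS root.
WP_ROOT_MARKERS = ("wp-admin/", "wp-content/", "wp-login.php")
# Files to request under each candidate directory ("" = the directory itself).
WP_KIND_PATHS = {
    "plugins": ("wp-content/plugins/", ("readme.txt", "")),
    "themes": ("wp-content/themes/", ("style.css", "")),
}


def normalize_root(root):
    """Ensure the root ends in '/', otherwise urljoin drops the last path element."""
    return root if root.endswith("/") else root + "/"


def looks_like_root(root, fetch):
    """Pre-flight check for the 'wrong root keeps running with no results' case:
    a real WordPress root answers non-404 for at least one marker path."""
    root = normalize_root(root)
    return any(fetch(urljoin(root, m)) != 404 for m in WP_ROOT_MARKERS)


def candidates(root, names, kind):
    """Yield (name, url) pairs for every file we would request per candidate name."""
    root = normalize_root(root)
    sub, files = WP_KIND_PATHS[kind]
    for name in names:
        for f in files:
            yield name, urljoin(root, f"{sub}{name}/{f}")


def discover(root, names, kind, fetch):
    """Return {name: [(url, status), ...]} for names with at least one non-404 hit.
    A 403 on the directory is kept: it proves the directory exists even though
    listing is denied, which is exactly the evidence enumeration needs."""
    found = {}
    for name, url in candidates(root, names, kind):
        status = fetch(url)
        if status != 404:
            found.setdefault(name, []).append((url, status))
    return found


def http_fetch(proxy=None):
    """Real fetcher: GET the URL and return the final HTTP status. Passing
    proxy='http://localhost:8080' plays the role of -bsproxy: every request
    goes through Burp, so the found files sit in its history afterwards."""
    handlers = []
    if proxy:
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    opener = urllib.request.build_opener(*handlers)

    def fetch(url):
        try:
            with opener.open(url, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return fetch


# Constructed target: a WordPress site with the akismet plugin and twentyeleven theme.
SAMPLE_SITE = {
    "http://somesite.com/wp-admin/": 200,
    "http://somesite.com/wp-content/plugins/akismet/": 403,
    "http://somesite.com/wp-content/plugins/akismet/readme.txt": 200,
    "http://somesite.com/wp-content/themes/twentyeleven/style.css": 200,
}


def fake_fetch(url):
    """Offline stand-in for http_fetch(): anything not in the map is a 404."""
    return SAMPLE_SITE.get(url, 404)


if __name__ == "__main__":
    root = "http://somesite.com/"
    if not looks_like_root(root, fake_fetch):
        raise SystemExit(f"{root} does not look like a WordPress root")
    print(discover(root, ["akismet", "hello-dolly"], "plugins", fake_fetch))
    print(discover(root, ["twentyeleven", "twentyten"], "themes", fake_fetch))
```

Against a live target you would swap fake_fetch for http_fetch("http://localhost:8080") and feed discover() a real name list; the 403 handling matters because many hosts deny directory listings while still serving the files inside, so treating only 200 as a hit undercounts installed components.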

Switches:

-bsproxy <proxy>: The proxy to route any found files through. Format can be 'http://host:port/', 'host:port' or just 'host'. If no port is given, the default is 80.
-explore: Look for additional theme/plugin files. Only supported for Drupal and WordPress.
-osvdb: Check osvdb.org for vulnerabilities in the installed components. Requires an API key in a file called osvdb.key.
-plugins: Look for plugin/module/component files. Enabled by default; both plugins and themes are checked unless you say otherwise.
-pluginfile <file>: Alternative plugin file list.
-proxy <proxy>: Proxy for the base requests. Same format as -bsproxy; default port 80.
-themes: Look for themes. Enabled by default; both plugins and themes are checked unless you say otherwise.
-themefile <file>: Alternative theme file list.
-type <cms> (required): The CMS type to be tested: Drupal, Wordpress, Joomla/Mambo.
-update: Update the default lists from WordPress and Drupal. This overwrites the current list files with fresh copies.
-url <url> (required): Full URL to the application's root directory (where the CMS is installed).
-verbosity <1-3>: Increasing levels of output.

perl cms-explorer.pl -url http://somesite.com/ -v 1 -bsproxy localhost:8080 -explore -type wordpress
Here 8080 is the listener port of your own intercepting proxy (Burp's default), not a port on the target; if your proxy listens elsewhere, pass "localhost:<portnumber>" accordingly. "-v" is simply the abbreviated form of -verbosity. :)

By the way, let's be ready to have fun.

Download It Here :)

Other requirements:
Getopt::Long Perl module
LibWhisker (LW2): included, or download from http://www.wiretrip.net/rfp/lw.asp
OSVDB API key (optional): http://osvdb.org/api/about
