Content Management Systems

00:01

content management systems

00:03

are learning objectives are to understand what content management systems CMS are and why people use them

00:10

as well as identify how to enumerate and exploit the CMS.

00:14

If you've been on the internet, you've run into A CMS.

00:18

So when I was um an agent, I was trying to figure out how to build websites. Um

00:26

and I went to school for building websites with html and CSS

00:32

and javascript and basically learned how to build websites from the ground up. And it's hard. It's very hard.

00:39

Um so why do we have content management systems? We have them because it's a user friendly way to build a website if you have an e commerce site, um or if you're a small business or even a large business that wants to stand up a website quickly and in a user friendly way and have multiple people have access to be able to manage that, that content within that site,

01:02

the CMS is the way to go, and that's why you see them all over the place.

01:07

So it typically has a dashboard that a user an administrator can log into

01:12

and deal with things like blogs and plug ins and themes and make it look nice and add plug ins to it.

01:21

So it's really because it's so user friendly, so many people use them, making it such a big target for people to find zero days in them. Because if everyone is using the same technology across the internet,

01:34

it's profitable for an attacker to find a vulnerability in that content management system.

01:40

Because then you could exploit multiple sites, hundreds of sites, thousands of sites. If you see the news about wordpress and finding a vulnerable plug in, it says it affects, you know, 20,000 users plus. You know, it's just these large number of sites using these plug ins and that's why

01:59

is such a big target

02:01

for both us as good hackers um as well as a criminal element.

02:08

So popular CMS

02:10

Wordpress by far is the most popular. It's about 40% of all websites are using Wordpress. I have a Wordpress site for my son's blog. Um, so I can appreciate using Word having Wordpress

02:25

that uses themes and plug ins and that's what will target as Attackers as we will look at themes and plug ins and see if they're vulnerable.

02:35

Um, and you you have to make sure that these themes and plug ins are updated

02:38

because if they're not and you're just sitting there on the internet with an outdated theme or plug in that has a vulnerability, An attacker is going to find it and exploit it

02:47

very user friendly. You don't need a lot of technical knowledge in order to know how to use it

02:53

and it's written in PHP and you'll see with each of these, they're all written in PHP So you should be thinking Web Shell needs to be PHP

03:00

once I get access to the administrator database or if I can upload a file it needs to be PHP

03:07

droop droop. Als also very, very popular. Um it requires a little bit more technical knowledge than Wordpress. It uses themes and modules. Each of these, you know, Wordpress triple in june will use some form of themes and plug ins modules, extensions, whatever you wanna call them. Just a way to upload

03:27

things onto the website to make it easier for you to run things like blogs

03:30

or commerce or whatever it may be. You can upload things like zip files and it just deploys it very easily. That's why so many people like CMS is the thing withdrew Apple is there have been various versions of something called Drew Apple getting

03:46

Um, which just means it affects every drew pull you every triple user who is using that version of droop ellipse. Like a core vulnerability that affects like drew Apple 7.1.

03:59

Um, for like a unauthenticated sequel injection and you can add um whatever user and pass where you want to to log into

04:10

the administrator dashboard. So all of these Drew pool gardens are various vulnerabilities that affect all of droop a little for that version.

04:17

So when there is a core issue that affects a particular version of each of these. Wordpress triple in Jumla.

04:24

It means every single version running that every single website running that version of the CMS is vulnerable. So that's why these things were so awful for people running these sites is because they were all vulnerable just by the nature of what version of droop, all they were running

04:40

june look, honestly I know the least about and it's open source, which means the license cost is free. I have to pay every month for Wordpress.

04:48

Um again, it uses templates and extensions and it's written in PHP.

04:54

Yeah.

04:56

How do we enumerate these? How do we figure out what's going on on these sites or what's vulnerable? What themes and plug ins are vulnerable Is we use for Wordpress, WP scan, which is already installed in Cali

05:10

go and get an account at WP skin dot com. You will need an api token for the lab.

05:17

It's a clue. It's a foot stomper.

05:19

So they told us in the police academy, so make sure you go out and get it. It makes it a whole lot easier to find vulnerable themes. And plug ins is getting the api token and using it when you use WP scan it's actively maintained.

05:35

Um it does cost money depending on how many uh how many times you want to use their a. p. I. I used the free version, I think it's 40 per day which is fine for me.

05:48

There's also a droop scan.

05:51

You can use it for Drew Apple Wordpress and silver stripe.

05:55

I've used this on Drew Apple and Wordpress. I really like WP scan for wordpress because it tells you you'll see in red when it finds something concerning.

06:06

Um But whereas like groups can it will do some enumeration but it's not going to like show you that red exclamation saying this is outdated.

06:15

So when you do it you kinda have to manually enumerate things a little bit more than you would with WP scan.

06:23

But I think it's better than nothing. You can use end map for wordpress but I've used it for wordpress and nothing beats WP skin for wordpress. So I'm not even gonna talk about end map and and Wordpress but know that you can also use

06:38

and map for wordpress

06:40

if worse comes to worse

06:43

troops can written in python. Um try it, give it a go and compare it to WP scan with Wordpress sites.

06:50

Yeah.

06:51

So what should our attack path be with content management systems?

06:57

Enumeration is always key. So we use our tools, we use WP scan. We used groups can or whatever else you find out there that you might like for enumerating these content management systems. Typically you'll find it by either finding their logo. That's why I show you the logos of each of them on the site or you'll you know, look at the source of the website

07:15

and see it's a Wordpress or Drew people or Jumla

07:20

and from there, figure out what tool you need to enumerate it for vulnerable themes and plug ins.

07:26

And once you do that, once you find a vulnerability depending on what it is, our goal is to get onto the dashboard. Of course, if you can upload a file with PHP, you can upload a shell and get on the server that way.

07:39

But also if you get on the dashboard, figure out how you can add PHP PHP file or modify an existing file to to make it vulnerable so we can get a shell from there and I'll show you that in the demo here next.

07:54

Once you do that, once once you get into the dashboard,

07:58

you can also try to figure out a lot of these CMS is have a my sequel database or some kind of sequel database

08:05

where you can get information about people who have registered as users and passwords and sensitive data. So

08:11

it's great to have access to the dashboard. It's also great to have access to the underlying database and I will also show you that in the demo coming up here.

08:22

So in summary, we should now understand what content management systems are and why people use them as well as identify how to enumerate and exploit A CMS. Hang on for the demo. I think you're gonna like it.