Thread: How to pentest Joomla, Drupal and WordPress

  1. #1

    How to pentest Joomla, Drupal and WordPress

    Today, a new website is created about every minute. Anybody can be an owner of a website today very easily. Most new websites have the same look, page structure, different colors; the only difference is the logo of the website.

    All these websites are created with the same CMS. The CMS (Content Management System) is a web application system that has many tools for helping the web master to author content, customize the theme, administer the website, manage users, etc.

    Although the web master does not understand anything about web programming, he can still create a beautiful or nice website because the CMS is managed via a web interface. The web master can add a new feature to the CMS by installing a new plugin. A web master just has to click, click and click, then voilà! The new website has been created. The coin has 2 sides: the bad side is that if someone can find a vulnerability in the core of the CMS or a well-known plugin, he can then hack all websites that use the vulnerable CMS or vulnerable plugin too. In this article, I will discuss how to pentest 3 well-known CMS: Joomla, Drupal and Wordpress. This tutorial will show you how to get the information for the common CMS websites and how to pentest them.

    Identify the web
    The first thing we must know before pentesting the website is what CMS was used, because each CMS has different default files or structure. All these different things create the signature of each CMS. We can analyze the target website with the following 2 methods.

    By manual testing
    Normally, when a user has finished installing a CMS, he often forgets to remove unnecessary files from the website. Those files will be the signature of the CMS, and default configurations will let us know what CMS was used.

    Joomla
    • Example of unnecessary files: ‘joomla.xml’, ‘README.txt’, ‘htaccess.txt’
    • Configuration file’s path: <web-app-path>/configuration.php
    • Administrator login path: <web-app-path>/administrator
    • Plugin path: <web-app-path>/index.php?option=<pluginname>

    Wordpress
    • Example of unnecessary files: ‘readme.html’, ‘license.txt’
    • Configuration file’s path: <web-app-path>/wp-config.php
    • Administrator login path: <web-app-path>/wp-login.php
    • Plugin path: <web-app-path>/wp-content/plugins

    Drupal
    • Example of unnecessary files: ‘CHANGELOG.txt’, ‘UPGRADE.txt’, ‘README.txt’
    • Configuration file’s path: <web-app-path>/sites/default/settings.php
    • Plugin path: <web-app-path>/?q=<plugins-name>

    From the examples, we can see that each CMS clearly has different structures and important URLs, so we can classify each CMS very easily.

    By tools
    If you want to save time classifying a website, you can use some tools to classify it. So in this article, we will use CMS-Explorer and Wappalyzer to classify them.

    CMS Explorer
    CMS Explorer is a tool to check and search all plugins, modules, components and themes that are used in a website. But in this article, we will use it to identify the CMS only. The official website of CMS-Explorer is

    The syntax of CMS Explorer is:

    $ ./ -url <target-website> -type <cms-type>

    Example, Identify a website to be Joomla or

    $ ./ -url <target-website> -type joomla

    Wappalyzer is a browser extension for Firefox and Chrome that is used to uncover the technologies of a website. We will see the information of the website like type of CMS, web server information, Javascript frameworks, etc. You can download and install wappalyzer from

    Pentest the CMS
    After we know what the CMS is, you can use some tools to find the vulnerabilities of a website by the category of CMS.

    Joomscan (OWASP Joomla Security Scanner) is one of OWASP’s tools. Joomscan will detect the web server, check the Joomla version, and find every module that is used in the website. When the tool gets the module list, it will then test all modules with many different types of attacks like SQL Injection, File Inclusion, and Command Execution. The Official website of Joomscan is

    Example of Joomscan’s Usage

    Update Joomscan

    $ ./ update

    Use Joomscan to scan

    $ ./ -u

    Use Joomscan to scan via proxy:

    $ ./ -u -x

    Use joomscan to scan with user agent “Mozilla/5.0 (Windows NT 6.1; rv:6.0.1) Gecko/20110101 Firefox/11.0.1”

    $ ./ -u -g "Mozilla/5.0 (Windows NT 6.1; rv:6.0.1) Gecko/20110101 Firefox/11.0.1"


    WPScan (Wordpress Security Scanner) is a tool used to test and scan for vulnerabilities in Wordpress. WPScan can do many security tests like searching for a user from a website, brute forcing the administrator’s page, checking the version of Wordpress, etc. The official website of wpscan is

    Example of WPScan’s Usage

    Update WPScan

    $ ./wpscan.rb --update

    Use WPScan to scan

    $ ./wpscan.rb --url

    Use WPScan to scan via proxy:

    $ ./wpscan.rb --url --proxy

    Use wpscan search a list of user and check version of Wordpress of

    $ ./wpscan.rb --enumerate uv --url ""

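A defensive counterpart to the manual identification lists in the first post, added here as an example and not part of the original thread: a site owner can audit their own web root for the installer leftovers that give the CMS away. The function names and the assumption that the files sit directly under the web root (as the post lists them) are this example's own; the demo tree is constructed.

```python
import os
import tempfile

# Signatures copied from the lists in the first post: the configuration file
# path identifies the CMS, the "unnecessary files" are installer leftovers.
SIGNATURES = {
    "joomla": {"config": "configuration.php",
               "leftovers": ["joomla.xml", "README.txt", "htaccess.txt"]},
    "wordpress": {"config": "wp-config.php",
                  "leftovers": ["readme.html", "license.txt"]},
    "drupal": {"config": "sites/default/settings.php",
               "leftovers": ["CHANGELOG.txt", "UPGRADE.txt", "README.txt"]},
}


def audit_webroot(root):
    """Return {cms: [leftover files present]} for every CMS whose
    configuration file exists under root (assumed to be the web root)."""
    findings = {}
    for cms, sig in SIGNATURES.items():
        config = os.path.join(root, *sig["config"].split("/"))
        if not os.path.isfile(config):
            continue  # this CMS is not installed here
        findings[cms] = [name for name in sig["leftovers"]
                         if os.path.isfile(os.path.join(root, name))]
    return findings


def demo():
    """Build a constructed Drupal-like tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sites", "default"))
        for rel in ("sites/default/settings.php", "CHANGELOG.txt",
                    "README.txt", "index.php"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("constructed sample\n")
        return audit_webroot(root)


if __name__ == "__main__":
    for cms, leftovers in demo().items():
        print(f"{cms}: remove or block {', '.join(leftovers) or 'nothing'}")
```

Files reported by the audit can be deleted or denied at the web server so they no longer act as a signature.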

  2. #2
    Great post, thanks for the info.
    When the way comes to an end, then change - having changed, you pass through

  3. #3
    Hey.. Thanks. That was useful

  5. #5
    thanks, this is useful for me...

  6. #6

    follow this link here

    here you can find what you are searching for, just pick your system version
