Wednesday, March 31, 2010

CMS Explorer (or: what's that CMS running?)

As a developer, as well as a penetration tester, it's often helpful to know what components a site uses to turn it from a vanilla content management system (CMS) into a more useful site. Besides MediaWiki, I'm not aware of any CMS which publicly lists its installed components--so the only way to figure it out is manually, or through small clues on the site.

CMS Explorer is an attempt to automate this component discovery. By brute-force requesting directory names for plugins and themes (relying, at least for now, on the server returning "normal" HTTP responses--a different status for directories that exist and ones that don't), we can determine which directories exist, and thus which components are installed. The end result is a list of installed items:


What makes CMS Explorer powerful for penetration testing is what happens next. If you use the -explore option with Drupal or Wordpress, the program pulls a list of files that may exist directly from the respective CMS code repositories, and then requests those files from your target.
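Seen from the server side, both the directory brute-forcing and "explore" mode leave a distinctive footprint: one client walks through many distinct plugin or theme directory names in a short window, collecting a mix of 404s and 200s. The following script, added here as an illustration and not part of CMS Explorer itself, shows how a site operator could pick that pattern out of a combined-format access log. The log lines, IP addresses, component names and the 60-second/5-component threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of combined-format access log lines (not real traffic).
# 203.0.113.5 cycles through plugin/theme directory names the way a
# component-discovery scan would; 198.51.100.7 is ordinary browsing that
# happens to touch one theme directory via a stylesheet.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Mar/2010:10:00:01 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2010:10:00:02 +0000] "GET /wp-content/plugins/hello-dolly/ HTTP/1.1" 404 231 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2010:10:00:03 +0000] "GET /wp-content/plugins/wp-super-cache/ HTTP/1.1" 404 231 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2010:10:00:04 +0000] "GET /wp-content/plugins/contact-form-7/ HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2010:10:00:05 +0000] "GET /wp-content/plugins/all-in-one-seo-pack/ HTTP/1.1" 404 231 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2010:10:00:06 +0000] "GET /wp-content/themes/twentyten/ HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2010:10:00:07 +0000] "GET /wp-content/themes/classic/ HTTP/1.1" 404 231 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2010:10:00:03 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2010:10:00:04 +0000] "GET /wp-content/themes/twentyten/style.css HTTP/1.1" 200 3210 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2010:10:00:09 +0000] "GET /about/ HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
"""

# Apache/Nginx "combined" format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Directory prefixes under which Wordpress, Drupal and Joomla!/Mambo keep
# plugins/modules/themes; the first path segment after the prefix is the
# component name. Extend this list for whatever CMS the site actually runs.
COMPONENT_RE = re.compile(
    r'^/(?:wp-content/(?:plugins|themes)'
    r'|sites/all/(?:modules|themes)|modules|themes'
    r'|administrator/components|components|templates)/([^/?]+)'
)


def parse_line(line):
    """Return {'ip', 'ts', 'path', 'status'} for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def component_of(path):
    """Name of the CMS component a request path falls under, or None."""
    m = COMPONENT_RE.match(path)
    return m.group(1) if m else None


def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag clients that touch >= threshold distinct components within `window`.

    Both 404s and 200s count: a discovery scan produces a mix, so alerting
    only on 404s would miss the hits the scanner cares about most.
    Returns {ip: {'components_probed', 'not_found', 'found'}}.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        comp = component_of(rec["path"])
        if comp is None:
            continue
        per_ip[rec["ip"]].append((rec["ts"], comp, rec["status"]))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {c for _, c, _ in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = {
                    "components_probed": sorted({c for _, c, _ in events}),
                    "not_found": sum(1 for _, _, s in events if s == 404),
                    "found": sum(1 for _, _, s in events if s == 200),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(info['components_probed'])} components "
              f"({info['found']} found, {info['not_found']} missing): "
              f"{', '.join(info['components_probed'])}")
```

On the constructed sample only the scanning client is flagged; the browsing client touches a single theme directory and stays under the threshold. In practice the threshold and window need tuning against a site's normal traffic, and the list of found components in the alert doubles as a quick inventory of what the scanner has learned about the site.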

And just to make it a little more useful (especially in "explore" mode), you can also specify a "bootstrap" proxy. If one is defined, every found file is requested a second time through that proxy--so you can prime up your favorite proxy (such as Burp or Paros) for doing actual security testing of those files. This bootstrap proxy is separate from your main scanning proxy, if you have one of those set up: it receives only the found items, not the whole brute-force run.

And lastly, if you supply an OSVDB.org API key, it can search and report back a list of potential issues in the installed component.

CMS Explorer is currently set up to test Drupal, Wordpress and Joomla!/Mambo, with exploration support for Drupal and Wordpress. It is written in Perl and licensed under the GNU GPLv3.