If you run a site on a CMS (Content Management System) such as Joomla, Drupal or WordPress, you need to be more alert than ever, because tooling for mapping out CMS-based websites is readily available. Here it is: 'cms-explorer'. The way it works is actually simple. The program takes a list of URL paths from a wordlist file and requests each of them on the target. If a path exists on the target, a particular feature (a theme or plugin) is installed there. The tool then queries OSVDB.org (the Open Source Vulnerability Database) for entries related to that CMS feature. Note that this is reconnaissance, not exploitation: the tool only tells you which extension directories are reachable on the web server, and a directory being present means the files are on disk, not necessarily that the extension is enabled or that the installed version is vulnerable. We will walk through an example in a moment..
Running cms-explorer requires Perl, since the program is written in Perl, naturally. The layout of the application is as follows:
- cms-explorer.pl – the main program that the user executes
- drupal_plugins.txt – the list of Drupal plugins and the URL path where each one lives (for example the line: modules/actions/)
- drupal_themes.txt – the list of Drupal themes and the URL path where each one lives (for example the line: themes/bluemarine)
- joomla_plugins.txt – same as above, but for the Joomla CMS
- joomla_themes.txt – same as above, but for the Joomla CMS
- wp_plugins.txt – same as above, but for the WordPress CMS
- wp_themes.txt – same as above, but for the WordPress CMS
- and a few other files such as LICENSE.txt and README.txt
Usage, as outlined above, is simply a matter of running the executable cms-explorer.pl:
root@eniac:/opt/cms-explorer-1.0# ./cms-explorer.pl -url http://192.168.0.12 -type Joomla -osvdb
(What the command above means: run cms-explorer against the URL http://192.168.0.12, with the CMS type set to Joomla, and use OSVDB matching to find out the details of the vulnerabilities. Note that -osvdb is a plain switch; it takes no value.)
So that run uses OSVDB matching. As I said earlier, every object this tool finds is matched, that is queried, against osvdb.org using an OSVDB API key. Oh yes, to get an API key you first have to register as an OSVDB member. The key is not passed on the command line: cms-explorer reads it from a file named osvdb.key in the same directory as cms-explorer.pl. (OSVDB itself was shut down in 2016, so these lookups no longer work against the live service; the path-probing part of the tool is unaffected.)
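To make the wordlist-probing step concrete, here is an added example of the same idea in Python. It is not cms-explorer's own code (the tool is written in Perl) and it does not do the OSVDB lookup. The wordlist text and the table of responses standing in for the lab host 192.168.0.12 are constructed for the example, and the "canary" check for catch-all servers is an addition that cms-explorer does not necessarily perform. The real fetcher (http_status) refuses to follow redirects on purpose, so a site that redirects every unknown path cannot masquerade as a wall of "installed" hits.

```python
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Constructed wordlist in the shape of joomla_plugins.txt: one path per line.
# The duplicated com_wrapper entry mirrors the repeated com_wrapper lines in
# the post's output, which come from repeated wordlist entries.
SAMPLE_WORDLIST = """\
# constructed sample, not the real joomla_plugins.txt
components/com_banners/
components/com_content/
components/com_wrapper/
components/com_wrapper
components/com_jce/
modules/mod_login/
modules/mod_nonexistent/
"""

BASE_URL = "http://192.168.0.12/"

# Constructed stand-in for the lab host: path -> HTTP status it would return.
FAKE_TARGET = {
    "components/com_banners/": 200,
    "components/com_content/": 200,
    "components/com_wrapper/": 200,
    "components/com_jce/": 403,      # directory exists, listing forbidden
    "modules/mod_login/": 200,
}

Fetch = Callable[[str], int]


def fake_fetch(url: str) -> int:
    """Offline fetcher for the example; anything not in FAKE_TARGET is a 404."""
    path = url[len(BASE_URL):] if url.startswith(BASE_URL) else url
    return FAKE_TARGET.get(path, 404)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise the 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real fetcher: status of a GET, with 3xx/4xx/5xx returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "cms-probe-example/0.1"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def parse_wordlist(text: str) -> List[str]:
    """Drop comments and blanks, force exactly one trailing slash, dedupe in order."""
    seen, paths = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path = line.strip("/") + "/"
        if path not in seen:
            seen.add(path)
            paths.append(path)
    return paths


def classify(status: int) -> str:
    if status == 200:
        return "installed"
    if status in (401, 403):
        return "present (access denied)"
    if status in (301, 302, 307, 308):
        return "redirect (verify manually)"
    return "absent"


def is_catch_all(base_url: str, fetch: Fetch) -> bool:
    """A 200 for a path that cannot exist means every probe would 'hit'."""
    return fetch(base_url.rstrip("/") + "/cms-probe-canary-0b1e9f/") == 200


def probe(base_url: str, wordlist: str, fetch: Fetch) -> List[Tuple[str, int, str]]:
    """Return (path, status, verdict) for every wordlist path that is not absent."""
    if is_catch_all(base_url, fetch):
        raise RuntimeError("target returns 200 for non-existent paths; results would be meaningless")
    base = base_url.rstrip("/") + "/"
    hits = []
    for path in parse_wordlist(wordlist):
        status = fetch(base + path)
        verdict = classify(status)
        if verdict != "absent":
            hits.append((path, status, verdict))
    return hits


def summary_lines(base_url: str, hits: List[Tuple[str, int, str]]) -> List[str]:
    """cms-explorer style summary; Joomla components also get their index.php?option= URL."""
    base = base_url.rstrip("/") + "/"
    out = []
    for path, status, verdict in hits:
        out.append(f"{verdict}: {path} [{status}]")
        out.append(f"URL {base}{path}")
        if path.startswith("components/com_"):
            out.append(f"URL {base}index.php?option={path.split('/')[1]}")
    return out


if __name__ == "__main__":
    for line in summary_lines(BASE_URL, probe(BASE_URL, SAMPLE_WORDLIST, fake_fetch)):
        print(line)
```

To run it against a real host, pass http_status as the fetch argument instead of fake_fetch and only probe systems you are authorised to test. The 403 case is worth keeping separate from 200: on a hardened Joomla install the component directory is usually still there, just not listable, and that still tells you the component is installed.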
The results look like this:
Testing themes from joomla_themes.txt…
Theme Installed: templates/atomic/
Theme Installed: templates/ja_purity/
Theme Installed: templates/rhuk_milkyway/
Theme Installed: templates/system/
Testing plugins…
Plugin Installed: components/com_banners/
Plugin Installed: components/com_contact/
Plugin Installed: components/com_content/
Plugin Installed: components/com_mailto/
Plugin Installed: components/com_media/
Plugin Installed: components/com_newsfeeds/
Plugin Installed: components/com_search/
Plugin Installed: components/com_users/
Plugin Installed: components/com_weblinks/
Plugin Installed: components/com_wrapper/
Plugin Installed: components/com_wrapper/
Plugin Installed: components/com_wrapper/
Plugin Installed: modules/mod_articles_archive/
Plugin Installed: modules/mod_articles_category/
Plugin Installed: modules/mod_articles_latest/
Plugin Installed: modules/mod_articles_news/
Plugin Installed: modules/mod_articles_popular/
Plugin Installed: modules/mod_banners/
Plugin Installed: modules/mod_breadcrumbs/
Plugin Installed: modules/mod_custom/
Plugin Installed: modules/mod_feed/
Plugin Installed: modules/mod_footer/
Plugin Installed: modules/mod_login/
Plugin Installed: modules/mod_menu/
Plugin Installed: modules/mod_random_image/
Plugin Installed: modules/mod_related_items/
Plugin Installed: modules/mod_search/
Plugin Installed: modules/mod_stats/
Plugin Installed: modules/mod_syndicate/
Plugin Installed: modules/mod_users_latest/
Plugin Installed: modules/mod_weblinks/
Plugin Installed: modules/mod_whosonline/
Plugin Installed: modules/mod_wrapper/
*******************************************************
Summary:
Theme Installed: templates/atomic/
URL http://192.168.0.12/templates/atomic/
Theme Installed: templates/ja_purity/
URL http://192.168.0.12/templates/ja_purity/
http://osvdb.org/54870 Joomla! JA_Purity Module ja_templatetools.php Multiple Parameter XSS
Theme Installed: templates/rhuk_milkyway/
URL http://192.168.0.12/templates/rhuk_milkyway/
Theme Installed: templates/system/
URL http://192.168.0.12/templates/system/
http://osvdb.org/22116 TinyMCE Compressor tiny_mce_gzip.php Traversal Arbitrary File Access
http://osvdb.org/22117 TinyMCE Compressor Editor Imported Content XSS
http://osvdb.org/23816 Joomla! Poll System mosmsg Variable Malformed HTML Tag DoS
http://osvdb.org/50906 Volunteer Management System Component for Joomla index.php job_id Parameter SQL Injection
http://osvdb.org/50947 Hotel Booking System Component for Joomla index.php Multiple Parameter SQL Injection
http://osvdb.org/51498 WebAmoeba Ticket System Component for Joomla! index.php catid Parameter SQL Injection
http://osvdb.org/51548 Hotel Booking Reservation System (HBS) for Joomla! Multiple Module index.php id Parameter SQL Injection
http://osvdb.org/54659 GridSupport (GS) Ticket System Component for Joomla! index.php catid Parameter SQL Injection
http://osvdb.org/56588 IXXO Cart! index.php parent Parameter SQL Injection
http://osvdb.org/56589 IXXO Cart! Component for Joomla! index.php parent Parameter SQL Injection
http://osvdb.org/58352 Hotel Booking Reservation System (HBS) for Joomla! index.php adult Parameter XSS
http://osvdb.org/58376 Hotel Booking Reservation System Component for Joomla! longDesc.php Multiple Parameter SQL Injection
http://osvdb.org/58377 Hotel Booking Reservation System Component for Joomla! detail*.php Multiple Parameter SQL Injection
http://osvdb.org/62406 Core Design Scriptegrator Plugin for Joomla! plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php files[] Parameter Remote File Inclusion
http://osvdb.org/62484 Core Design Scriptegrator Plugin for Joomla! plugins/system/cdscriptegrator/libraries/jquery/js/ui/jsloader.php file Parameter Traversal Local File Inclusion
http://osvdb.org/62485 Core Design Scriptegrator Plugin for Joomla! plugins/system/cdscriptegrator/libraries/jquery/js/jsloader.php files[] Parameter Remote File Inclusion
http://osvdb.org/70401 Captcha Plugin for Joomla! plugins/system/captcha/playcode.php lng Parameter Traversal Arbitrary File Access
Plugin Installed: components/com_banners/
URL http://192.168.0.12/components/com_banners/
URL http://192.168.0.12/index.php?option=com_banners
Plugin Installed: components/com_contact/
URL http://192.168.0.12/components/com_contact/
URL http://192.168.0.12/index.php?option=com_contact
Plugin Installed: components/com_content/
URL http://192.168.0.12/components/com_content/
URL http://192.168.0.12/index.php?option=com_content
http://osvdb.org/22286 Joomla! Direct Request vCard Information Disclosure
http://osvdb.org/28241 Community Builder for Joomla plugin.class.php mosConfig_absolute_path Parameter Remote File Inclusion
http://osvdb.org/28347 Joomla! emailform com_content Task Unspecified Authentication Bypass
http://osvdb.org/30688 Joomla! com_content $mosConfig_hideEmail Multiple Task Unspecified Issue
http://osvdb.org/32514 Mambo / Joomla /components/com_content/content.php id Parameter SQL Injection
http://osvdb.org/32516 Mambo / Joomla /administrator/components/com_content/admin.content.php limit Parameter SQL Injection
http://osvdb.org/34032 Joomla Content Editor jce.php mosConfig_live_site Parameter XSS
http://osvdb.org/36624 Joomla! rss.php feed Variable Remote DoS
http://osvdb.org/37174 SimpleFAQ Component for Joomla! index.php aid Parameter SQL Injection
http://osvdb.org/37976 NOD32 Antivirus CAB File Handling Arbitrary Code Execution
http://osvdb.org/37977 NOD32 Antivirus Crafted ASPACK Packed File Handling Overflow
http://osvdb.org/37978 NOD32 Antivirus Crafted ASPACK / FSG File handling DoS
http://osvdb.org/38756 Joomla! com_content Component (components/com_content/content.php) order Parameter XSS
http://osvdb.org/39070 Content Component for Joomla! (com_content) archive.php filter Variable archive Action SQL Injection
http://osvdb.org/39071 Content Component for Joomla! (com_content) category.php filter Variable archive Action SQL Injection
http://osvdb.org/39072 Content Component for Joomla! (com_content) section.php filter Variable archive Action SQL Injection
http://osvdb.org/39787 PU Arcade Component for Joomla index.php fid Parameter SQL Injection
http://osvdb.org/41214 AkoGallery Component for Mambo / Joomla! index.php id Parameter SQL Injection
http://osvdb.org/43661 com_content Component for Joomla! index.php view Parameter SQL Injection
http://osvdb.org/49801 com_content Component for Joomla! Article Submission XSS
http://osvdb.org/50942 ESET Smart Security epfw.sys Crafted IRP METHOD_NEITHER IOCTL Handler Local Privilege Escalation
http://osvdb.org/52000 Low Cost Hotels for Joomla! index.php id Parameter SQL Injection
http://osvdb.org/53584 com_content Component for Joomla! Category View XSS
http://osvdb.org/56918 com_content Component for Joomla! index.php Itemid Parameter SQL Injection
http://osvdb.org/58376 Hotel Booking Reservation System Component for Joomla! longDesc.php Multiple Parameter SQL Injection
http://osvdb.org/58377 Hotel Booking Reservation System Component for Joomla! detail*.php Multiple Parameter SQL Injection
http://osvdb.org/59464 Jumi Component for Joomla! Unspecified Issue
http://osvdb.org/59801 Front-End Editor Component in Joomla! Cross-user Front Page Article Manipulation
http://osvdb.org/61455 IMAGIN scripts_ralcr/filesystem/writeToFile.php Multiple Parameter Arbitrary File Creation
http://osvdb.org/61940 JBDiary Component for Joomla! index.php Multiple Parameter SQL Injection
http://osvdb.org/63942 AWDwall Components for Joomla! index.php cbuser Parameter SQL Injection
http://osvdb.org/63943 AWDwall Components for Joomla! index.php controller Parameter Directory Traversal Local File Inclusion
http://osvdb.org/69358 Maian Media Silver for Joomla! index.php cat Parameter SQL Injection
http://osvdb.org/69971 JRadio Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access
http://osvdb.org/69973 JRadio Component for Joomla! Unspecified SQL Injection
Plugin Installed: components/com_mailto/
URL http://192.168.0.12/components/com_mailto/
URL http://192.168.0.12/index.php?option=com_mailto
http://osvdb.org/48227 com_mailto Component for Joomla! Unspecified URL Handling Issue
http://osvdb.org/54198 MailTo Component for Joomla! index.php article Parameter SQL Injection
http://osvdb.org/56714 Joomla! com_mailto Automated Mail Timeout Bypass
Plugin Installed: components/com_media/
URL http://192.168.0.12/components/com_media/
URL http://192.168.0.12/index.php?option=com_media
http://osvdb.org/21044 Joomla! Media Component (com_media) File Management Function Unspecified Injection
http://osvdb.org/53585 com_media Component for Joomla! Authentication Hijack CSRF
http://osvdb.org/56648 MediaLibrary Component for Joomla! toolbar_ext.php mosConfig_absolute_path Parameter Remote File Inclusion
Plugin Installed: components/com_newsfeeds/
URL http://192.168.0.12/components/com_newsfeeds/
URL http://192.168.0.12/index.php?option=com_newsfeeds
http://osvdb.org/64443 Newsfeeds Component for Joomla! index.php feedid SQL Injection
Plugin Installed: components/com_search/
URL http://192.168.0.12/components/com_search/
URL http://192.168.0.12/index.php?option=com_search
http://osvdb.org/38757 Joomla! com_search Component Unspecified XSS
http://osvdb.org/41260 Joomla! CMS com_search Component default_results.php searchword Variable Remote Command Execution
http://osvdb.org/43662 com_search Component for Joomla! index.php Multiple Parameter SQL Injection
http://osvdb.org/53583 com_search Component for Joomla! Unspecified XSS
http://osvdb.org/70369 com_search Module for Joomla! index.php ordering Parameter XSS
Plugin Installed: components/com_users/
URL http://192.168.0.12/components/com_users/
URL http://192.168.0.12/index.php?option=com_users
http://osvdb.org/32517 Mambo / Joomla /administrator/components/com_users/admin.users.php gid Parameter SQL Injection
http://osvdb.org/47476 Joomla! components/com_user/models/reset.php Reset Token Validation Forgery
http://osvdb.org/54869 Joomla! com_users Core Component Unspecified XSS
Plugin Installed: components/com_weblinks/
URL http://192.168.0.12/components/com_weblinks/
URL http://192.168.0.12/index.php?option=com_weblinks
http://osvdb.org/49802 com_weblinks Component for Joomla! Weblink Submission Multiple Parameter XSS
http://osvdb.org/64835 Weblinks Component for Joomla! index.php id Parameter SQL Injection
Plugin Installed: components/com_wrapper/
URL http://192.168.0.12/components/com_wrapper/
URL http://192.168.0.12/index.php?option=com_wrapper
Plugin Installed: components/com_wrapper/
URL http://192.168.0.12/components/com_wrapper/
URL http://192.168.0.12/index.php?option=com_wrapper/
Plugin Installed: components/com_wrapper/
URL http://192.168.0.12/components/com_wrapper/
URL http://192.168.0.12/index.php?option=com_wrapper/
Plugin Installed: modules/mod_articles_archive/
URL http://192.168.0.12/modules/mod_articles_archive/
Plugin Installed: modules/mod_articles_category/
URL http://192.168.0.12/modules/mod_articles_category/
Plugin Installed: modules/mod_articles_latest/
URL http://192.168.0.12/modules/mod_articles_latest/
Plugin Installed: modules/mod_articles_news/
URL http://192.168.0.12/modules/mod_articles_news/
Plugin Installed: modules/mod_articles_popular/
URL http://192.168.0.12/modules/mod_articles_popular/
Plugin Installed: modules/mod_banners/
URL http://192.168.0.12/modules/mod_banners/
Plugin Installed: modules/mod_breadcrumbs/
URL http://192.168.0.12/modules/mod_breadcrumbs/
Plugin Installed: modules/mod_custom/
URL http://192.168.0.12/modules/mod_custom/
Plugin Installed: modules/mod_feed/
URL http://192.168.0.12/modules/mod_feed/
Plugin Installed: modules/mod_footer/
URL http://192.168.0.12/modules/mod_footer/
Plugin Installed: modules/mod_login/
URL http://192.168.0.12/modules/mod_login/
Plugin Installed: modules/mod_menu/
URL http://192.168.0.12/modules/mod_menu/
Plugin Installed: modules/mod_random_image/
URL http://192.168.0.12/modules/mod_random_image/
Plugin Installed: modules/mod_related_items/
URL http://192.168.0.12/modules/mod_related_items/
Plugin Installed: modules/mod_search/
URL http://192.168.0.12/modules/mod_search/
Plugin Installed: modules/mod_stats/
URL http://192.168.0.12/modules/mod_stats/
Plugin Installed: modules/mod_syndicate/
URL http://192.168.0.12/modules/mod_syndicate/
Plugin Installed: modules/mod_users_latest/
URL http://192.168.0.12/modules/mod_users_latest/
Plugin Installed: modules/mod_weblinks/
URL http://192.168.0.12/modules/mod_weblinks/
Plugin Installed: modules/mod_whosonline/
URL http://192.168.0.12/modules/mod_whosonline/
Plugin Installed: modules/mod_wrapper/
URL http://192.168.0.12/modules/mod_wrapper/
The next step is to browse osvdb.org for each finding: the vulnerability description, how the hole is exploited, and so on. Read the list above critically before doing that, though. The OSVDB matching is a keyword match on the component name, not a version match, so it is noisy: the com_content block contains NOD32 Antivirus and ESET Smart Security entries that have nothing to do with Joomla, and templates/system/ pulled in a dozen third-party hotel-booking and ticket-system components that this site does not have. Even a genuine core entry such as the com_content or com_search SQL injections only applies if the installed Joomla version falls in the affected range, which the tool does not check. The three com_wrapper entries are also one component listed three times, because the wordlist contains repeated entries for it. That's all, and stay alert! Hehe.
Bro, this is how you use it, right??
./cms-explorer.pl -url http://wordpresstujuan.com -type WordPress -osvdb xxx
xxx = API key ..
Why does it keep failing for me??
The message that appears is:
*****************************************************************
WARNING: No osvdb.org API key defined, searches will be disabled.
*****************************************************************
Please enlighten me.. 🙂
Oh, no.. the API key is stored in the file osvdb.key, which sits in the same directory as cms-explorer.pl 🙂
Let me try it on my own website then