PRIMARY CATEGORY → CHECKLISTS
WordPress ( CMS )
Enumeration →
- Gather WP Version → Look for known CVEs and security flaws
  e.g. Searchsploit ( i.e. ExploitDB ), Google…
- List the Installed Plugins
- Disclose the Installed Plugins’ Version → Look for known CVEs and security flaws
- List the Installed Themes → Look for known CVEs and security flaws
- Enumerate the existing Users → Bruteforce
- Supplement the manual enumeration above with an automated scan using WPScan
- Test Dummy Credentials on wp-admin | wp-login.php
  e.g. admin:admin, wordpress:wordpress…
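The defender-side counterpart to the user enumeration, bruteforce and dummy-credential items above, added here as an example and not part of the original checklist: it scans web-server access-log lines for repeated failed POSTs to wp-login.php or xmlrpc.php from one client within a short window. The log lines are constructed, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache/Nginx "combined" format), not real traffic:
# 203.0.113.7 hammers the login form, 198.51.100.3 fails once and then logs in (302),
# 203.0.113.9 posts to xmlrpc.php twice, minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Mar/2024:12:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Mar/2024:12:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Mar/2024:12:01:40 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.9 - - [10/Mar/2024:12:07:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
"""

# Captures only the fields the detector needs from a "combined" log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def is_failed_login(method, path, status):
    """Heuristic: WordPress re-renders the form with HTTP 200 on a bad password and
    answers a successful POST with a 302 redirect; xmlrpc.php always answers 200,
    so every POST to it is counted as an attempt."""
    return method == "POST" and path in LOGIN_PATHS and status == 200


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak attempts within one window} for clients at or above threshold."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if is_failed_login(method, path, status):
            attempts[ip].append(ts)

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        peak, start = 0, 0
        # Sliding window: advance `start` until the span fits, then measure its size.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed login attempts within 60s")
```

The 200-versus-302 heuristic only holds for the stock login form; a site that rate-limits or uses a login plugin may answer differently, so confirm the status codes your own installation returns before relying on them. A sustained run of POSTs to xmlrpc.php is worth a look regardless, since the default checklist credentials above are exactly what such runs try first.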
WordPress Control Panel Access →
- WP Control Panel Access as an Administrator User → RCE either by editing a disabled theme PHP script or by uploading a malicious plugin ( e.g. an existing one with a PHP script we added )
Sensitive Information Gathering →
- WordPress Compromised ( e.g. RCE, LFI, SQLi, XXE… ) → Gather Plain DB Credentials from wp-config.php and look for sensitive information within the WP database ( e.g. wp_users hashes )
- Credential Reuse or Password Spraying using the credentials obtained
Joomla ( CMS )
Enumeration →
- Gather Joomla Version → Look for known CVEs and security flaws
  e.g. Searchsploit ( i.e. ExploitDB ), Google…
- Supplement the manual enumeration above with an automated scan using Droopescan or JoomlaScan
- Test Dummy Credentials on the Control Panel Login Form
  e.g. admin:admin, joomla:joomla…
Joomla Control Panel Access →
- As SuperUser → RCE
Sensitive Information Gathering →
- Joomla Compromised ( e.g. RCE, LFI, SQLi, XXE… ) → Gather Plain DB Credentials from configuration.php and look for sensitive information within the Joomla database ( Users table’s hashes )
- Credential Reuse or Password Spraying using the credentials obtained
Drupal ( CMS )
Enumeration →
- Gather Drupal Version → Look for known CVEs and security flaws
  e.g. Searchsploit ( i.e. ExploitDB ), Google…
  Drupalgeddon • Drupalgeddon 2 • Drupalgeddon 3
- Supplement the manual enumeration above with an automated scan using Droopescan
- Test Dummy Credentials on the Control Panel Login Form
  e.g. admin:admin, drupal:drupal…
Drupal Control Panel Access →
- RCE prior to Drupal 8 → PHP Filter Module
- RCE from Drupal 8 → PHP Filter Module
- RCE from Drupal 8 → Malicious Module Upload
Sensitive Information Gathering →
- Drupal Compromised ( e.g. RCE, LFI, SQLi, XXE… ) → Gather Plain DB Credentials from /sites/default/settings.php and look for sensitive information within the Drupal database ( Users table’s hashes )
- Credential Reuse or Password Spraying using the credentials obtained
Tomcat ( Application Server )
Enumeration →
- Take a look at Tomcat’s Sensitive Files
- Gather Tomcat Version via 404 Error Pages or Docs Directory → Look for known CVEs and security flaws
  e.g. Searchsploit ( i.e. ExploitDB ), Google…
  Ghostcat ( then list WEB-INF resources )
  Tomcat CGI ( even if /cgi/ or /cgi-bin/ returns 404 )
- Sensitive Endpoints Access with Default Credentials
  e.g. tomcat:tomcat, admin:admin…
- If not, Tomcat Login Bruteforce
Tomcat Manager Access →
Sensitive Information Gathering →
- Tomcat Compromised ( e.g. RCE, LFI, SQLi, XXE… ) → Gather Plain Credentials from Tomcat Sensitive Files
- Credential Reuse or Password Spraying using the credentials obtained
Jenkins ( Software Development Tool )
- No Authentication required to access the Jenkins Control Panel
  i.e. Anonymous Access
- Jenkins Control Panel Access → RCE via Script Console using Groovy Scripts
Splunk ( SIEM )
- Old Splunk Installation → Default Logon Credentials displayed in the login panel
- Recent Splunk Installation → Default Credentials admin:<PASSWORD>
- Check for Splunk Trial Version
- Splunk Control Panel Access → RCE through Splunk Scripted Inputs
PRTG ( Monitoring Software )
- Gather PRTG Version
- PRTG Control Panel Access → PRTG prior to 18.2.39 → Authenticated Command Injection
Gitlab ( Software Config. Management )
Unauthenticated →
- Sensitive Information or Web App Source Code Disclosure on Public Repositories ( e.g. Plain Credentials, Web app code review… )
  <URL>/explore, groups, snippets, help pages and so on
- Gitlab Instance without Validation after User Registration → Sign up, then log in to Gitlab
- Gitlab CE prior to 13.10.2 → Unauthenticated RCE
Authenticated →
- Sensitive Information or Web App Source Code Disclosure on Internal or Private Repositories ( e.g. Plain Credentials, Web app code review… )
  Browse groups, snippets, help pages and so on
- Gather Gitlab Version → Look for known CVEs and security flaws
  e.g. Searchsploit ( i.e. ExploitDB ), Google…
- Gitlab CE prior to 13.10.2 → Authenticated RCE
OSTicket ( Customer Service Management )
- Gather OSTicket Version → Look for known CVEs and security flaws
  e.g. Searchsploit ( i.e. ExploitDB ), Google…
- Try valid credentials in the Agent Login Panel
CGI ( Common Gateway Interface )
Shellshock ( Bash 4.3 and lower ) →
- Directory Fuzzing on the given Web Application → Existence of a /cgi-bin directory
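From the defender's side of the Shellshock item above, added here as an example and not part of the original checklist: a CGI server copies request headers into HTTP_* environment variables, and an old Bash imports any variable whose value starts with "() {" as a function definition, so that prefix in a header value is the signature to block or alert on. The header sets and the /cgi-bin path are constructed; the WSGI middleware is an assumed deployment shape, the same check works in any reverse proxy or WAF rule.

```python
import re

# "() {" is how Bash 4.3 and lower recognises an exported function in the
# environment; no legitimate browser header starts with it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def shellshock_indicators(headers):
    """Return the (name, value) pairs of every header whose value carries the prefix."""
    return [(name, value) for name, value in headers.items()
            if SHELLSHOCK_RE.search(value)]


def guard_status(environ):
    """Decide whether a CGI/WSGI environment must be rejected before any script runs.
    Every string variable is scanned, because each request header becomes one.
    Returns "400 Bad Request" on a hit, None otherwise."""
    for value in environ.values():
        if isinstance(value, str) and SHELLSHOCK_RE.search(value):
            return "400 Bad Request"
    return None


class ShellshockGuard:
    """WSGI middleware (assumed deployment) placed in front of /cgi-bin handlers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        status = guard_status(environ)
        if status:
            start_response(status, [("Content-Type", "text/plain")])
            return [b"request rejected\n"]
        return self.app(environ, start_response)


def to_environ(headers, path="/cgi-bin/status.sh"):
    """Mimic how a CGI server maps request headers to HTTP_* variables."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# Constructed sample requests, not captured traffic.
BENIGN_HEADERS = {"User-Agent": "Mozilla/5.0", "Accept": "*/*"}
TAINTED_HEADERS = {"User-Agent": "() { :; }; echo probe", "Accept": "*/*"}


if __name__ == "__main__":
    for label, headers in (("benign", BENIGN_HEADERS), ("tainted", TAINTED_HEADERS)):
        print(label, shellshock_indicators(headers), guard_status(to_environ(headers)))
```

Blocking the request is a stop-gap: the actual fix for the checklist item is a patched Bash, after which the prefix is harmless and the rule only serves as an alert that someone is still probing /cgi-bin.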
Coldfusion
- Authentication required to gather Coldfusion Version
  e.g. Searchsploit ( i.e. ExploitDB ), Google…