There are plenty of tools available that you can use to find vulnerability flaws on a website. One tool I use is CMSmap (https://github.com/Dionach/CMSmap) that is written in Python.
Installing CMSmap is an easy job. On my clean Debian 8.5 machine it was done in a second. There is one tool that you will need, and that is
apt install git
git you can create a local clone of the repo.
# git clone https://github.com/Dionach/CMSmap.git Cloning into 'CMSmap'... remote: Counting objects: 34, done. remote: Total 34 (delta 0), reused 0 (delta 0), pack-reused 34 Unpacking objects: 100% (34/34), done. Checking connectivity... done.
Be sure you update CMSmap before you use it.
# python cmsmap.py --update A [-] Date & Time: 29/08/2016 23:52:36 [-] Updating CMSmap to the latest version from GitHub repository... Already up-to-date. [-] CMSmap is now updated to the latest version! [-] Downloading wordpress plugins from svn website [-] 62039 plugins found [-] Wordpress Plugin File: /opt/tools/CMSmap/data/wp_plugins.txt [-] Downloading WordPress plugins from ExploitDB website [-] File: /opt/tools/CMSmap/data/wp_plugins_small.txt [-] Downloading WordPress themes from ExploitDB website [-] File: /opt/tools/CMSmap/data/wp_themes_small.txt [-] Downloading Joomla components from ExploitDB website [-] File: /opt/tools/CMSmap/data/joo_plugins_small.txt [-] Downloading drupal modules from drupal.org [-] Drupal Plugin File: /opt/tools/CMSmap/data/dru_plugins_small.txt
CMSmap takes it time to run and find some useful information. Sometimes it runs for 5 minutes or longer. You can speed this up (or low it down!) when needed and specify the maximum of threads (
--theads) the program can use.
Run the scan with this command:
python cmsmap.py -t https://xpired.nl
See the results:
[-] Date & Time: 30/08/2016 00:02:21 [-] Target: https://xpired.nl [I] Server: Caddy [L] X-Frame-Options: Not Enforced [I] X-Content-Security-Policy: Not Enforced [L] Robots.txt Found: https://xpired.nl/robots.txt [I] CMS Detection: Wordpress [I] Wordpress Theme: twentysixteen [-] Enumerating Wordpress Usernames via "Feed" ... [-] Enumerating Wordpress Usernames via "Author" ... [M] Sebastian Broekhoven [I] Forgotten Password Allows Username Enumeration: https://xpired.nl/wp-login.php?action=lostpassword [M] Website vulnerable to XML-RPC Brute Force Vulnerability [I] Autocomplete Off Not Found: https://xpired.nl/wp-login.php [-] Default WordPress Files: [I] https://xpired.nl/license.txt [I] https://xpired.nl/wp-includes/images/crystal/license.txt [I] https://xpired.nl/wp-includes/images/crystal/license.txt [I] https://xpired.nl/wp-includes/js/plupload/license.txt [I] https://xpired.nl/wp-includes/js/tinymce/license.txt [I] https://xpired.nl/wp-includes/js/swfupload/license.txt [I] https://xpired.nl/wp-includes/ID3/license.txt [I] https://xpired.nl/wp-includes/ID3/readme.txt [I] https://xpired.nl/wp-includes/ID3/license.commercial.txt [-] Searching Wordpress Plugins ... [-] Searching Wordpress TimThumbs ... [I] Checking for Directory Listing Enabled ... [-] Date & Time: 30/08/2016 00:05:25 [-] Completed in: 0:03:03
When you are sure that the website is running Wordpress for example, and you want to do a full scan, the command to use is:
python cmsmap.py -f W -F -t https://xpired.nl
Tools like CMSmap are great for automatic testing. But when you are testing websites that are secured with plugins like Wordfence, there is big chance that you will not find where you are looking for. You cannot always trust on automated scans. If you do an automated scan on your website, and it thinks the state of your website is OK, think again and do some manual auditing. You always have to double-check your results.
Note: https://xpired.nl is my test website