Cómo encontrar vulnerabilidades en sitios web CMS

A los pentesters/investigadores de seguridad les toma mucho tiempo descubrir vulnerabilidades en sitios web, no obstante, actualmente hay muchas herramientas y técnicas para descubrir errores en cualquier URL, útiles para muchas fases de pentesting, afirman expertos en hacking ético.

El pentesting siempre comienza con la fase de recopilación de información, y acorde a los especialistas en hacking ético del Instituto Internacional de Seguridad Cibernética (IICS), esta fase se ha convertido en un proceso automatizado, que requiere de herramientas para buscar puertos y servicios abiertos. A continuación le mostraremos un robot de automatización empleado para encontrar vulnerabilidades en diferentes sistemas de gestión de contenido (CMS).

Con Vulnx es posible encontrar vulnerabilidades en múltiples CMS para la exploración de dominios, puertos, direcciones IP, país, región, entre otros datos. Acorde a especialistas, esta herramienta está diseñada para automatizar cualquier prueba de penetración.

Para las pruebas hemos usado Kali Linux 2018.2. Asegúrese de que python3 esté instalado.

  • Escriba sudo apt-get update
  • Escriba sudo apt-get install python3
  • Escriba git clone https://github.com/anouarbensaad/vulnx.git
root@kali:/home/iicybersecurity/Downloads# git clone https://github.com/anouarbensaad/vulnx.git
 Cloning into 'vulnx'…
 remote: Enumerating objects: 35, done.
 remote: Counting objects: 100% (35/35), done.
 remote: Compressing objects: 100% (28/28), done.
 remote: Total 1034 (delta 13), reused 17 (delta 7), pack-reused 999
 Receiving objects: 100% (1034/1034), 505.30 KiB | 410.00 KiB/s, done.
 Resolving deltas: 100% (609/609), done.
  • Escriba cd vulnx /
  • Escriba ls
root@kali:/home/iicybersecurity/Downloads# cd vulnx/
root@kali:/home/iicybersecurity/Downloads/vulnx# ls
 CHANGELOG.md  common  docker      LICENSE  README.md         shell      vulnx.py
 cli.py        config  install.sh  modules  requirements.txt  update.sh
  • Escriba ./install.sh
root@kali:/home/iicybersecurity/Downloads/vulnx# ./install.sh
===== VULNX INSTALL =====
 [+] Vulnx Will Be Installed In Your System
 [+] Installing python3...
Reading package lists... Done
Building dependency tree
Reading state information... Done
python3 is already the newest version (3.7.3-1).
0 upgraded, 0 newly installed, 0 to remove and 664 not upgraded.
Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from -r ./requirements.txt (line 1)) (2.21.0)
Collecting bs4 (from -r ./requirements.txt (line 2))
  Downloading https://files.pythonhosted.org/packages/10/ed/7e8b97591f6f456174139ec089c769f89a94a1a4025fe967691de971f314/bs4-0.0.1.tar.gz
Requirement already satisfied: beautifulsoup4 in /usr/lib/python2.7/dist-packages (from bs4->-r ./requirements.txt (line 2)) (4.8.0)
Building wheels for collected packages: bs4
  Running setup.py bdist_wheel for bs4 ... done
  Stored in directory: /root/.cache/pip/wheels/a0/b0/b2/4f80b9456b87abedbc0bf2d52235414c3467d8889be38dd472
Successfully built bs4
Installing collected packages: bs4
Successfully installed bs4-0.0.1
 [+] Checking directories...
 [+] Installing ...
 [+] Creating Symbolic Link ...
 [+] Tool Successfully Installed And Will Start In 5s!
 [+] You can execute tool by typing vulnx



                    .:.        .:,
                   xM;           XK.
                  dx'            .lO.
                 do                ,0.
             .c.lN'      ,  '.     .k0.:'
              xMMk;d;''cOM0kWXl,',locMMX.
              .NMK.   :WMMMMMMMx    dMMc
               lMMO  lWMMMMMMMMMO. lMMO
                cWMxxMMMMMMMMMMMMKlWMk
                 .xWMMMMMMMMMMMMMMM0,
                   .,OMd,,,;0MMMO,.
             .l0O.VXVXOX.VXVX0MOVXVX.0Kd,
            lWMMO0VXVX0OX.VXVXlVXVX.VXNMMO
           .MMX;.N0VXVX00X.VXVXVX0.0M:.OMMl
          .OXc  ,MMOVXVX0VX .VXVX00MMo  ,0X'
          0x.  :XMMMkVXVX.XO.VXVXdMMMWo.  :X'
         .d  'NMMMMMMkVXVX..VXVX0.XMMMMWl  ;c
            'NNoMMMMMMxVXVXVXVXVX0.XMMk0Mc
           .NMx OMMMMMMdVXVXVXlVXVX.NW.;MMc
          :NMMd .NMMMMMMdVXVXdMd,,,,oc ;MMWx
          .0MN,  'XMMMMMMoVXoMMMMMMWl   0MW,
           .0.    .xWMMMMM:lMMMMMM0,     kc
            ,O.     .:dOKXXXNKOxc.      do
             '0c        -VulnX-       ,Ol
               ;.                     :.

    # Coded By Anouar Ben Saad - @anouarbensaad
  • Escriba chmod 755 require.txt vulnx.py
root@kali:/home/iicybersecurity/Downloads/vulnx# chmod 755 requiremnets.txt vulnx.py
  • Escriba python3 vulnx.py –help
root@kali:/home/iicybersecurity/Downloads/vulnx# python3 vulnx.py --help
                    .:.        .:,
                   xM;           XK.
                  dx'            .lO.
                 do                ,0.
             .c.lN'      ,  '.     .k0.:'
              xMMk;d;''cOM0kWXl,',locMMX.
              .NMK.   :WMMMMMMMx    dMMc
               lMMO  lWMMMMMMMMMO. lMMO
                cWMxxMMMMMMMMMMMMKlWMk
                 .xWMMMMMMMMMMMMMMM0,
                   .,OMd,,,;0MMMO,.
             .l0O.VXVXOX.VXVX0MOVXVX.0Kd,
            lWMMO0VXVX0OX.VXVXlVXVX.VXNMMO
           .MMX;.N0VXVX00X.VXVXVX0.0M:.OMMl
          .OXc  ,MMOVXVX0VX .VXVX00MMo  ,0X'
          0x.  :XMMMkVXVX.XO.VXVXdMMMWo.  :X'
         .d  'NMMMMMMkVXVX..VXVX0.XMMMMWl  ;c
            'NNoMMMMMMxVXVXVXVXVX0.XMMk0Mc
           .NMx OMMMMMMdVXVXVXlVXVX.NW.;MMc
          :NMMd .NMMMMMMdVXVXdMd,,,,oc ;MMWx
          .0MN,  'XMMMMMMoVXoMMMMMMWl   0MW,
           .0.    .xWMMMMM:lMMMMMM0,     kc
            ,O.     .:dOKXXXNKOxc.      do
             '0c        -VulnX-       ,Ol
               ;.                     :.

    # Coded By Anouar Ben Saad - @anouarbensaad

usage: vulnx.py [-h] [-u URL] [-D DORKS] [-o OUTPUT] [-t TIMEOUT]
                [-c {user,themes,version,plugins,all}] [--threads NUMTHREAD]
                [-n NUMBERPAGE] [-i INPUT_FILE]
                [-l {wordpress,prestashop,joomla,lokomedia,drupal,all}]
                [-p SCANPORTS] [-e] [--it] [-w] [-d] [--dns]

OPTIONS:
  -h, --help            show this help message and exit
  -u URL, --url URL     url target to scan
  -D DORKS, --dorks DORKS
                        search webs with dorks
  -o OUTPUT, --output OUTPUT
                        specify output directory
  -t TIMEOUT, --timeout TIMEOUT
                        http requests timeout
  -c {user,themes,version,plugins,all}, --cms-info {user,themes,version,plugins,all}
                        search cms info[themes,plugins,user,version..]
  --threads NUMTHREAD   number of threads
  -n NUMBERPAGE, --number-pages NUMBERPAGE
                        search dorks number page limit
  -i INPUT_FILE, --input INPUT_FILE
                        specify input file of domains to scan
  -l {wordpress,prestashop,joomla,lokomedia,drupal,all}, --dork-list {wordpress,prestashop,joomla,lokomedia,drupal,all}
                        list names of dorks exploits
  -p SCANPORTS, --ports SCANPORTS
                        ports to scan
  -e, --exploit         searching vulnerability & run exploits
  --it                  interactive mode.
  -w, --web-info        web informations gathering
  -d, --domain-info     subdomains informations gathering
  --dns                 dns informations gatherings
  • Escriba python3 vulnx.py -u https://hack.me –dns -d -w -e –output ./hack.me
  • –dns se usa para recopilar información dns
  • -d se usa para recopilar información del dominio
  • -w se usa para recopilar información del dominio web
  • -e se usa para buscar vulnerabilidades y exploits
root@kali:/home/iicybersecurity/Downloads/vulnx# python3 vulnx.py -u https://hack.me --dns -d -w -e --output ./hack.me
                   .:.        .:,
                   xM;           XK.
                  dx'            .lO.
                 do                ,0.
             .c.lN'      ,  '.     .k0.:'
              xMMk;d;''cOM0kWXl,',locMMX.
              .NMK.   :WMMMMMMMx    dMMc
               lMMO  lWMMMMMMMMMO. lMMO
                cWMxxMMMMMMMMMMMMKlWMk
                 .xWMMMMMMMMMMMMMMM0,
                   .,OMd,,,;0MMMO,.
             .l0O.VXVXOX.VXVX0MOVXVX.0Kd,
            lWMMO0VXVX0OX.VXVXlVXVX.VXNMMO
           .MMX;.N0VXVX00X.VXVXVX0.0M:.OMMl
          .OXc  ,MMOVXVX0VX .VXVX00MMo  ,0X'
          0x.  :XMMMkVXVX.XO.VXVXdMMMWo.  :X'
         .d  'NMMMMMMkVXVX..VXVX0.XMMMMWl  ;c
            'NNoMMMMMMxVXVXVXVXVX0.XMMk0Mc
           .NMx OMMMMMMdVXVXVXlVXVX.NW.;MMc
          :NMMd .NMMMMMMdVXVXdMd,,,,oc ;MMWx
          .0MN,  'XMMMMMMoVXoMMMMMMWl   0MW,
           .0.    .xWMMMMM:lMMMMMM0,     kc
            ,O.     .:dOKXXXNKOxc.      do
             '0c        -VulnX-       ,Ol
               ;.                     :.

    # Coded By Anouar Ben Saad - @anouarbensaad


 [Target] => https://hack.me

------------------------------------------------
 [?] looking for cms
 [+] CMS : Lokomedia
------------------------------------------------
------------------------------------------------
 [~] Scanning Ports

   PORTS                     STATUS  PROTO
 [?] 22                    CLOSE   SSH
-----------------------------------------------
 [~] Starting DNS dump
 [!] Retrieved token: 7lMSlFeGREkQtU4PxAkC9E7JuA0wsfXnLpLxG3izLIboqqtCEBFGs2YDRCIMsJLh
 [?] Search for DNS Servers
 [+] Host : ns-113.awsdns-14.com.
 [+] IP : 205.251.192.113
 [+] AS : AMAZON-02
  ----------------
 [+] Host : ns-1428.awsdns-50.org.
 [+] IP : 205.251.197.148
 [+] AS : AMAZON-02
  ----------------
 [+] Host : ns-1869.awsdns-41.co.uk.
 [+] IP : 205.251.199.77
 [+] AS : AMAZON-02
  ----------------
 [+] Host : ns-881.awsdns-46.net.
 [+] IP : 205.251.195.113
 [+] AS : AMAZON-02
  ----------------
 [?] Search for MX Records
 [+] Host : 1 aspmx.l.google.com.
 [+] IP : 172.217.197.27
 [+] AS : GOOGLE
  ----------------
 [+] Host : 10 alt3.aspmx.l.google.com.
 [+] IP : 64.233.184.27
 [+] AS : GOOGLE
  ----------------
 [+] Host : 10 alt4.aspmx.l.google.com.
 [+] IP : 172.217.218.26
 [+] AS : GOOGLE
  ----------------
 [+] Host : 5 alt1.aspmx.l.google.com.
 [+] IP : 64.233.186.26
 [+] AS : GOOGLE
  ----------------
 [+] Host : 5 alt2.aspmx.l.google.com.
 [+] IP : 209.85.202.26
 [+] AS : GOOGLE
  ----------------
-----------------------------------------------
 [~] Check Vulnerability
  • Arriba se muestra el CMS de la URL objetivo. Luego se muestra el escaneo que Vulnx hizo en busca de puertos abiertos, así como los tokens asociados con el DNS
  • Posteriormente, la herramienta recuperó los servidores DNS con sus respectivas direcciones IP y hosts. Dicha información básica también se puede recuperar con Nslookup
  • La diferencia es que Vulnx hace una automatización para encontrar todos los servidores DNS
  • Puede escanear sitios web de diferentes CMS de manera similar, afirman los expertos en