My thoughts about IT and infosec.

Detect the CMS with CMSmap

There are plenty of tools available that you can use to find vulnerability flaws on a website. One tool I use is CMSmap ( that is written in Python.

Let’s install CMSmap

Installing CMSmap is an easy job. On my clean Debian 8.5 machine it was done in a second. There is one tool that you will need, and that is git.

apt install git

After installing git you can create a local clone of the repo.

# git clone
Cloning into 'CMSmap'...
remote: Counting objects: 34, done.
remote: Total 34 (delta 0), reused 0 (delta 0), pack-reused 34
Unpacking objects: 100% (34/34), done.
Checking connectivity... done.

Be sure you update CMSmap before you use it.

$ python --update A
[-] Date & Time: 29/08/2016 23:52:36
[-] Updating CMSmap to the latest version from GitHub repository... 
Already up-to-date.
[-] CMSmap is now updated to the latest version!
[-] Downloading wordpress plugins from svn website
[-] 62039 plugins found
[-] Wordpress Plugin File: /opt/tools/CMSmap/data/wp_plugins.txt
[-] Downloading WordPress plugins from ExploitDB website
[-] File: /opt/tools/CMSmap/data/wp_plugins_small.txt
[-] Downloading WordPress themes from ExploitDB website
[-] File: /opt/tools/CMSmap/data/wp_themes_small.txt
[-] Downloading Joomla components from ExploitDB website
[-] File: /opt/tools/CMSmap/data/joo_plugins_small.txt
[-] Downloading drupal modules from
[-] Drupal Plugin File: /opt/tools/CMSmap/data/dru_plugins_small.txt

Your first CMSmap scan

CMSmap takes it time to run and find some useful information. Sometimes it runs for 5 minutes or longer. You can speed this up (or low it down!) when needed and specify the maximum of threads (--theads) the program can use.

Run the scan with this command:

python -t

See the results:


When you are sure that the website is running Wordpress for example, and you want to do a full scan, the command to use is:

python -f W -F -t

Some thoughts

Tools like CMSmap are great for automatic testing. But when you are testing websites that are secured with plugins like Wordfence, there is big chance that you will not find where you are looking for. You cannot always trust on automated scans. If you do an automated scan on your website, and it thinks the state of your website is OK, think again and do some manual auditing. You always have to double-check your results.


Note: was my test website back then.

2016-08-24 23:32
#networking #security #cms