cms2cmd — Universal CMS Plugin For Command Execution
I just released cms2cmd, a CMS plugin that can be used with Drupal 7, Drupal 8, Joomla and WordPress as a simple command execution mechanism.
Occasionally during a CTF (or a pen test?) you might gain admin access to a CMS, which in most configurations gives you RCE. cms2cmd is a clean (i.e. no need to change templates or otherwise “break” the CMS instance) and simple command execution plugin that works with several CMS systems (the current version has been tested on Drupal 7, Drupal 8, Joomla 3.x, and WordPress 3.9.x).
The same mod_cmd.zip file is recognized as a valid plugin by all the supported CMS systems. It will send a 404 HTTP response if called without providing a command to execute, which makes it a bit sneakier and safer in a CTF-type environment.
How it works
mod_cmd.php — main module in both Joomla and WordPress, as they allow direct access to the PHP files of a plugin. WordPress doesn’t need any additional files; all the required plugin metadata is provided in the comments here.
mod_cmd.xml — provides required plugin metadata for Joomla.
mod_cmd.module — main module for the Drupal 7 plugin. It registers a mod_cmd page and tells Drupal to invoke the mod_cmd_callback() function when the page is requested (through the ?q=mod_cmd parameter).
mod_cmd.info — plugin metadata file for Drupal 7.
src/Controller/ModCmdController.php — main module for Drupal 8.
mod_cmd.routing.yml — registers the /mod_cmd page with Drupal 8 and tells Drupal to invoke the content() method from ModCmdController.php when it is requested.
mod_cmd.info.yml — plugin metadata for Drupal 8.
index.html — prevents directory browsing.
cms2cmd is invoked differently for different CMS systems; check README.md for details.
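Seen from the defender's side, the file list above is a fingerprint: a normal plugin carries metadata for one CMS, not four. The following is an added example, not part of cms2cmd or the original post, that flags plugin directories holding metadata for more than one platform; the function names, marker strings and threshold are assumptions of this sketch, and the sample tree is constructed with inert file bodies.

```python
import os
import pathlib
import tempfile

# Assumed heuristics for this example: extension -> (lower-cased marker, platform)
CONTENT = {".xml": (b"<extension", "joomla"), ".php": (b"plugin name:", "wordpress")}

def _head(path, size=8192):
    try:
        with open(path, "rb") as fh:
            return fh.read(size).lower()
    except OSError:  # unreadable file: treat as carrying no marker
        return b""

def cms_markers(plugin_dir):
    """Return the CMS platforms whose plugin metadata appears under plugin_dir."""
    found = set()
    for root, _dirs, files in os.walk(plugin_dir):
        lower = {f.lower() for f in files}
        for name in files:
            low = name.lower()
            marker, platform = CONTENT.get(os.path.splitext(low)[1], (None, None))
            if low.endswith(".info.yml"):  # Drupal 8 metadata file
                found.add("drupal8")
            elif low.endswith(".info") and low[:-5] + ".module" in lower:  # Drupal 7 pair
                found.add("drupal7")
            elif marker and marker in _head(os.path.join(root, name)):
                found.add(platform)
    return found

def find_polyglot_plugins(extensions_root, threshold=2):
    """Map each subdirectory holding metadata for >= threshold CMSs to its markers."""
    dirs = sorted(e.name for e in os.scandir(extensions_root) if e.is_dir(follow_symlinks=False))
    hits = {d: sorted(cms_markers(os.path.join(extensions_root, d))) for d in dirs}
    return {d: m for d, m in hits.items() if len(m) >= threshold}

SAMPLE = {  # constructed tree: inert stand-in bodies, names follow the page's file list
    "contact-form/contact-form.php": "<?php /* Plugin Name: Contact Form */",
    "mod_cmd/mod_cmd.php": "<?php /* Plugin Name: placeholder */",
    "mod_cmd/mod_cmd.xml": '<extension type="module"></extension>',
    "mod_cmd/mod_cmd.module": "", "mod_cmd/mod_cmd.info": "", "mod_cmd/mod_cmd.info.yml": "",
}

def scan_sample():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = pathlib.Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return find_polyglot_plugins(tmp)
```

scan_sample() runs the check over the constructed tree; on a real host, point find_polyglot_plugins() at the CMS's plugin or module directory and review any hit by hand, since the match is on layout only and a renamed copy keeps the same shape.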
I’m not a professional developer; this project was put together as a convenience for myself. If you have constructive improvement suggestions, let me know.