cms2cmd — Universal CMS Plugin For Command Execution

Airman
Nov 24, 2018

I just released cms2cmd, a CMS plugin that can be used with Drupal 7, Drupal 8, Joomla and WordPress as a simple command execution mechanism.

Occasionally during a CTF (or a pen test?) you might gain admin access to a CMS, which in most configurations gives you RCE. cms2cmd is a clean (i.e. no need to change templates or otherwise “break” the CMS instance) and simple command execution plugin that works across several CMS platforms (the current version has been tested on Drupal 7, Drupal 8, Joomla 3.x, and WordPress 3.9.x).

The same mod_cmd.zip file is recognized as a valid plugin by all the supported CMS systems. It will send a 404 HTTP response if called without providing a command to execute, which makes it a bit sneakier and safer in a CTF-type environment.

How it works

mod_cmd.php — main module for both Joomla and WordPress, as both allow direct access to a plugin's PHP files. WordPress doesn’t need any additional files; all the required plugin metadata is provided in the comments in this file.

mod_cmd.xml — provides required plugin metadata for Joomla.

mod_cmd.module — main module for the Drupal 7 plugin. It registers a mod_cmd page and tells Drupal to invoke the mod_cmd_callback() function when the page is requested (through the ?q=mod_cmd parameter).

mod_cmd.info — plugin metadata file for Drupal 7.

src/Controller/ModCmdController.php — main module for Drupal 8.

mod_cmd.routing.yml — registers the /mod_cmd page with Drupal 8 and tells Drupal to invoke the content() method from ModCmdController.php when it is requested.

mod_cmd.info.yml — plugin metadata for Drupal 8.

index.html — prevents directory browsing.
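From the reviewing side, the file layout above is itself a signal: a legitimate extension carries metadata for one CMS, not four. The sketch below is an added example, not part of cms2cmd; its function names and the constructed sample trees (harmless placeholder content only) are assumptions, and it flags an extracted plugin directory that contains metadata for more than one CMS.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a "Plugin Name:" comment header.
WP_HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:", re.M | re.I)
# Joomla manifests use an <extension type=...> root (<install> in old releases).
JOOMLA_ROOT = re.compile(rb"<(extension|install)\b[^>]*\btype\s*=", re.I)

def cms_markers(plugin_dir):
    """Return the set of CMS families whose plugin metadata is present."""
    found = set()
    for path in (p for p in Path(plugin_dir).rglob("*") if p.is_file()):
        name = path.name.lower()
        head = path.read_bytes()[:8192]  # metadata sits near the top
        if name.endswith(".info.yml"):
            found.add("drupal8")
        elif name.endswith(".info"):
            found.add("drupal7")
        elif name.endswith(".php") and WP_HEADER.search(head):
            found.add("wordpress")
        elif name.endswith(".xml") and JOOMLA_ROOT.search(head):
            found.add("joomla")
    return found

def is_multi_cms(plugin_dir, threshold=2):
    """A legitimate plugin targets one CMS; several at once warrants review."""
    return len(cms_markers(plugin_dir)) >= threshold

def build_samples(root):
    """Constructed sample trees with harmless placeholder content."""
    layout = {
        "suspect/mod_cmd.php": "<?php\n/*\nPlugin Name: placeholder\n*/\n",
        "suspect/mod_cmd.xml": '<?xml version="1.0"?>\n<extension type="module"></extension>\n',
        "suspect/mod_cmd.info": "name = placeholder\ncore = 7.x\n",
        "suspect/mod_cmd.info.yml": "name: placeholder\ntype: module\n",
        "suspect/mod_cmd.module": "<?php\n",
        "normal/hello.php": "<?php\n/*\nPlugin Name: Hello\n*/\n",
    }
    for rel, text in layout.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return Path(root) / "suspect", Path(root) / "normal"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        suspect, normal = build_samples(tmp)
        print(sorted(cms_markers(suspect)), sorted(cms_markers(normal)))
```

Point `cms_markers()` at each directory under the CMS's plugin or module path; file names can be changed by whoever installs the plugin, so the check keys on metadata formats rather than on the name mod_cmd.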

Final notes

cms2cmd is invoked differently for different CMS systems; check README.md for details.

I’m not a professional developer; this project was put together as a convenience for myself. If you have constructive improvement suggestions, let me know.
