Hello Everyone, In this blog we are going to see How to Identify, Mass
hunt and Exploit Concrete5 CMS.
What is Concrete5 CMS?
It is an open-source software used for creating websites and editing them on fly.
TL,DR
Enough of talking, Let’s start!
Identification of Concrete5 CMS :
Wappalyzer:
https://www.wappalyzer.com/lookup/concrete5.org/


Concrete5 CMS running on the web-application
Shodan:
Search Query : Set-Cookie: CONCRETE5

Shodan Search Results
To Hunt for Specific Organisation
Search Query: Set-Cookie: CONCRETE5 org:”Microsoft Corporation”

Shodan Search Results for specific org
Shodan CLI Command :
shifa@Mac-Book-Pro mytemplates % shodan search “Set-Cookie: CONCRETE5” — fields ip_str,port — separator “ “ | awk ‘{print $1”:”$2}’ | tee -a shodan-concrete-ips.txt

Censys
Search Query: 443.https.get.body:concrete5

Writing Nuclei Template
Now we have the IP Address running the Concrete5 CMS, and we can further test them for the vulnerability.
We are going to now write a nuclei template to test all of them together in one go.
Vulnerable Endpoint : /ccm/system/panels/page/preview_as_user/preview?cID=
Vulnerable Parameter :
cID=
shifa@Mac-Book-Pro% cat concrete-nuclei-template.yaml

Breakdown of Template :
Path : This signifies the endpoint of the target
‘{{BaseURL}}/ccm/system/panels/page/preview_as_user/preview?cID=”></iframe><svg/onload=alert(1)>’
Matchers: This signifies the matching condition with the payload
“</iframe><svg/onload=alert(1)>”
matchers-condition: This signifies the condition that our template should match status code 200 in response and our payload as seen above.
Running Nuclei Template

Vulnerable Targets detected with the template
Template Link: https://github.com/shifa123/mytemplates/tree/main
Exploiting XSS in Browser

Reporting the Vulnerability
Found the vulnerability in targets and want to send a report, We have got your covered. Copy and Use the ready made reporting templates at https://hacktify.in/bugbounty to invest more time in hunting and not in reporting.

XSS reporting template
Loved reading this, We teach more such techniques in our Bug Bounty for Beginners Crash Course for Beginners.