Exploiting Vulnerable Web Components

Modern web applications are often built on frameworks, libraries, plugins, and modules—many of which were written once and then forgotten. These outdated components are like termites in a house: invisible until they bring the whole thing down. In this post, we’ll look at how to identify and exploit these forgotten and vulnerable bits of code.

Developers frequently use third-party software to save time—but they don’t always update it. For pentesters, these neglected components are gold mines:

  • Known exploits already exist (CVE numbers, PoCs).
  • Easy privilege escalation or code execution vectors.
  • Detection often lags behind in patch management systems.

  • WhatWeb: whatweb http://target.com (detects CMS, frameworks, server info)
  • Wappalyzer (browser plugin): quick visual fingerprinting
  • BuiltWith (online): tech stack analysis from the outside
  • strings, grep, or source inspection: look for JS/CSS version comments like /jquery-1.8.3.js
  • CMS scanners:
    • wpscan (WordPress): wpscan --url http://target.com --enumerate vp (enumerates vulnerable plugins)
    • droopescan (Drupal, Joomla, SilverStripe): droopescan scan drupal -u http://target.com

Once you identify the version of a component:

You discover:

  • /wp-content/plugins/wp-file-manager/
  • WPScan reveals it’s version 6.0
  • A known RCE exists (CVE-2020-25213)

Exploit Steps:

  1. Upload malicious PHP file using the vulnerable plugin.
  2. Access it via browser to execute code: http://target.com/wp-content/plugins/wp-file-manager/lib/files/shell.php
  3. Reverse shell acquired.
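
From the defender's side, the scenario above leaves a trace in the web server access log: a request for a PHP file inside the plugin's file storage directory. The Python below is an added example, not part of the original post, that flags such requests in combined-format access logs. The /wp-content/uploads/ directory, the extension list, and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Directories that should hold data only, never executable scripts.
# The first path is from the scenario above; the second is an assumed addition.
WATCHED_DIRS = (
    "/wp-content/plugins/wp-file-manager/lib/files/",
    "/wp-content/uploads/",
)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_script_hits(lines):
    """Return requests for script files inside the watched directories."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        # Drop the query string, decode %xx, and collapse ../ segments
        # so encoded or indirect paths are matched too.
        path = posixpath.normpath(unquote(urlsplit(m["target"]).path))
        if path.startswith(WATCHED_DIRS) and SCRIPT_EXT.search(path):
            status = int(m["status"])
            # A 2xx status means the server handled the file; 403/404
            # means the request was blocked or the file does not exist.
            hits.append({"ip": m["ip"], "time": m["ts"], "path": path,
                         "status": status, "served": 200 <= status < 300})
    return hits

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/shell.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /wp-content/uploads/2024/03/a%2Ephp?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/03/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2024:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE_LOG):
        print(hit)
```

A hit with served set to True warrants inspecting the file on disk and disabling script execution for that directory in the web server configuration.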

A classic:

curl -X POST -H "Content-Type: %{(#nike='multipart/form-data').(#[...code...])}" http://target.com/upload.action

If the app is using vulnerable Struts, code execution is immediate.

  • CMS Platforms: WordPress, Joomla, Drupal
  • Frameworks: Apache Struts, Spring, Ruby on Rails, Django
  • JavaScript Libraries: jQuery, Angular, React (older versions)
  • Dependency Managers: Composer (PHP), npm (Node), pip (Python)
  • File uploaders, themes, contact forms—all great places to hide vulnerable code

Nuclei is a powerful scanner with thousands of templates.

nuclei -u http://target.com -t cves/
# Scans for known CVEs across technologies

Update templates often:

nuclei -update-templates

Target: http://vulnerablecms.local
- WhatWeb shows WordPress 5.1.1
- WPScan finds Contact Form 7 plugin, version 5.0.1
- Exploit-DB shows an RCE vulnerability
- Upload PHP web shell via plugin's upload field
- Browse to shell
- Gain foothold into the web server

Old software never forgets—especially when it’s riddled with vulnerabilities. As a pentester, the trick is to spot the cracks before the defenders patch them. Keep your scanners updated, read CVEs like bedtime stories, and never trust a plugin left unattended.
