Web Application Defaults DB
A DB of known Web Application Admin URLs, Username/Password Combos and Exploits
This list was originally released @ DerbyCon 2012 by Gillis Jones
Updated and released by the Web App Defaults DB Group
If you have info and don't want to bother with Git, please feel free to shoot the info to:
and let us worry about the repo voodoo.
If you wish to submit via git, please use the following field types:
- ADMINURL:
- USERPASS:
- INTERESTINGURL:
- EXPLOITLINK:
- COMMENT:
This will make it much easier for people to parse the entire db for information.
For example:
## Example CMS
Info: This webapp falls over if you hit /dos.php on version 1.0 and prior
* ADMINURL: /admin/uberleet.php
* USERPASS: root:toor
* INTERESTINGURL: /database_test.php
* EXPLOITLINK: [http://exploitsdownload.com/search/cms](http://exploitsdownload.com/search/cms)
* COMMENT: Usernames will be [email protected]
Documentation: [http://www.wikipedia.org/](http://www.wikipedia.org/)
API Documentation: [https://apigee.com/console](https://apigee.com/console)
List of CMSs in DB
- Accrisoft Freedom
- AdaptCMS Lite
- Adobe Business Catalyst
- Adobe CQ5
- Alfresco Community Edition
- Apache Lenya
- ATutor
- Autonomy Interwoven Teamsite CMS
- b2evolution
- BEdita
- BLOG:CMS
- blosxom
- Bricolage
Cascade Server | /login.act | | | http://help.hannonhill.com/kb/security | | |
CivicSpace | To be determined | | | | | |
Clickability (Limelight Networks) | hosted by limelight? | | | | | |
CMS Made Simple | | admin | | | | http://exploitsdownload.com/search/cmsmadesimple |
CMSimple | | admin | test | | | http://exploitsdownload.com/search/cmsimple |
Composite C1 | /Administration | [email protected] | admin | | Username may be [email protected] | |
Computhink ViewWise | | | | | | |
Concrete5 | /index.php/login (alternatively /dashboard) | admin | random set at install | "Yep, great tip. When you go to logs (after resetting the password), you tick the box for emails sent and click on print view with full text. This opens the email that was sent with the link to set a new password. Click on that link and it will open a new browser window." | http://exploitsdownload.com/search/concrete5 | |
Contegro | | | | | Hosted on Contegro. | |
Content SORT | | | | | WP plugin | |
CoreMedia WCM | | | | | <- Magic Quadrant Masturbators | |
Cotonti | /admin.php | | | | | http://exploitsdownload.com/search/cotonti |
Daisy | /login | admin | admin | | | |
Django-cms | /admin | admin | | | | http://exploitsdownload.com/search/django |
Dokuwiki | /dokuwiki?do=login | | | | | http://exploitsdownload.com/search/dokuwiki |
Dotclear | /dotclear/admin/ | | | | | http://exploitsdownload.com/search/dotclear |
dotCMS | /admin/ | [email protected] (pre 1.9.2 [email protected]) | admin (pre 1.9.2 test) | http://dotcms.com/docs/1.9/DefaultsOnAnInitialDotCMSInstall | | http://exploitsdownload.com/search/dotcms |
DotNetNuke | Admin login | admin | | | | http://exploitsdownload.com/search/dotnetnuke |
Drupal | /admin or /?q=admin (non-clean) | admin | assigned in setup | | | http://exploitsdownload.com/search/drupal |
DSpace | (dspace?).site.com/admin | | | | | |
DynPG | /cms or /dynpg | | | | | http://exploitsdownload.com/search/dynpg |
e107 | //e107_admin/admin.php?view.all | | | | | http://exploitsdownload.com/search/e107 |
Ektron CMS400.Net | /workarea/login.aspx | admin | admin | documentation.ektron.com/CMS400/v70/adminmanual.pdf | | |
Elcom CMS | | | | | | http://exploitsdownload.com/search/elcom |
EMC Documentum ECM | | | | | | |
EPrints | /perl/users/home | admin | admin | | | |
Escenic Content Engine | /escenic/ | _admin | Specified by owner | documentation.vizrt.com/ece-pub-admin-guide-5.4.pdf | | |
Exponent CMS | | | | http://docs.exponentcms.org/docs/2.0.3/logging-in | | http://exploitsdownload.com/search/exponentcms |
ExpressionEngine | /admin.php or /phpmyadmin/ | | | | | http://exploitsdownload.com/search?q=expression+engine |
Exsite Webware | /cgi-bin/ | admin | password | | | |
eZ Publish | add "_admin" to the end of the frontoffice url | admin | password | | | http://exploitsdownload.com/search?q=frog+cms |
Fedora | .com:8091 or /login | admin | admin | | | |
Flagship Docs | | | | | | |
Foswiki | | | | | | |
Frog CMS | /admin/ | admin | password | | creds valid pre 1.0 version | |
Geeklog | /admin/ | Admin | password | | valid as of 02, looking for more recent sources. | |
Habari | /admin/login.php | | | | | http://exploitsdownload.com/search?q=habari |
Hippo CMS | .com:8080/cms | admin | admin | | | |
Hyland OnBase ECM | | | | | Info Behind Paywall | |
IBM Enterprise Content Management | | | | | | |
IBM Lotus Web Content Management | | | | | | |
Ikiwiki | | | | | | |
ImpressCMS | /admin.php | | | | | |
Jadu | /mymicrosite/jadu/ | | | | | |
JCore | /admin/ | admin | | | | |
Joomla! | /administrator or /joomla/administrator | admin | | | | |
Jumbo | jumbo/loginpage.php | admin | password | | | |
Kajona | | | | | | |
Kentico CMS | /CMSSiteManager | administrator | :blank: | | | |
KnowledgeTree Community Edition | /knowledgetree/ | admin | admin | | | |
Liferay Community Edition | | | | | | |
LogicalDOC | /logicaldoc/webdav/store | admin | admin | | As of 4.5 | |
Lyceum | | | | | | |
Magnolia | :8080/magnoliaAuthor/.magnolia. | superuser | superuser | | | |
Mambo | administrator/index.php | admin | admin | | | |
Mediawiki | | | | | | |
MiaCMS | /login.php | admin | let_me_in | | | |
Microsoft Office 365 | | | | | | |
Microsoft SharePoint Foundation | | | | | | |
Microsoft SharePoint Server | | | | | | |
Midgard CMS | /midgard | admin | password | http://www.midgard-project.org/documentation/midgard-admin-sitewizard/#36700c60b73acecb128e78b284b2d84e | | |
MODx | | | | | -Weirdness | |
mojoPortal | /Secure/Login.aspx | [email protected] | admin | http://www.mojoportal.com/installation-quick-start.aspx | | |
Movable Type | _mt/mt.cgi | | | | | |
Mura CMS | /admin | admin | admin | http://docs.getmura.com/user-guide/users/ | | |
Nucleus CMS | /nucleus/ | | | http://faq.nucleuscms.org/item/80 | | |
Nuxeo EP | /admin | Administrator | Administrator | http://doc.nuxeo.com/display/NXDOC54/Setup | | |
O3spaces | | | | | | |
Ocportal | /adminzone | admin | | http://ocportal.com/docs5/tut_configuration.htm | | http://exploitsdownload.com/search/ocportal |
OpenACS | | | | | | |
OpenCms | 8080/opencms/opencms/system/login/ | Admin | admin | http://www.opencms.org/en/development/installation/server.html | | http://exploitsdownload.com/search/opencms |
OpenKM | /OpenKM | okmAdmin | admin | http://forum.openkm.com/viewtopic.php?f=4&t=3711 | | |
OpenText ECM Suite | | | | | | |
OpenText Web Experience Management | | | | | | |
OpenText Web Site Management | | | | | | |
OpenWGA | /admin | admin | wga | http://www.openwga.com/home/support/tutorials/going_live_from_openwga_developer_studio.en.html | | |
Opus | | | | | | http://exploitsdownload.com/search/opus |
Oracle ECM Suite | .com:7001/console | | | http://docs.oracle.com/cd/E17904_01/doc.1111/e14495/verify.htm#CHDHCEFB | creds set in setup | |
Orchard Project | /Admin/ | | | | creds set in setup | |
papaya CMS | /papaya/ | | | http://www.papaya-cms.com | documentation in German | |
Peardrop(CMS) | /admin.php | admin(?) | admin | http://peardrop.coolmediatech.com/index.php/Documentation_%280.1.x%29 | | |
Percussion Software CM1 | | | | | | |
Phire CMS | | | | | | |
PHP-Fusion | /login.php | | | http://www.php-fusion.co.uk/ | | http://exploitsdownload.com/search/phpfusion/ |
PHP-Nuke | /nuke/admin.php | God | Password | | | http://exploitsdownload.com/search/phpnuke/ |
PHPSlash | god | password | http://phpxref.com/xref/phpslash/doc/html/single/phpslash.html.source.html | | http://exploitsdownload.com/search/phpslash/ | |
Phpweblog | /admin/users.php | Bypass using securiteam link | | http://www.securiteam.com/unixfocus/6K0021P0KE.html | sitekey:phpweblog | http://exploitsdownload.com/search/phpweblog/ |
phpWebSite | /admin.php | admin | phpwebsite | hintsforums.macworld.com/archive/index.php/t-10721.html | | http://exploitsdownload.com/search/phpwebsite |
phpWiki | /phpwiki/admin.php | | | | | |
Pier | .com/?command=PULogin | admin | pier | http://www.piercms.com/doc/faq#193819363 | | |
pimcore | /admin | admin | admin | www.pimcore.com | | http://exploitsdownload.com/search/pimcore/ |
PivotX | /pivotx | | | http://book.pivotx.net | user created name/pass | http://exploitsdownload.com/search/pivotx/ |
Pixie (CMS) | /admin | admin | pixie123 | http://www.getpixie.co.uk/support/article/manual-installation/ | | |
PmWiki | | admin | http://yate.null.ro/pmwiki/index.php?n=PmWiki.PasswordsAdmin | | http://exploitsdownload.com/search/pmwiki/ | |
Polopoly Web CMS | | | | | | |
Prestashop | /admin or /admin939 | | | http://doc.prestashop.com/display/PS14/System+Administrator+Guide | /admin is renamed upon install | http://exploitsdownload.com/search/prestashop/ |
ProcessWire | /processwire/ | admin | processwire2 | http://www.processwire.com | | |
Pulse CMS | /pulsepro/ | demo | http://www.pulsecms.com/docs/settings.php | Couldn't find username | http://exploitsdownload.com/search/pulsecms/ | |
Radiant | /admin/ | admin | radiant | http://radiantcms.org | | |
RavenNuke CMS | /admin.php or /ravennuke230/admin.php | | | http://rnwiki.ravennuke.com | | http://exploitsdownload.com/search/ravennuke/ |
Refinery CMS | :3000/refinery | | | http://refinerycms.com/guides/getting-started | No default user | http://exploitsdownload.com/search/refinery/ |
RenovatioCMS | /?RVGET_document=System+Management | | | www.renovatiocms.com/ | English Site Incomplete | |
Scoop | | | | | | |
Serendipity | /serendipity/serendipity_admin.php | John Doe | john | http://www.s9y.org/36.html | | http://exploitsdownload.com/search/serendipity |
SilverStripe | /admin | admin | password | http://doc.silverstripe.org/sapphire/en/topics/configuration | User can assign defaults in configuration | http://exploitsdownload.com/search/silverstripe |
Sitecore Professional Edition | | | | | | http://exploitsdownload.com/search/sitecore |
Sitefinity CMS | /Sitefinity/LoginPages/LoginForm | admin | Password | http://www.sitefinity.com/devnet/kb.aspx | If you see telerik.rad it's sitefinity | http://exploitsdownload.com/search/sitefinity |
Sitekit CMS | /admin | | | http://www.sitekit.net | | |
SMW+ | | root | m8nix | http://www.smwplus.com/index.php/Help:SMW%2B | | http://exploitsdownload.com/search/smwplus |
SPIP | | | | | | |
Squiz CMS | /_edit | admin/editor/approver | password | http://cms.squizsuite.net/quick-start-guide/ | admin password should be changed | http://exploitsdownload.com/search?q=squiz |
Squiz Matrix | /_admin | root | root | http://matrix.squizsuite.net/quick-start-guide/ | | http://exploitsdownload.com/search?q=squiz |
TangoCMS | index.php?url=session or /session | | | http://tangocms.org/announcements?page=2 | | |
Telligent Community | /telligent_evolution | admin | pa$$word | | check for /solr/admin | |
Textpattern | /textpattern/index.php or /textpattern/ | | | | | http://exploitsdownload.com/search?q=textpattern |
Tiki Wiki CMS Groupware | /tiki/tiki-login_scr.php | admin | admin | http://doc.tiki.org/Admin+Problems | | http://exploitsdownload.com/search?q=tikiwiki |
Titan CMS | | | | | | |
Tribiq CMS | /admin | tribiq.com/tribiq-6-documentation-installation.download | | http://exploitsdownload.com/search?q=tribiq | ||
TWiki | /cgi-bin/login | admin | | http://twiki.org/ | | http://exploitsdownload.com/search?q=twiki |
Typo | | | | | | |
TYPO3 | /typo3 | admin | password | http://wiki.typo3.org/TYPO3_Installation_Basics | | http://exploitsdownload.com/search?q=typo3 |
uCoz | /admin | | | | | |
Umbraco | /umbraco/login.aspx | admin | default | http://our.umbraco.org/ | | |
VosaoCMS | /cms | [email protected] | admin | | | |
WebGUI | | root | | | http://www.exploitsdownload.com/search?q=webgui | |
Webnodes CMS | | | | | | |
WolfCMS | /admin/ | http://www.wolfcms.org/wiki/books:administration | | http://www.exploitsdownload.com/search?q=wolfCMS | ||
WordPress | /wp-admin/ | admin | http://codex.wordpress.org/ | Why are you looking HERE for WP? | http://www.exploitsdownload.com/search?q=Wordpress | |
Wuzly | /admin/login.php | Administrator | 100 | | | http://osvdb.com/search/search?search[vuln_title]=wuzly |
Xaraya | | | | | | |
XOOPS | /admin.php | admin | admin | xoops.org | | http://www.exploitsdownload.com/search?q=XOOPS |
Xpress Engine | /index.php?module=admin | http://xpressengine.org | | http://www.exploitsdownload.com/search?q=XpressEngine | ||
Yanel | .com:8080/yanel/ | | | http://yanel.wyona.org/en/documentation/index.html | | |
Zikula | /admin.php or user.php | | | http://phpxref.zikula.de/nav.html?system/Admin/lib/Admin/Controller/Admin.php.html | | http://www.cvedetails.com/vulnerability-list/vendor_id-10810/Zikula.html |
Zotonic | | admin | admin | | Written in Erlang |