Most of the websites have their own custom control panel/admin panel other than the server cpanel. They are simply programmed in php, html and java like languages. These admin panel can control the website completely other than the server settings. Once you have access to this then you can upload new images, edit pages and posts etc.
Admin panel requires a login that is stored in its local database. You can simply hack the database with tools like sqlmap (How to hack a database with sql injection sqlmap) or you can bruteforce it to gain access. The most annoying part in web penetration testing is finding these control panels. You can manually type in urls and search it which is very time consuming.
Here i have written a simple piece of code in python- CPSCAN. This can perform that annoying task easily. This python script bruteforce all the possible directories of a server and detects control panel by http response codes. This can detect almost 85% of websites. There is a file named dir you can edit the file to add or remove directory if necessary .
option -v is for verbose mode. This can check every directory one by one and display the http codes, if it found one it will prompt user to continue scan or quit with the result. this wont take much time and its easy to use.Any doubts or questions? post it on the comment section below. If you like this blog give me a like on facebook and add me on google plus. Subscribe my youtube channel for video tutorials.