Merge pull request #2787 from mr-rizwan-syed/master

wp-config-file and aws-s3-access-key-leak
2021-10-05 18:25:04 +05:30 · 2021-10-05 18:25:04 +05:30 · 5b5e764b48
parent 03f81f91cc 5c4dd11b6b
commit 5b5e764b48
2 changed files with 30 additions and 4 deletions
--- a/exposures/configs/wpconfig-aws-keys.yaml
+++ b/exposures/configs/wpconfig-aws-keys.yaml
@ -0,0 +1,23 @@
+id: wpconfig-aws-keys
+
+info:
+  name: AWS S3 keys Leak
+  author: r12w4n
+  severity: high
+  tags: aws,s3,wordpress,disclosure
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/wp-config.php-backup'
+      - "{{BaseURL}}/%c0"
+
+    matchers:
+      - type: word
+        words:
+          - 'access-key-id'
+          - 'secret-access-key'
+          - 'DB_NAME'
+          - 'DB_PASSWORD'
+        condition: and
+        part: body
--- a/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
+++ b/vulnerabilities/wordpress/wordpress-accessible-wpconfig.yaml
@ -1,9 +1,9 @@
 id: wordpress-accessible-wpconfig
 info:
  name: WordPress accessible wp-config
-  author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo
+  author: Kiblyn11,zomsop82,madrobot,geeknik,daffainfo,r12w4n
  severity: high
-  tags: wordpress,backups
+  tags: wordpress,backup

 requests:
  - method: GET
@ -24,6 +24,7 @@ requests:
      - '{{BaseURL}}/wp-config-backup.txt'
      - '{{BaseURL}}/wp-config.php.save'
      - '{{BaseURL}}/wp-config.php~'
+      - '{{BaseURL}}/wp-config.php-backup'
      - '{{BaseURL}}/wp-config.php.orig'
      - '{{BaseURL}}/wp-config.php.original'
      - '{{BaseURL}}/_wpeprivate/config.json'
@ -33,9 +34,11 @@ requests:
    matchers:
      - type: word
        words:
-          - DB_NAME
-          - WPENGINE_ACCOUNT
+          - "DB_NAME"
+          - "DB_PASSWORD"
        part: body
+        condition: and
+
      - type: status
        status:
          - 200