Merge pull request #431 from dwisiswant0/tpl/wpscan

Add WordPress Interesting Findings
2020-09-08 23:47:21 +05:30 · 2020-09-08 23:47:21 +05:30 · a3e564e007
parent cacfeebeab a1a01c3c1c
commit a3e564e007
6 changed files with 113 additions and 13 deletions
--- a/files/sql-dump.yaml
+++ b/files/sql-dump.yaml
@ -2,37 +2,40 @@ id: default-sql-dump

 info:
  name: MySQL Dump Files
-  author: geeknik
+  author: geeknik & @dwisiswant0
  severity: medium

 requests:
  - method: GET
    path:
-      - "{{BaseURL}}/{{Hostname}}.sql"
      - "{{BaseURL}}/1.sql"
      - "{{BaseURL}}/backup.sql"
-      - "{{BaseURL}}/data.sql"
      - "{{BaseURL}}/database.sql"
+      - "{{BaseURL}}/data.sql"
      - "{{BaseURL}}/db_backup.sql"
      - "{{BaseURL}}/dbdump.sql"
      - "{{BaseURL}}/db.sql"
      - "{{BaseURL}}/dump.sql"
+      - "{{BaseURL}}/{{Hostname}}.sql"
      - "{{BaseURL}}/localhost.sql"
+      - "{{BaseURL}}/mysqldump.sql"
      - "{{BaseURL}}/mysql.sql"
      - "{{BaseURL}}/site.sql"
      - "{{BaseURL}}/sql.sql"
      - "{{BaseURL}}/temp.sql"
-      - "{{BaseURL}}/users.sql"
      - "{{BaseURL}}/translate.sql"
-      - "{{BaseURL}}/mysqldump.sql"
-
+      - "{{BaseURL}}/users.sql"
+      - "{{BaseURL}}/wp-content/uploads/dump.sql"
+    headers:
+      Range: "bytes=0-3000"
    matchers-condition: and
    matchers:
-      - type: word
-        words:
-          - "INSERT INTO"
+      - type: regex
+        regex:
+          - "(?m)(?:DROP|CREATE|(?:UN)?LOCK) TABLE|INSERT INTO"
        part: body
-
      - type: status
        status:
-          - 200
+          - 200
+          - 206
+        condition: or
--- a/files/wordpress-db-backup.yaml
+++ b/files/wordpress-db-backup.yaml
@ -0,0 +1,22 @@
+id: wordpress-db-backup
+
+info:
+  name: WordPress DB Backup
+  author: dwisiswant0
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/backup-db/"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Index of /"
+          - ".sql\">"
+        condition: and
+        part: body
+      - type: status
+        status:
+          - 200
--- a/files/wordpress-emergency-script.yaml
+++ b/files/wordpress-emergency-script.yaml
@ -0,0 +1,26 @@
+id: wordpress-emergency-script
+
+info:
+  name: WordPress Emergency Script
+  author: dwisiswant0
+  severity: info
+
+  # Ref:-
+  # https://wordpress.org/support/article/resetting-your-password/#using-the-emergency-password-reset-script
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/emergency.php"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Your use of this script is at your sole risk"
+          - "WordPress Administrator"
+          - "Update Options"
+        condition: and
+        part: body
+      - type: status
+        status:
+          - 200
--- a/files/wordpress-installer-log.yaml
+++ b/files/wordpress-installer-log.yaml
@ -0,0 +1,20 @@
+id: wordpress-installer-log
+
+info:
+  name: WordPress Installer Log
+  author: dwisiswant0
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/installer-log.txt"
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "(?mi)DUPLICATOR(?:-(PRO|LITE):)? INSTALL-LOG"
+        part: body
+      - type: status
+        status:
+          - 200
--- a/files/wordpress-tmm-db-migrate.yaml
+++ b/files/wordpress-tmm-db-migrate.yaml
@ -0,0 +1,20 @@
+id: wordpress-tmm-db-migrate
+
+info:
+  name: WordPress ThemeMarkers DB Migration File
+  author: dwisiswant0
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wp-content/uploads/tmm_db_migrate/tmm_db_migrate.zip"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "application/zip"
+        part: header
+      - type: status
+        status:
+          - 200
--- a/workflows/wordpress-workflow.yaml
+++ b/workflows/wordpress-workflow.yaml
@ -10,8 +10,12 @@ variables:
  wordpress_wpconfig: security-misconfiguration/wordpress-accessible-wpconfig.yaml
  wordpress_duplicator_path_traversal: vulnerabilities/wordpress-duplicator-path-traversal.yaml
  wordpress_wordfence_xss: vulnerabilities/wordpress-wordfence-xss.yaml
-  wordpress_cve_1: cves/CVE-2019-9978.yaml
  wordpress_debug_log: files/wordpress-debug-log.yaml
+  wordpress_db_backup: files/wordpress-db-backup.yaml
+  wordpress_emergency_script: files/wordpress-emergency-script.yaml
+  wordpress_installer_log: files/wordpress-installer-log.yaml
+  wordpress_tmm_db_migrate: files/wordpress-tmm-db-migrate.yaml
+  wordpress_cve: cves/CVE-2019-9978.yaml

 logic: |
  wordpress_tech()
@ -23,6 +27,11 @@ logic: |
    wordpress_wpconfig()
    wordpress_duplicator_path_traversal()
    wordpress_wordfence_xss()
-    wordpress_cve_1()
    wordpress_debug_log()
+    wordpress_db_backup()
+    wordpress_emergency_script()
+    wordpress_installer_log()
+    wordpress_tmm_db_migrate()
+    wordpress_cve()
+
  }