How I Got my first P1 (Sensitive Information Disclosure) using WPScan
In the name of God, the Most Gracious, the Most Merciful
Background
Hello,
I started bug hunting in October 2019. I spent almost 4 months learning about common vulnerabilities and focusing on how to do recon, until I found my first P1 using a basic recon technique. In this article, I would like to share my very first P1 with you. I hope you like it, enjoy!
Reconnaissance Phase
I was invited to a private program on Bugcrowd with a huge in-scope target (a wildcard). So the first step was to find all the subdomains. I used crt.sh combined with httprobe (by Tomnomnom) and ran this command on my VPS (here $1 is the target domain, the first argument of the shell function the command lives in):
curl -s https://crt.sh/\?q\=\%.$1\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httprobe | tee -a ./alive.txt
This command does the following:
- curl -> queries crt.sh for the target domain and requests the output as JSON;
- jq & sed -> slice and filter the output so that only the domain names remain (sed strips the leading "*." from wildcard certificates);
- sort -u -> eliminates duplicate domains;
- httprobe -> checks whether each subdomain is responding over HTTP/HTTPS;
- tee -> splits the output of httprobe in two, so it is displayed in the terminal and also appended to the output file.
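The jq | sed | sort -u stage of that pipeline, rewritten as an added Python example (not code from the original post or from recon_profile) so the filtering can be checked offline. It works on a constructed crt.sh-style JSON sample and goes one step beyond the one-liner: crt.sh joins several SANs from one certificate with newlines, and a certificate can carry SANs outside the scope domain, so it splits those entries and drops out-of-scope names.

```python
import json
from typing import List

# Constructed sample of crt.sh JSON output (?q=%.example.com&output=json),
# not a real query result: one entry carries several SANs joined by "\n",
# one is a wildcard name, one shares its certificate with an out-of-scope host.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.staging.example.com"},
    {"name_value": "Blog.Example.com"},
    {"name_value": "shop.example.com\ncdn.partner-host.net"},
    {"name_value": "www.example.com"},
])


def hostnames_from_crtsh(raw_json: str, scope: str) -> List[str]:
    """Return unique, in-scope hostnames from a crt.sh JSON response.

    Mirrors jq -r '.[].name_value' | sed 's/\\*\\.//g' | sort -u, plus
    splitting of multi-SAN entries and a scope check that the
    one-liner does not perform.
    """
    scope = scope.lower().lstrip(".")
    found = set()
    for entry in json.loads(raw_json):
        # crt.sh separates multiple SANs of one certificate with newlines
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):          # same effect as the sed step
                name = name[2:]
            if not name:
                continue
            # keep only the scope apex and names under it
            if name == scope or name.endswith("." + scope):
                found.add(name)
    return sorted(found)                        # same effect as sort -u


if __name__ == "__main__":
    for host in hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The resulting list is what would be piped into httprobe in the original command.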
By the way, do I type that very long command every time I do recon? Absolutely not. I use .bash_profile to run it through a shortcut. I learned this from a YouTube video by Behrouz Sadeghipour: https://www.youtube.com/watch?v=YhUiAH5SIqk . Thanks Nahamsec!
I also got that command from Nahamsec's recon_profile. Thanks again Nahamsec! :D
Check all the subdomains
I'm a GUI guy, so after I get all the subdomains, what I do is check them one by one: open each in the browser and see what features are there. But there is no way I can do it one at a time, copying each URL, pasting it into the browser and waiting until the page is fully loaded. That wastes a lot of time, bro. So I use these very helpful extensions on Firefox (also available on Chrome):
- Open Multiple URLs (opens multiple URLs in just one click)
- Wappalyzer (tells us what technologies the website uses: CMS, web server, database, programming language, etc.)
From all the subdomains I got, I usually open 20–30 subdomains in one click, so that my computer does not have too much to process, and then I check them one by one.
Using this technique, I found that more than 50% of the subdomains were running WordPress (including the main domain). Without thinking too much, I ran WPScan against the main domain first.
WPScan Finding
After waiting for WPScan to finish, I found a very interesting alert: it said that a backup of the wp-config file (wp-config.php.bak) was found! So I tried to access it from the URL, like https://redacted.com/wp-config.php.bak . Boom! It contained db_name, db_password and other sensitive information!
Resolved after 2 days.
Awarded with 40 points!
That's all, thanks for reading this write-up!
Regards, Harrmahar.
Credits
- Behrouz Sadeghipour (Thanks for the bash_profile, the live recon sessions and all the amazing videos on YouTube!)
- YoKo Kho (Thanks for the Bug Hunting 101 book and all the tips you gave to me!)
- Crt.sh
- TomNomNom's httprobe
- Open Multiple URLs extension on Chrome and Firefox
- Wappalyzer