wordpress path traversal

payoub125 · payoub125 · commit ab04ffc2cf70 · 2025-03-01T13:23:55.000-05:00
diff --git a/cmd/wordpress.go b/cmd/wordpress.go
@@ -0,0 +1,107 @@
+package cmd
+
+import (
+	"errors"
+
+	path "github.com/Method-Security/methodwebtest/internal/wordpress/path"
+	"github.com/spf13/cobra"
+)
+
+// InitWordpressCommand initializes the apache command for the methodwebtest CLI.
+func (a *MethodWebTest) InitWordpressCommand() {
+	wordpressCmd := &cobra.Command{
+		Use:   "wordpress",
+		Short: "Perform wordpress specific injection tests against a target",
+		Long:  `Perform wordpress specific injection tests against a target`,
+	}
+
+	wordpressCmd.PersistentFlags().StringSlice("targets", []string{}, "The URL of target")
+	wordpressCmd.PersistentFlags().Int("timeout", 30, "Timeout per request (seconds)")
+	wordpressCmd.PersistentFlags().Int("sleep", 0, "Sleep time between requests (seconds)")
+	wordpressCmd.PersistentFlags().Int("retries", 0, "Number of attempts per credential pair")
+
+	// pathCmd holds the subcommands for path injection tests
+	pathCmd := &cobra.Command{
+		Use:   "path",
+		Short: "Perform path injection tests against a target",
+		Long:  `Perform path injection tests against a target`,
+	}
+
+	traversalCmd := &cobra.Command{
+		Use:   "traversal",
+		Short: "Perform a Wordpress specific path traversal for common file locations",
+		Long:  `Perform a Wordpress specific path traversal for common file locations`,
+		Run: func(cmd *cobra.Command, args []string) {
+			defer a.OutputSignal.PanicHandler(cmd.Context())
+
+			// Target flags
+			targets, err := cmd.Flags().GetStringSlice("targets")
+			if err != nil {
+				a.OutputSignal.AddError(err)
+				return
+			}
+			if len(targets) == 0 {
+				a.OutputSignal.AddError(errors.New("no targets provided"))
+				return
+			}
+
+			// Configuration flags
+			responseCodes, err := cmd.Flags().GetString("responsecodes")
+			if err != nil {
+				a.OutputSignal.AddError(err)
+				return
+			}
+			ignoreBase, err := cmd.Flags().GetBool("ignorebasecontentmatch")
+			if err != nil {
+				a.OutputSignal.AddError(err)
+				return
+			}
+			timeout, err := cmd.Flags().GetInt("timeout")
+			if err != nil {
+				a.OutputSignal.AddError(err)
+				return
+			}
+			sleep, err := cmd.Flags().GetInt("sleep")
+			if err != nil {
+				a.OutputSignal.AddError(err)
+				return
+			}
+			retries, err := cmd.Flags().GetInt("retries")
+			if err != nil {
+				a.OutputSignal.AddError(err)
+				return
+			}
+			successfulOnly, err := cmd.Flags().GetBool("successfulonly")
+			if err != nil {
+				a.OutputSignal.AddError(err)
+				return
+			}
+			threshold, err := cmd.Flags().GetFloat64("threshold")
+			if err != nil {
+				a.OutputSignal.AddError(err)
+				return
+			}
+
+			// Load configuration
+			config := LoadPathTraversalConfig(targets, []string{}, []string{}, "", responseCodes, ignoreBase, timeout, sleep, retries, successfulOnly, threshold, nil)
+
+			// Generate report
+			report := path.PerformWordpressPathTraversal(cmd.Context(), config)
+			if len(report.Errors) > 0 {
+				a.OutputSignal.Status = 1
+			}
+			a.OutputSignal.Content = report
+		},
+	}
+
+	traversalCmd.Flags().String("responsecodes", "200-299", "Response codes to consider as valid responses")
+	traversalCmd.Flags().Bool("ignorebasecontentmatch", true, "Ignores valid responses with identical size and word length to the base path, typically signifying a web backend redirect")
+	traversalCmd.Flags().Bool("successfulonly", false, "Only show successful attempts")
+	traversalCmd.Flags().Float64("threshold", 0.10, "Threshold for a negitive finding that represents the percentage difference between the size of the response body in question and the baseline response (0.0 is an exact match, with .05 being a 5 percent difference)")
+
+	pathCmd.AddCommand(traversalCmd)
+
+	wordpressCmd.AddCommand(pathCmd)
+
+	a.RootCmd.AddCommand(wordpressCmd)
+}
diff --git a/internal/wordpress/path/traversal.go b/internal/wordpress/path/traversal.go
@@ -0,0 +1,54 @@
+package wordpress
+
+import (
+	"context"
+
+	methodwebtest "github.com/Method-Security/methodwebtest/generated/go"
+	utils "github.com/Method-Security/methodwebtest/utils/engines"
+)
+
+var commonExposedPaths = []string{
+	"/xmlrpc.php",                       // Often exploited for brute-force attacks
+	"/wp-config.php",                    // Contains database credentials and secrets
+	"/wp-content/debug.log",             // Can leak sensitive debug info
+	"/wp-includes/",                     // Core WordPress files, can expose version info
+	"/wp-json/",                         // REST API, potential user enumeration
+	"/wp-json/wp/v2/users",              // Enumerate users, especially admin usernames
+	"/wp-json/wp/v2/settings",           // Enumerate settings, potential sensitive information
+	"/wp-json/wp/v2/revisions",          // Enumerate revisions, potential sensitive information
+	"/wp-cron.php",                      // Can be abused for DoS or forced execution
+	"/readme.html",                      // Leaks WordPress version
+	"/.htaccess",                        // Might expose security configurations
+	"/.htpasswd",                        // Can leak password-protected directories
+	"/license.txt",                      // Leaks installation details
+	"/wp-admin/install.php",             // Can be exposed on unconfigured sites
+	"/wp-admin/admin-ajax.php",          // Used in many plugins, potential data leaks
+	"/wp-admin/admin-post.php",          // Can expose admin-related operations
+	"/wp-admin/setup-config.php",        // Can be accessed if setup is incomplete
+	"/wp-config.bak",                    // Backup of wp-config.php, may still have credentials
+	"/wp-config.old",                    // Old versions often left after updates
+	"/wp-content/uploads/db-backup.sql", // Database dump file, may contain sensitive data
+	"/wp-content/uploads/error_log",     // PHP error log, may expose system paths
+	"/wp-sitemap.xml",                   // Can provide a list of indexed URLs for reconnaissance
+	"/wp-content/plugins/wp-file-manager/lib/files/",       // Misconfigured file manager plugin
+	"/wp-admin/admin-ajax.php?action=revslider_show_image", // Revslider LFI vulnerability
+}
+
+func PerformWordpressPathTraversal(ctx context.Context, config *methodwebtest.PathTraversalConfig) *methodwebtest.Report {
+	config.Paths = commonExposedPaths
+	engineConfig := methodwebtest.PathTraversalEngineConfig{
+		Targets:           config.Targets,
+		Paths:             config.Paths,
+		PathFiles:         []string{},
+		ResponseCodes:     config.ResponseCodes,
+		IgnoreBaseContent: config.IgnoreBaseContent,
+		Timeout:           config.Timeout,
+		Retries:           config.Retries,
+		Sleep:             config.Sleep,
+		SuccessfulOnly:    config.SuccessfulOnly,
+		Threshold:         &config.Threshold,
+	}
+	report := utils.RunPathTraversalEngine(ctx, &engineConfig)
+	report.Config = methodwebtest.NewEngineConfigFromPathTraversalEngineConfig(&engineConfig)
+	return report
+}
diff --git a/main.go b/main.go
@@ -15,8 +15,9 @@ func main() {
 	methodwebtest := cmd.NewMethodWebTest(version)
 	methodwebtest.InitRootCommand()
 	methodwebtest.InitGeneralCommand()
-	methodwebtest.InitNginxCommand()
 	methodwebtest.InitApacheCommand()
+	methodwebtest.InitNginxCommand()
+	methodwebtest.InitWordpressCommand()
 
 	if err := methodwebtest.RootCmd.Execute(); err != nil {
 		os.Exit(1)
diff --git a/utils/engines/pathTraversal.go b/utils/engines/pathTraversal.go
@@ -129,6 +129,10 @@ func AnalyzeResponse(request methodwebtest.RequestInfo, validCodes map[int]bool,
 	}
 
 	bodySize := len(*request.ResponseBody)
+	if bodySize == 0 {
+		return false
+	}
+
 	wordCount := len(strings.Fields(*request.ResponseBody))
 	if checkBaseContentMatch {
 		if areSimilar(bodySize, baselineSize, threshold) && areSimilar(wordCount, baselineWords, threshold) {
