Add wordlists for enumerating WordPress plugin/theme directories #11862

Merged
merged 5 commits into from Jun 3, 2019

6 participants
@NoodleOfDeath
Contributor

commented May 20, 2019

This file is useful for enumerating WordPress plugin directories located at wp/wp-content/plugins and theme directories located at wp/wp-content/themes

Verification

  • Run in terminal: dirb http://target:port/path/to/wordpress/wp-content/plugins /usr/share/metasploit-framework/data/wordlists/wp-plugins.txt
  • Run in terminal: dirb http://target:port/path/to/wordpress/wp-content/themes /usr/share/metasploit-framework/data/wordlists/wp-themes.txt
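
From the defender's side, the dirb runs above appear in web-server logs as one client requesting many distinct slugs under wp-content/plugins or wp-content/themes and mostly receiving 404. The following is an added example, not part of this pull request, that flags that pattern; the function names, the threshold and the log lines are constructed for illustration and assume common log format.

```bash
#!/bin/bash
# Constructed sample data: access-log lines in common log format.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [03/Jun/2019:10:00:00 +0000] "GET /blog/wp-content/plugins/akismet/ HTTP/1.1" 200 512
192.0.2.10 - - [03/Jun/2019:10:00:00 +0000] "GET /blog/wp-content/plugins/wp-forum/ HTTP/1.1" 404 153
192.0.2.10 - - [03/Jun/2019:10:00:01 +0000] "GET /blog/wp-content/plugins/sample-slug-a/ HTTP/1.1" 404 153
192.0.2.10 - - [03/Jun/2019:10:00:01 +0000] "GET /blog/wp-content/plugins/sample-slug-b/ HTTP/1.1" 404 153
192.0.2.10 - - [03/Jun/2019:10:00:01 +0000] "GET /blog/wp-content/plugins/sample-slug-b/ HTTP/1.1" 404 153
192.0.2.10 - - [03/Jun/2019:10:00:02 +0000] "GET /blog/wp-content/plugins/sample-slug-c/ HTTP/1.1" 404 153
192.0.2.10 - - [03/Jun/2019:10:00:02 +0000] "GET /blog/wp-content/themes/sample-theme-a/ HTTP/1.1" 404 153
192.0.2.10 - - [03/Jun/2019:10:00:03 +0000] "GET /blog/wp-content/themes/sample-theme-b/ HTTP/1.1" 404 153
198.51.100.7 - - [03/Jun/2019:10:00:05 +0000] "GET /blog/wp-content/plugins/akismet/style.css HTTP/1.1" 200 900
198.51.100.7 - - [03/Jun/2019:10:00:06 +0000] "GET /blog/wp-content/plugins/akismet/old.js HTTP/1.1" 404 153
EOF
}

# Read log lines on stdin and print "client count" for every client that
# requested at least $1 (default 5) distinct plugin/theme slugs answered 404.
detect_wp_enum() {
  awk -v min="${1:-5}" '
    # Whitespace-split fields: $1 client, $7 request path, $9 status code.
    # The pattern is not anchored, so WordPress under a sub-path is covered.
    $9 == 404 && match($7, "/wp-content/(plugins|themes)/[^/?]+") {
      key = $1 SUBSEP substr($7, RSTART, RLENGTH)
      # Count each client/slug pair once so retries do not inflate the score.
      if (!(key in seen)) { seen[key] = 1; distinct[$1]++ }
    }
    END {
      for (ip in distinct)
        if (distinct[ip] >= min) print ip, distinct[ip]
    }
  ' | sort
}

sample_log | detect_wp_enum 5   # prints: 192.0.2.10 6
```

Counting distinct slugs rather than raw 404s keeps a visitor who repeatedly hits one missing asset below the threshold.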

@NoodleOfDeath NoodleOfDeath changed the title Added word list for enumerating WordPress plugin directories Added wordlist for enumerating WordPress plugin directories May 20, 2019

@bcoles

Contributor

commented May 20, 2019

Where is this list from? Is it licensed?

@NoodleOfDeath

Contributor Author

commented May 20, 2019

I retrieved most of this list from http://hacks.rocks/wordpress-plugin-wordlist/, added in wp-forum, and intend to add more.

@NoodleOfDeath

Contributor Author

commented May 23, 2019

Perhaps if I generated my own list by hand, this would not be an issue?

@wchen-r7

Contributor

commented May 24, 2019

Let me leave a comment on that page and see if the author responds :-)

@wchen-r7

Contributor

commented May 24, 2019

Waiting for a reply:

[Image: Screen Shot 2019-05-24 at 10 37 46 AM]

@NoodleOfDeath

Contributor Author

commented May 24, 2019

I actually commented myself as well a few days ago; I may try directly emailing the user.
[Image: Screenshot-2019-5-24 Wordpress Plugin Wordlist – hacks rocks]

@FireFart

Contributor

commented May 24, 2019

No need for copyright stuff. Just parse these two repos for the slugs:
https://plugins.svn.wordpress.org/
https://themes.svn.wordpress.org/

PS: this list will not include paid plugins, only open source ones

@NoodleOfDeath NoodleOfDeath changed the title Added wordlist for enumerating WordPress plugin directories Added wordlists for enumerating WordPress plugin/theme directories May 24, 2019

@NoodleOfDeath

Contributor Author

commented May 25, 2019

Updated the files to reflect the lists provided publicly by WordPress, removing the possibility of infringing copyrights. Both lists can be used to enumerate plugin and theme directories.

@h00die

Contributor

commented May 25, 2019

It would be a good idea to post the code here so it could be replicated in the future. See #11199 (comment) as an example

@NoodleOfDeath

Contributor Author

commented May 28, 2019

The following bash script can be used to generate/update these wordlists when run in the metasploit-framework root directory:

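#!/bin/bash

# Print the directory names (slugs) listed on an SVN index page. Each
# directory entry is an <a> element whose link text ends in "/".
parse() {
  # Portable ERE kept in a variable: bash's =~ has no non-greedy ".*?".
  local re='<a[^>]*>([^<]*)/</a>'
  curl -s "$1" | while IFS="" read -r p; do
    if [[ $p =~ $re ]]; then
      echo "${BASH_REMATCH[1]}"
    fi
  done
}

parse https://plugins.svn.wordpress.org > data/wordlists/wp-plugins.txt
parse https://themes.svn.wordpress.org > data/wordlists/wp-themes.txt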

@NoodleOfDeath NoodleOfDeath changed the title Added wordlists for enumerating WordPress plugin/theme directories Add wordlists for enumerating WordPress plugin/theme directories May 28, 2019

@wchen-r7

Contributor

commented May 30, 2019

Ok, looks like this is good to go? I can land this?

@wchen-r7 wchen-r7 self-assigned this May 30, 2019

@NoodleOfDeath

Contributor Author

commented May 30, 2019

I am happy with it if you are!

@wchen-r7 wchen-r7 merged commit 22e8d34 into rapid7:master Jun 3, 2019

3 checks passed

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

@wchen-r7

Contributor

commented Jun 3, 2019

Release Notes

Wordlists for WordPress plugin/theme directories are now available.

msjenkins-r7 added a commit that referenced this pull request Jun 3, 2019

Land #11862, wordlists for wordpress plugin/theme directories
Add wordlists for enumerating WordPress plugin/theme directories

@NoodleOfDeath NoodleOfDeath deleted the NoodleOfDeath:data/wordlists/wp-plugins branch Jun 3, 2019
