بنقرة واحدة
wp-mass-recon
Batch WP recon: users, CORS, XMLRPC, leaks across domains.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Batch WP recon: users, CORS, XMLRPC, leaks across domains.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | wp-mass-recon |
| description | Batch WP recon: users, CORS, XMLRPC, leaks across domains. |
Batch WordPress vulnerability detection pipeline for scanning dozens to hundreds of domains in parallel. Detects WordPress presence, REST API user enumeration, CORS credential reflection, XMLRPC exposure, open registration, and sensitive file leaks in a single pass. Proven on 600+ US company domains across 28 sectors.
subfinder/crt.sh produces a target list and you need to triage.terminal tool with access to the worker container (curl, httpx, python3, jq)./root/output/targets.txt in format domain|company|sector (one per line).parallel_batch.py available or you use the inline commands below.# Phase 1: Live host discovery + tech detection
httpx -silent -l targets.txt -threads 50 -tech-detect -status-code -title -o /root/output/alive.txt
# Phase 2: WP detection, user enum, CORS, XMLRPC (20 workers)
python3 /root/output/recon_us/new_targets/parallel_batch.py /root/output/targets.txt 20
Or run the 4-phase pipeline manually using the commands in Procedure.
| Check | Command | Positive Signal |
|---|---|---|
| WP detection | curl -skI "https://TARGET/wp-login.php" | HTTP 200/301/302 |
| User enum | curl -sk "https://TARGET/wp-json/wp/v2/users" | JSON with id, name, slug |
| CORS | curl -skI "https://TARGET/wp-json/wp/v2/users" -H "Origin: https://evil.com" | Access-Control-Allow-Credentials: true |
| XMLRPC | curl -sk -X POST "https://TARGET/xmlrpc.php" -d '<methodCall><methodName>demo.sayHello</methodName></methodCall>' | Hello! in body |
| Open reg | curl -sk "https://TARGET/wp-login.php?action=register" | Form with user_login field |
| Source leaks | Parallel curl for .env, wp-config.php.bak, .git/config, debug.log, backup.sql | Real content (not SPA catch-all) |
# Generate target list from crt.sh sector keywords
for sector in "landscaping" "roofing" "hvac" "pools" "plumbing"; do
curl -sk "https://crt.sh/?q=%25.${sector}%25&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u >> /root/output/discovered.txt
done
# Filter to unique domains, remove www prefix
cat /root/output/discovered.txt | sed 's/^www\.//' | sort -u > /root/output/unique_domains.txt
# httpx with tech detection, 50 threads
httpx -silent -l /root/output/unique_domains.txt -threads 50 -tech-detect -status-code -title \
-o /root/output/alive.txt
# Parse to URL list
awk '{print $1}' /root/output/alive.txt | grep -E '^https?://' > /root/output/urls.txt
For each live target, run in parallel (20 workers):
while read -r url; do
domain=$(echo "$url" | sed 's|https\?://||')
(
echo "# $domain Findings" > "/root/output/findings/${domain}_findings.md"
# WP detection
wp_code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 10 "$url/wp-login.php")
[[ "$wp_code" =~ ^(200|301|302|403)$ ]] && echo "- WordPress: YES (wp-login: $wp_code)" >> "/root/output/findings/${domain}_findings.md"
# User enumeration
users=$(curl -sk --max-time 10 "$url/wp-json/wp/v2/users" | python3 -c "import sys,json; d=json.load(sys.stdin); print(len(d) if isinstance(d,list) else 0)" 2>/dev/null)
[[ "$users" -gt 0 ]] && echo "- Users exposed: $users" >> "/root/output/findings/${domain}_findings.md"
# CORS credential reflection
cors=$(curl -skI --max-time 10 "$url/wp-json/wp/v2/users" -H "Origin: https://evil.com" 2>/dev/null | grep -i "access-control-allow-credentials: true")
[[ -n "$cors" ]] && echo "- CORS: CREDENTIAL REFLECTION CONFIRMED" >> "/root/output/findings/${domain}_findings.md"
# XMLRPC
xmlrpc=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 10 -X POST "$url/xmlrpc.php" \
-d '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName></methodCall>')
[[ "$xmlrpc" == "200" ]] && echo "- XMLRPC: OPEN" >> "/root/output/findings/${domain}_findings.md"
# Open registration
reg=$(curl -sk --max-time 10 "$url/wp-login.php?action=register" | grep -o 'user_login')
[[ -n "$reg" ]] && echo "- Open Registration: YES" >> "/root/output/findings/${domain}_findings.md"
# Source leaks (parallel)
for path in ".env" "wp-config.php.bak" ".git/config" "debug.log" "backup.sql" "info.php" "phpinfo.php" "wp-config.php~" ".env.backup" ".env.local" "docker-compose.yml" "Dockerfile"; do
leak_code=$(curl -sk -o /dev/null -w "%{http_code}" --max-time 5 "$url/$path")
if [[ "$leak_code" == "200" ]]; then
content=$(curl -sk --max-time 5 "$url/$path" | head -c 500)
# False positive filter: skip SPA catch-alls
if echo "$content" | grep -qiE 'DB_|APP_|_KEY|_SECRET|password|mysql|\[core\]|PHP Version|CREATE TABLE'; then
echo "- Source leak: /$path (VERIFIED)" >> "/root/output/findings/${domain}_findings.md"
fi
fi
done
) &
# Limit to 20 parallel workers
while [[ $(jobs -r | wc -l) -ge 20 ]]; do sleep 0.5; done
done < /root/output/urls.txt
wait
# Generate summary
echo "## Mass Recon Summary" > /root/output/mass_summary.md
echo "" >> /root/output/mass_summary.md
for f in /root/output/findings/*_findings.md; do
domain=$(basename "$f" _findings.md)
criticals=$(grep -c "CRITICAL\|CREDENTIAL REFLECTION\|XMLRPC: OPEN\|Source leak: VERIFIED" "$f" || true)
[[ "$criticals" -gt 0 ]] && echo "- **$domain**: $criticals findings" >> /root/output/mass_summary.md
done
# Rank targets by finding count
grep "^\- \*\*" /root/output/mass_summary.md | sort -t: -k2 -rn | head -20
The production-proven approach uses concurrent.futures.ThreadPoolExecutor with 20 workers. Each worker calls curl via subprocess.run. This is 10x faster than bash while loops.
import concurrent.futures, subprocess, json
def curl_code(url, timeout=8):
cmd = ["curl", "-sk", "-m", str(timeout), "-o", "/dev/null", "-w", "%{http_code}", url]
r = subprocess.run(cmd, capture_output=True, timeout=timeout+5)
return r.stdout.decode().strip()
def test_target(domain):
# Determine protocol
proto = None
for p in ["https", "http"]:
code = curl_code(f"{p}://{domain}/")
if code not in ["000", ""]: proto = p; break
if not proto: return None
# WP detection (v2 strict: check login OR json)
login_code = curl_code(f"{proto}://{domain}/wp-login.php")
json_code = curl_code(f"{proto}://{domain}/wp-json/")
is_wp = login_code not in ["000","404",""] or json_code not in ["000","404",""]
if not is_wp: return {"domain":domain, "is_wp":False}
score = 1 # WordPress detected
findings = ["wordpress"]
# Users (v2 pattern: parse JSON, check list length)
body, _ = curl_raw(f"{proto}://{domain}/wp-json/wp/v2/users")
try:
data = json.loads(body.decode())
if isinstance(data, list) and len(data) > 0:
findings.append(f"wp_users_{len(data)}")
score += 2
except: pass
# CORS (v2 pattern: explicit -I header check)
cmd = ["curl","-sk","-m","8","-I","-H","Origin: https://evil.com",
f"{proto}://{domain}/wp-json/wp/v2/users"]
r = subprocess.run(cmd, capture_output=True, timeout=10)
hdrs = r.stdout.decode().lower()
acao = [l.split(":",1)[1].strip() for l in hdrs.split('\n') if 'access-control-allow-origin:' in l]
acac = [l.split(":",1)[1].strip() for l in hdrs.split('\n') if 'access-control-allow-credentials:' in l]
if acao and "evil.com" in acao[0] and acac and acac[0] == "true":
findings.append("cors_credentialed")
score += 3
# XMLRPC (v2 pattern: system.listMethods, check for multicall string)
xml = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>'
body, _ = curl_raw(f"{proto}://{domain}/xmlrpc.php", method="POST", data=xml)
txt = body.decode()
if "system.multicall" in txt:
findings.append("xmlrpc_multicall")
score += 3
elif "methodName" in txt:
findings.append("xmlrpc_active")
# Open registration (v2 pattern: three-string check avoids false positives)
body, _ = curl_raw(f"{proto}://{domain}/wp-login.php?action=register")
rt = body.decode().lower()
if "register" in rt and "user_login" in rt and "wp-submit" in rt:
findings.append("registration_open")
score += 2
# Severity (v2 thresholds: >=8 CRITICAL, >=5 HIGH, >=3 MEDIUM, >=1 LOW)
if score >= 8: severity = "CRITICAL"
elif score >= 5: severity = "HIGH"
elif score >= 3: severity = "MEDIUM"
elif score >= 1: severity = "LOW"
else: severity = "NONE"
return {"domain":domain, "severity":severity, "score":score, "findings":findings}
# Run with ThreadPoolExecutor
targets = [(d.strip(), s.strip()) for line in open("targets.txt") if (p := line.split("|")) and (d:=p[0]) and (s:=p[-1] if len(p)>2 else "unknown")]
with concurrent.futures.ThreadPoolExecutor(max_workers=20) as ex:
futures = {ex.submit(test_target, t[0]): t for t in targets}
for f in concurrent.futures.as_completed(futures):
r = f.result()
if r and r.get("score",0) > 0:
print(f"[{r['severity']:>8}] {r['domain']:40s} | {r['score']:2d} | {', '.join(r['findings'])}")
.env has DB_/APP_/_KEY/_SECRET patterns; .git/config has [core]; SQL files have CREATE TABLE/INSERT INTO. Skip bodies with <html or <script in first 100 chars.curl -sk --http1.0 "https://TARGET/wp-json/..."/blog/, /magical/, /wp/ in addition to root. wines.com has /magical/ with separate, more vulnerable WP install.system.listMethods (not just HTTP 200) — look for <string> tags in response XML.?action=register without actually allowing registration. The v2 check requires ALL THREE strings: register + user_login + wp-submit.| Finding | Frequency | Best Sector |
|---|---|---|
| WP user enumeration | ~9% (55/600) | Landscaping, Law Firms |
| Sensitive files (3+) | ~7% (41 sites) | Auto Body, Window Cleaning |
| CORS credential reflection | ~3.3% (20+ sites) | Law Firms, Real Estate |
| XMLRPC system.multicall | ~1.7% (10+ sites) | HVAC, Landscaping |
| PHPInfo/info.php exposed | ~1.7% (~10 sites) | Dental, Gyms |
| MySQL 3306 exposed | 0.17% (1 site) | Healthcare SaaS |
WordPress = 36.5% of all US SMB targets. All CORS/XMLRPC vulns occur EXCLUSIVELY on WordPress.
Access-Control-Allow-Credentials: true in curl -I response headers.system.listMethods response containing <string> method names.