一键导入
attack-patterns-reference
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
7-phase pentest pipeline from passive recon to exploitation.
4-phase pipeline for max findings per minute across batches.
| name | attack-patterns-reference |
| description | Catalog: 25 attacks, 18 WP, 8 CORS to match findings. |
| version | 1.1.0 |
| author | uphiago |
| license | MIT |
| metadata | {"tags":["meta","reference","patterns","bypass","catalog"],"category":"meta","related_skills":["wp-mass-recon","cors-credential-wordpress","xmlrpc-exploitation","cross-attack-chains","deep-invade","error-log-mining","source-leak-hunt","phpinfo-to-rce","port-service-discovery","js-secrets-extraction","staging-subdomain-hunt","subdomain-enumeration","wordpress-plugin-hunt","web-enumeration"]} |
Comprehensive reference catalog of 25 attack patterns (P-01 through P-25), 18 WordPress abuse patterns (WP-01 through WP-18), and 8 CORS bypass variants (V1 through V8). Distilled from 600+ targets across 28 sectors and 9 waves of reconnaissance. Use this as a lookup table when you encounter a specific scenario and need the right technique.
cross-attack-chains skill needs the raw pattern catalog.wp-mass-recon — match findings to pattern IDs for structured reporting.This is a reference skill — it has no executable commands. Load it alongside any recon or chain skill to identify which attack patterns match your findings. Match pattern IDs from your findings report (e.g., "P-02 confirmed") against the catalog below to find exploitation paths, related patterns, and real-world examples.
security-arsenal skill for actual payloads.See the Pattern Catalog below for the full P-01 through P-25 attack pattern index with detection commands, frequency, severity ratings, and exploitation guidance. The WordPress Abuse Patterns (WP-01 to WP-18) table provides exact curl commands for each pattern. The CORS Bypass Variants (V1 to V8) table tracks confirmed targets across waves.
This is a reference skill with no executable commands:
cross-attack-chains.| ID | Pattern | Severity | Skill |
|---|---|---|---|
| P-01 | WP REST API User Enumeration | Medium | wp-mass-recon |
| P-02 | CORS Origin Reflection + Credentials | Critical | cors-credential-wordpress |
| P-03 | CORS Null Origin Trust | High | cors-credential-wordpress |
| P-04 | CORS Wildcard (No Credentials) | Info | cors-credential-wordpress |
| P-05 | CORS Credentialed Preflight Bypass | High | cors-credential-wordpress |
| P-06 | CORS on Auth-Protected Endpoints | Critical | cors-credential-wordpress |
| P-07 | XMLRPC system.multicall Brute Force | High | xmlrpc-exploitation |
| P-08 | XMLRPC pingback.ping SSRF | High | xmlrpc-exploitation |
| P-09 | XMLRPC IMDS Role Guessing | Critical | xmlrpc-exploitation |
| P-10 | Open Registration → Upload → RCE | Critical | xmlrpc-exploitation + phpinfo-to-rce |
| P-11 | Plugin REST Namespace Brute Force | Variable | wordpress-plugin-hunt |
| P-12 | Yoast Author Sitemap Enumeration | Low | wp-mass-recon |
| P-13 | Staging Weaker Security | Variable | staging-subdomain-hunt |
| P-14 | Staging WordPress Install Pages | Critical | staging-subdomain-hunt |
| P-15 | Error Log Credential Mining | High-Critical | error-log-mining |
| P-16 | PHPInfo Exec Function Check | High | phpinfo-to-rce |
| P-17 | Source Leak Mass Scan | Critical | source-leak-hunt, web-enumeration |
| P-18 | JS Bundle Secret Extraction | Critical | js-secrets-extraction |
| P-19 | MySQL Port 3306 Public | Critical | port-service-discovery |
| P-20 | Internal Microservice Ports Exposed | High | port-service-discovery + api-noauth-hunt |
| P-21 | WooCommerce API Presence | Medium | wordpress-plugin-hunt |
| P-22 | Elementor 500 Leak | Medium | wordpress-plugin-hunt |
| P-23 | Same-Hosting Clustering | Variable | recon-playbook |
| P-24 | IAM Role Brute Force via SSRF | Critical | xmlrpc-exploitation |
| P-25 | WP CORS on ALL REST Endpoints | Critical | cors-credential-wordpress |
Full descriptions, commands, and exploitation paths: references/p-patterns.md
| ID | Pattern | Exact Command | Skill |
|---|---|---|---|
| WP-01 | Direct REST user enum | curl -sk "https://TARGET/wp-json/wp/v2/users" | jq '.[] | {id,name,slug}' | wp-mass-recon |
| WP-02 | Auth user info leak | curl -sk "https://TARGET/wp-json/wp/v2/users?context=edit" | cors-credential-wordpress |
| WP-03 | Yoast sitemap author leak | curl -sk "https://TARGET/author-sitemap.xml" | wp-mass-recon |
| WP-04 | XMLRPC method enum | curl -sk -X POST "https://TARGET/xmlrpc.php" -H "Content-Type: text/xml" -d '<methodCall><methodName>system.listMethods</methodName></methodCall>' | xmlrpc-exploitation |
| WP-05 | XMLRPC multicall BF | POST with <methodName>system.multicall</methodName> containing 100+ wp.getUsers calls (1000x amplification) | xmlrpc-exploitation |
| WP-06 | XMLRPC pingback SSRF | POST <methodName>pingback.ping</methodName> targeting IMDS/localhost | xmlrpc-exploitation |
| WP-07 | Open registration check | curl -sk "https://TARGET/wp-login.php?action=register" | grep -c "user_login" (must also match "register" + "wp-submit") | wp-mass-recon |
| WP-08 | Plugin namespace discovery | Brute-force 40+ REST namespaces (/wp-json/{plugin}/v1/) | wordpress-plugin-hunt |
| WP-09 | Plugin version via readme | curl -sk "https://TARGET/wp-content/plugins/PLUGIN/readme.txt" | grep "Stable tag" | wordpress-plugin-hunt |
| WP-10 | Plugin directory listing | curl -sk "https://TARGET/wp-content/plugins/PLUGIN/" | wordpress-plugin-hunt |
| WP-11 | Staging takeover | curl -sk "https://staging.TARGET/wp-admin/install.php" (check for "WordPress" + "installation" in body) | staging-subdomain-hunt |
| WP-12 | Debug log exposure | curl -sk "https://TARGET/wp-content/debug.log" | error-log-mining |
| WP-13 | Backup file discovery | curl -sk "https://TARGET/backup.sql" (verify DDL/DML content, not SPA catch-all) | source-leak-hunt |
| WP-14 | Site Health endpoint | curl -sk "https://TARGET/wp-json/wp-site-health/v1" | deep-invade |
| WP-15 | ACF plugin field probe | curl -sk -o /dev/null -w "%{http_code}" "https://TARGET/wp-json/acf/v3" | wordpress-plugin-hunt |
| WP-16 | Redirection plugin log | curl -sk -o /dev/null -w "%{http_code}" "https://TARGET/wp-json/redirection/v1/log" | error-log-mining |
| WP-17 | SolidWP Mail log export | curl -sk -o /dev/null -w "%{http_code}" "https://TARGET/wp-json/solidwp-mail/v1/logs" | wordpress-plugin-hunt |
| WP-18 | Gravity Forms API | curl -sk "https://TARGET/wp-json/gf/v2/" | wordpress-plugin-hunt |
| ID | Variant | Detection | Exploitability | Confirmed Target | Wave |
|---|---|---|---|---|---|
| V1 | Origin reflection + creds | ACAO: evil.com + ACAC: true | Critical — full credentialed cross-origin read | yardcare.com, restonic.com, toolking.com, wines.com | W1-W9 |
| V2 | Null origin reflection | ACAO: null + ACAC: true | High — sandboxed iframe bypass | familydental.com | W6 |
| V3 | Wildcard no creds | ACAO: * (no creds) | Info only — public data, no cookies | patientportal.com, nothingbundtcakes.com, autobell.com | W5 |
| V4 | Credentialed preflight | OPTIONS returns ACAC + valid origin | High — GET bypass when OPTIONS works | Multiple WP endpoints | W8 |
| V5 | Auth-endpoint CORS | CORS on endpoints returning 401/403 | Critical — cookie theft even from auth-gated APIs | restonic.com gf/v2 (401 but ACAO+ACAC reflect) | W7 |
| V6 | Multi-origin reflection | Any origin reflected | Critical — broadest attack surface | realpro.com | W6 |
| V7 | Plugin-specific CORS | CORS only on plugin namespace (not wp/v2) | Medium — plugin data only | defy.com gravity-pdf/v1 | W5 |
| V8 | Staging-only CORS | Production no CORS, staging reflects | Medium — dependent on staging access | staging.biglots.com | W5 |
moldmedics.com (Wave6): ACAO reflects https://octaneforms.com — NOT evil.com. Indicates misconfigured third-party integration where the server hardcodes the wrong origin. Not directly exploitable but signals poor CORS hygiene and potential for exploitation of the third-party service instead.
Law Firms (25%):
Pest Control (20%):
Landscaping (20-26%):
Pool Services (20-25%):
Dental Clinics (15%), Gyms (15%), Real Estate (15%), Roofing (15-18%), HVAC/Plumbing (14%), Auto Repair (11%), Photography (10%), Funeral Homes (10%): Funeral homes: WordPress + user enum (funeralwise.com: 7 users, memorialplanning.com: 4 users). CRUD at rest.
Car Dealerships (0%), Furniture Retail (0%), Insurance (0%), Travel Agencies (0%): Furniture retail: 11/15 major brands (Ashley, Wayfair, Crate&Barrel, Pottery Barn) behind Cloudflare/WAF returning 403/429. Only smaller brands (bassettfurniture.com, cityfurniture.com) alive — both clean.
| Wave | Date | New Techniques | Key Discovery |
|---|---|---|---|
| 1-3 | Early | WP-01, WP-04, P-02 | WordPress + CORS is epidemic |
| 4 | Mid | 13 sector recon skills | Standardized skill format |
| 5 | Mid | P-13, P-18, P-11 | Staging is the soft underbelly |
| 6 | Late | P-08 (SSRF confirmed), P-15 | Error logs = treasure maps |
| 7 | Late | P-09 (IMDS guessing), P-12 | Deep probes beat surface scans |
| 8 | Late | P-14 (install pages), P-22 | Forgotten installs = free real estate |
| 9 | Mid | P-01 through P-25 catalogued | 25 patterns, 18 WP patterns, 8 CORS variants |
cross-attack-chains for combining patterns.| Chain | Steps | Severity | Targets Confirmed | Difficulty |
|---|---|---|---|---|
| CORS Phishing | CORS → browser PoC → data exfil | HIGH | 20+ targets | Trivial |
| CORS + User Enum → ATO | CORS → user list → spear-phish → admin hijack | HIGH-CRIT | 5 deep targets | Easy |
| XMLRPC multicall BF | multicall → 1000x brute → WP admin | HIGH | 10+ targets | Easy |
| SSRF → IMDS → AWS creds | pingback → IMDSv1 → IAM role → AWS takeover | CRITICAL | biglots staging, realpro | Medium |
| Open Reg → Upload → RCE | register → wp.uploadFile → webshell → shell_exec | CRITICAL | wines.com | Medium |
| CORS + Plugin CVE → RCE | CORS discover plugin → version detect → CVE exploit | CRITICAL | toolking.com SliderRev | Medium |
| Error Log → Creds → Admin | error_log mine → DB creds → WP admin login | HIGH | wines.com | Medium |
| Staging Takeover | crt.sh subdomain → install.php 200 → site seize | CRITICAL | biglots staging | Medium |
| MySQL Open + CORS | 3306 scan → brute MySQL → dump + API exfil | CRITICAL | patientportal.com | Easy |
| Yoast Sitemap + XMLRPC | author-sitemap.xml → user enum → XMLRPC BF → admin | HIGH | multiple | Medium |
.git/config content./sliderrevolution/v1/ AND /revslider/v1/.REQUEST_DENIED in Wave7). Only useful for footprinting, not exploitation./gf/v2/forms returning entries are over.