This template is designed to detect a misconfiguration vulnerability in WordPress themes that use the Haberadam JSON API. This vulnerability can lead to an Insecure Direct Object Reference (IDOR) and path disclosure, potentially exposing sensitive information.
PoC代码[已公开]
id: wp-haberadam-idor
info:
name: WordPress Themes Haberadam JSON API - IDOR and Path Disclosure
author: pussycat0x
severity: low
description: This template is designed to detect a misconfiguration vulnerability in WordPress themes that use the Haberadam JSON API. This vulnerability can lead to an Insecure Direct Object Reference (IDOR) and path disclosure, potentially exposing sensitive information.
reference:
- https://cxsecurity.com/issue/WLB-2021090078
metadata:
max-request: 2
google-query: inurl:/wp-content/themes/haberadam/
tags: wordpress,idor,wp-theme,disclosure,vuln
http:
- method: GET
path:
- '{{BaseURL}}/wp-content/themes/haberadam/api/mobile-info.php?id='
- '{{BaseURL}}/blog/wp-content/themes/haberadam/api/mobile-info.php?id='
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"status"'
- '"hava"'
- '"degree"'
- '"icon"'
condition: and
- type: status
status:
- 200
- type: word
part: header
words:
- text/html
# digest: 4a0a004730450220213741c535e11efa7cf688564497741a964bb2e68fea651ee157170efb5cf46f022100cdd56afc9915c099496a472584991d43e41adcc26de2f40f54c5b3e8ac124598:922c64590222798bb761d5b6d8e72950