wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

Is this possible with WPScan? - Media enumeration #172

Closed rubybooby closed 7 years ago

rubybooby commented 11 years ago

Is it possible to find the links of files stored in the "Media" section of a WordPress site with WPScan?

erwanlr commented 11 years ago

Not at this time

However, if the uploads directory is viewable (which seems to be the default behavior), it's possible to get all the links

erwanlr commented 11 years ago

The problem is, what to do when the list of found files is huge? Output them anyway, write them to a file, etc.?

ethicalhack3r commented 11 years ago

I think directory listing would have to be enabled on the server? Even then, is knowing the location of all the media a security issue? I don't think many people would upload anything sensitive via the media upload.

erwanlr commented 11 years ago

Some files can be very interesting (like accounts import & etc ;p, yes very stupid to upload that, but I've seen it more than once xD)

Furthermore, sometimes theme files are uploaded there.

My idea was to put this feature as an enumeration option

rubybooby commented 11 years ago

Okay, so yes. How would I find the uploads directory? Or know if it's viewable or not? If the list is huge, I'd output them anyway as long as I could see them.

I just want to see the media uploaded "via media upload", yes.

ethicalhack3r commented 11 years ago

related: http://blog.whitehatsec.com/information-leakage-in-wordpress/

anantshri commented 11 years ago

Some simple info: if the attachment is not linked to a post, then site/?attachment_id= is 200 OK; if the attachment is linked to a post/page that is available online, then the response is 301; if the attachment is not online, then 404.

should be easy to implement on the wp-scan system.

anantshri commented 11 years ago

Also, if the post is in draft but the attachment is added to the post, then 404 is received, or 301 if the post has a canonical name.

anantshri commented 11 years ago

python code to perform the same https://github.com/anantshri/script-collection/blob/master/wordpress_attachment.py you may want to source it into ruby.

fgeek commented 11 years ago

Please note that nacin has commented on http://blog.whitehatsec.com/information-leakage-in-wordpress/; in short:

If you upload a file to an unpublished post, ?attachment_id=123 will only work if you are logged in and have the ability to edit that post. Otherwise, you'll get a 404. Very simply, ?attachment_id=123 is not something you can use to look for attachments stuck in limbo while their parent posts remain private. It just doesn't work.

Please also note that if directory indexing is enabled on the web server, all uploads will be shown with direct URLs, for example in:

wp-content/uploads/2013/06/

anantshri commented 11 years ago

As I already stated here http://blog.anantshri.info/mission-attachment-protection, if there is a media file uploaded but not linked to a post, then this method can reveal the attachment, and a publicly accessible URL is also provided.

PoC https://github.com/anantshri/script-collection/blob/master/wordpress_attachment.py is already tested on a local installation.
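The status-code probing anantshri describes above (200 for an unlinked attachment, 301 for one attached to a published post, 404 otherwise, including nacin's draft-post case), written as a Ruby enumerator in the spirit of the "source it into ruby" request. This is an added example, not WPScan's code nor anantshri's script; `AttachmentProbe`, the `fetcher` callable and the `FAKE_RESPONSES` table for example.com are all constructed for illustration.

```ruby
require 'net/http'
require 'uri'

# Enumerate WordPress media attachments by probing ?attachment_id=N and
# classifying the response the way the thread describes (example code,
# not part of WPScan):
#   200      -> attachment exists but is not linked to a published post
#   301/302  -> attachment belongs to a published post; the Location
#               header points at the attachment page
#   404      -> nothing visible to an anonymous client: no such attachment,
#               or its parent post is still unpublished (nacin's caveat)
class AttachmentProbe
  Result = Struct.new(:id, :status, :location, :kind)

  # fetcher: any callable taking a URI and returning [status_code, location].
  # Defaults to a real HEAD request; the demo below injects a fake instead.
  def initialize(base_url, fetcher: nil)
    @base = URI(base_url)
    @fetcher = fetcher || method(:head_request)
  end

  def probe(id)
    uri = @base.dup
    uri.query = "attachment_id=#{Integer(id)}"
    status, location = @fetcher.call(uri)
    Result.new(id, status, location, classify(status))
  end

  # Probe a range of IDs and keep only those that reveal an attachment.
  def enumerate(ids)
    ids.map { |id| probe(id) }.reject { |r| r.kind == :not_found }
  end

  private

  def classify(status)
    case status
    when '200'        then :unlinked_attachment
    when '301', '302' then :linked_attachment
    when '404'        then :not_found
    else                   :other
    end
  end

  def head_request(uri)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
      http.head(uri.request_uri)
    end
    [res.code, res['Location']]
  end
end

# Constructed responses standing in for a real site (hypothetical host);
# any ID not listed here answers 404.
FAKE_RESPONSES = {
  1 => ['301', 'http://example.com/hello-world/sample-image/'], # attached to a published post
  2 => ['200', nil],                                             # uploaded, never attached
  3 => ['404', nil],                                             # missing or draft parent
}.freeze

FAKE_FETCHER = lambda do |uri|
  id = Integer(uri.query[/attachment_id=(\d+)/, 1])
  FAKE_RESPONSES.fetch(id, ['404', nil])
end

if __FILE__ == $PROGRAM_NAME
  probe = AttachmentProbe.new('http://example.com/', fetcher: FAKE_FETCHER)
  probe.enumerate(1..5).each do |r|
    puts "#{r.id}: #{r.status} #{r.kind} #{r.location}"
  end
end
```

Against a live site, drop the `fetcher:` argument and pass the blog's base URL; a 404 must be read as "not visible to this client", not "does not exist", since an attachment whose parent post is still a draft answers 404 to anonymous requests.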

erwanlr commented 10 years ago

(Title updated)

SECURITI commented 10 years ago

Would love to implement this into the code base!

pvdl commented 9 years ago

Google Dork: inurl:/wp-content/uploads intitle:Index

firefart commented 9 years ago

WPScan already checks for a browsable uploads directory
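The browsable-uploads case raised by erwanlr and fgeek above, as an added example of what such a check looks like when it also harvests the links: it confirms the "Index of" listing and walks the year/month subdirectories to collect direct file URLs. This is example code, not WPScan's own check; `UploadsListing`, the `fetcher` callable and the `FAKE_PAGES` listings for example.com are constructed for illustration.

```ruby
require 'net/http'
require 'uri'

# Detect a browsable wp-content/uploads directory and walk its autoindex
# listing (Apache "Index of" style) to collect direct file URLs.
# Example code written for this thread, not WPScan's own check.
class UploadsListing
  INDEX_TITLE = %r{<title>\s*Index of\s+[^<]*</title>}i
  HREF        = /<a\s+[^>]*href="([^"]+)"/i

  # fetcher: callable taking a URI and returning [status_code, body].
  def initialize(fetcher: nil)
    @fetcher = fetcher || method(:get_request)
  end

  # True only for a 200 whose page is a directory index; 403 (Options
  # -Indexes) and 404 both come back false.
  def browsable?(uri)
    status, body = @fetcher.call(uri)
    status == '200' && !(body.to_s =~ INDEX_TITLE).nil?
  end

  # Every file URL reachable from the listing, recursing into
  # subdirectories (year/month folders) up to `depth` levels.
  def files(uri, depth = 3)
    status, body = @fetcher.call(uri)
    return [] unless status == '200' && body.to_s =~ INDEX_TITLE

    body.scan(HREF).flatten.each_with_object([]) do |href, acc|
      next if href.start_with?('?', '/', '..') # column-sort and parent links
      child = uri + href                         # resolve relative to the listing
      if href.end_with?('/')
        acc.concat(files(child, depth - 1)) if depth > 0
      else
        acc << child.to_s
      end
    end
  end

  private

  def get_request(uri)
    res = Net::HTTP.get_response(uri)
    [res.code, res.body]
  end
end

# Constructed autoindex pages for a hypothetical host; anything else is 404.
UPLOADS = URI('http://example.com/wp-content/uploads/')
FAKE_PAGES = {
  'http://example.com/wp-content/uploads/' => <<~HTML,
    <html><head><title>Index of /wp-content/uploads</title></head><body>
    <h1>Index of /wp-content/uploads</h1>
    <a href="?C=N;O=D">Name</a> <a href="/wp-content/">Parent Directory</a>
    <a href="2013/">2013/</a>
    <a href="accounts-import.csv">accounts-import.csv</a>
    </body></html>
  HTML
  'http://example.com/wp-content/uploads/2013/' => <<~HTML,
    <html><head><title>Index of /wp-content/uploads/2013</title></head><body>
    <a href="/wp-content/uploads/">Parent Directory</a>
    <a href="06/">06/</a>
    </body></html>
  HTML
  'http://example.com/wp-content/uploads/2013/06/' => <<~HTML,
    <html><head><title>Index of /wp-content/uploads/2013/06</title></head><body>
    <a href="/wp-content/uploads/2013/">Parent Directory</a>
    <a href="photo.jpg">photo.jpg</a>
    <a href="custom-theme.zip">custom-theme.zip</a>
    </body></html>
  HTML
}.freeze

FAKE_UPLOADS_FETCHER = lambda do |uri|
  body = FAKE_PAGES[uri.to_s]
  body ? ['200', body] : ['404', '']
end

if __FILE__ == $PROGRAM_NAME
  listing = UploadsListing.new(fetcher: FAKE_UPLOADS_FETCHER)
  puts "browsable: #{listing.browsable?(UPLOADS)}"
  listing.files(UPLOADS).each { |url| puts url }
end
```

The parent-directory and sort-column links are skipped by prefix rather than by text, so the walk stays inside the uploads tree; the `depth` limit keeps a mis-configured listing with self-referencing links from looping.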

erwanlr commented 7 years ago

-e m in v3; a range can also be provided: -e m2-10: https://github.com/wpscanteam/wpscan-v3/blob/master/app/controllers/enumeration/cli_options.rb#L26