From b4655e7d5a69c5d4a401f3fea09865ee803faf60 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer
Date: Mon, 24 Sep 2012 14:39:05 +0200
Subject: [PATCH] locate searchreplacedb2.php. this file reads database credentials
---
 lib/wpscan/wp_target.rb | 11 +++++++++++
 wpscan.rb | 4 ++++
 2 files changed, 15 insertions(+)
diff --git a/lib/wpscan/wp_target.rb b/lib/wpscan/wp_target.rb
index 934f588e..3c4937f6 100644
--- a/lib/wpscan/wp_target.rb
+++ b/lib/wpscan/wp_target.rb
@@ -123,6 +123,17 @@ class WpTarget
 @uri.merge("#{wp_content_dir()}/debug.log").to_s
 end
 
+ # Script for replacing strings in wordpress databases
+ # reveals databse credentials after hitting submit
+ def search_replace_db_2_url
+ @uri.merge("searchreplacedb2.php").to_s
+ end
+
+ def search_replace_db_2_exists?
+ resp = Browser.instance.get(search_replace_db_2_url)
+ resp.status == 200 && resp.body[%r{by interconnect}i]
+ end
+
 # Should check wp-login.php if registration is enabled or not
 def registration_enabled?
 # TODO
diff --git a/wpscan.rb b/wpscan.rb
index 4d7c6897..985acc66 100755
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -131,6 +131,10 @@ begin
 puts red("[!] A wp-config.php backup file has been found '#{file_url}'")
 end
 
+ if wp_target.search_replace_db_2_exists?
+ puts red("[!] searchreplacedb2.php has been found '#{wp_target.search_replace_db_2_url}'")
+ end
+
 if wp_target.has_malwares?
 malwares = wp_target.malwares
 puts red("[!]") + " #{malwares.size} malware(s) found :"
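Review bot: `search_replace_db_2_exists?` returns the matched String (or nil/false) rather than a boolean, and its only fingerprint is the loose phrase `by interconnect` on any 200 response, so a host that answers unknown paths with a 200 page containing that phrase would be reported as a finding. I would normalise the result, `resp.status == 200 && !!(resp.body =~ /by interconnect/i)`, and add a comment above the predicate such as `# Passive check: fetches the landing page only, never submits the form`. Separately, `@uri.merge("searchreplacedb2.php")` resolves against the last path segment of `@uri`, so the check presumably relies on `@uri` ending in a slash; that normalisation is not visible in this hunk. The enclosing class WpTarget starts and ends outside the hunk.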
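Review bot: The new warning in wpscan.rb names the file but not why it matters, so someone reading the scan output cannot tell the severity of this finding without looking up the script. The commit message says the script reads database credentials, and the output line should carry that, e.g. `puts red("[!] searchreplacedb2.php has been found '#{wp_target.search_replace_db_2_url}' - it can expose database credentials and should be removed")`. The surrounding `begin` block starts and ends outside the hunk.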