Fixes #1642

.rubocop.yml

@@ -15,7 +15,7 @@ Lint/MissingSuper:
 Lint/UriEscapeUnescape:
   Enabled: false
 Metrics/AbcSize:
-  Max: 25
+  Max: 27
 Metrics/BlockLength:
   Exclude:
   - 'spec/**/*'

app/finders/db_exports/known_locations.rb

@@ -40,11 +40,24 @@ module WPScan
         # @return [ Hash ]
         def potential_urls(opts = {})
           urls = {}
+          index = 0
 
-          File.open(opts[:list]).each_with_index do |path, index|
+          File.open(opts[:list]).each do |path|
-            path.gsub!('{domain_name}', domain_name)
+            path.chomp!
 
-            urls[target.url(path.chomp)] = index
+            if path.include?('{domain_name}')
+              urls[target.url(path.gsub('{domain_name}', domain_name))] = index
+
+              if domain_name != domain_name_with_sub
+                urls[target.url(path.gsub('{domain_name}', domain_name_with_sub))] = index + 1
+
+                index += 1
+              end
+            else
+              urls[target.url(path)] = index
+            end
+
+            index += 1
           end
 
           urls
@@ -58,6 +71,25 @@ module WPScan
                            end
         end
 
+        def domain_name_with_sub
+          @domain_name_with_sub ||=
+            if Resolv::AddressRegex.match?(target.uri.host)
+              target.uri.host
+            else
+              parsed = PublicSuffix.parse(target.uri.host)
+
+              if parsed.subdomain
+                parsed.subdomain.gsub(".#{parsed.tld}", '')
+              elsif parsed.domain
+                parsed.domain.gsub(".#{parsed.tld}", '')
+              else
+                target.uri.host
+              end
+            end
+        rescue PublicSuffix::DomainNotAllowed
+          @domain_name_with_sub = target.uri.host
+        end
+
         def create_progress_bar(opts = {})
           super(opts.merge(title: ' Checking DB Exports -'))
         end

spec/app/finders/db_exports/known_locations_spec.rb

@@ -12,7 +12,7 @@ describe WPScan::Finders::DbExports::KnownLocations do
       allow(target).to receive(:sub_dir).and_return(false)
     end
 
-    it 'replaces {domain_name} by its value' do
+    it 'replaces {domain_name} by its values' do
       expect(finder.potential_urls(opts).keys).to eql %w[
         http://ex.lo/aa/ex.sql
         http://ex.lo/aa/wordpress.sql
@@ -27,8 +27,8 @@ describe WPScan::Finders::DbExports::KnownLocations do
       context "when #{sub_domain} sub-domain" do
         let(:url) { "https://#{sub_domain}.domain.tld" }
 
-        it 'replaces {domain_name} by its correct value' do
+        it 'replaces {domain_name} by its correct values' do
-          expect(finder.potential_urls(opts).keys).to include "#{url}/domain.sql"
+          expect(finder.potential_urls(opts).keys).to include "#{url}/domain.sql", "#{url}/#{sub_domain}.domain.sql"
         end
       end
     end
@@ -44,16 +44,22 @@ describe WPScan::Finders::DbExports::KnownLocations do
     context 'when multi-level tlds and sub-domain' do
       let(:url) { 'https://dev.something.com.tr' }
 
-      it 'replaces {domain_name} by its correct value' do
+      it 'replaces {domain_name} by its correct values' do
-        expect(finder.potential_urls(opts).keys).to include 'https://dev.something.com.tr/something.sql'
+        expect(finder.potential_urls(opts).keys).to include(
+          'https://dev.something.com.tr/something.sql',
+          'https://dev.something.com.tr/dev.something.sql'
+        )
       end
     end
 
     context 'when some weird stuff' do
       let(:url) { 'https://098f6bcd4621d373cade4e832627b4f6.aa-bb-ccc-dd.domain-test.com' }
 
-      it 'replaces {domain_name} by its correct value' do
+      it 'replaces {domain_name} by its correct values' do
-        expect(finder.potential_urls(opts).keys).to include "#{url}/domain-test.sql"
+        expect(finder.potential_urls(opts).keys).to include(
+          "#{url}/domain-test.sql",
+          "#{url}/098f6bcd4621d373cade4e832627b4f6.aa-bb-ccc-dd.domain-test.sql"
+        )
       end
     end