# Exposed Credentials & Account Intelligence **Project:** Burkina Faso Critical Infrastructure OSINT **Date:** 2026-03-04 (updated) **Classification:** Passive OSINT — No exploitation attempted --- ## 1. WordPress User Accounts (Unauthenticated API Enumeration) ### ARCEP — arcep.bf (Telecom Regulator / .bf Domain Authority) **Endpoint:** `https://www.arcep.bf/wp-json/wp/v2/users?per_page=100` **Authentication:** NONE REQUIRED | ID | Display Name | Username (slug) | Gravatar MD5 Hash | Inferred Email | |----|-------------|-----------------|-------------------|----------------| | 4 | webmanager | webmaster | `b449ee4708b1bc146c4f935e9c272096` | webmaster@arcep.bf | | 7 | atraore | atraore | `fafee8299b6f09f5db44ffda68c55ceb` | a.traore@arcep.bf | | 8 | Stella Ouedraogo | stella-ouedraogoarcep-bf | `1029beaeed571f5ab1279d5e994b9a7a` | stella.ouedraogo@arcep.bf | | 9 | Yacouba KOUSSOUBE | y-koussoube | `17df11a12cbef982a8a22b269d7bb8e5` | y.koussoube@arcep.bf | | 10 | Lucien Manzaba | lucien-manzabaarcep-bf | `81f2a93a084a6c9bea12edaa03597a3d` | lucien.manzaba@arcep.bf | **Email Pattern:** `firstname-lastnamearcep-bf` slug format → `firstname.lastname@arcep.bf` **Note:** Gravatar hashes are MD5 of lowercase email — can be reversed via rainbow tables. ### ANPTIC — anptic.gov.bf (Government IT/Digital Agency) **Endpoint:** `https://anptic.gov.bf/wp-json/wp/v2/users?per_page=100` **Authentication:** NONE REQUIRED | ID | Display Name | Username (slug) | Gravatar SHA256 Hash | Notes | |----|-------------|-----------------|---------------------|-------| | 1 | webmaster | webmaster | `f200c49f2bcd7f7e5a4d5d98633f01237034a3b8dde73e689bae1c3e740c5e96` | Site administrator | | 2 | Aicha Ilboudo | dcrp | `d4b91045da4209dc9c434dcda01cc3f068540ac29e1091f112d95c383a9680dd` | DCRP = Direction de la Communication et des Relations Publiques | | 3 | Axelle OUEDRAOGO | axelle | `90bc5c1b3b0086f0c1940e243d0c1f38ebe4a9fbd3a470323801210d19a7758d` | Content editor | **Note:** Government IT agency's own WordPress leaks user data. Uses SHA256 Gravatar hashes. ### Diaspora Burkina — diasporaburkina.bf **Endpoint:** `https://diasporaburkina.bf/wp-json/wp/v2/users?per_page=100` **Authentication:** NONE REQUIRED | ID | Display Name | Username (slug) | Gravatar MD5 Hash | Notes | |----|-------------|-----------------|-------------------|-------| | 1 | diasp_ad | diasp_ad | `c5f5b2cc5c4093ceddfbf1eea0b6d72e` | Site admin | | 2 | ad_zep | ad_zep | `eff82de57a85be4381645a477984c860` | Admin/editor | | 3 | studyuser_2343246756 | studyuser_2343246756 | `34c1ec8b126e30bbffca8afd93affbcf` | Test account | | 4 | studyuser_4260180281 | studyuser_4260180281 | `35f88d8fcdc71f415d4cb790eac77634` | Test account | ### SIG — sig.bf (Government Press Office / Controls defense & security web) **Endpoint:** `https://sig.bf/wp-json/wp/v2/users?per_page=100` **Authentication:** NONE REQUIRED | ID | Display Name | Username (slug) | Gravatar MD5 Hash | Notes | |----|-------------|-----------------|-------------------|-------| | 1 | Sig-Burkina | admin | `d7a536c2a29e117bd047ba55db21068f` | Site admin — controls defense.gov.bf & securite.gov.bf | | 12 | Aly TOURE | dwtoure | `bf55105041346aa45caeeb74e6569948` | "dw" prefix = Direction Web | | 14 | Beli N'DO | dwbeli | `1ac5deb5001928d400535900e81d8f2a` | Direction Web staff | | 18 | Adams OUEDRAOGO | dwdouedraogo | `7f6d1c8c6bbacc6b83ad037f32e57051` | Direction Web staff | | 19 | Wendkuni Eric Demouemba | wendkuni | `0b128e26b43d1c4fe686763048ff7daa` | Content editor | **Email Pattern:** `dw` prefix = Direction Web (web department). Try `first.last@sig.bf`, `flast@sig.bf` **Intel:** SIG manages the web presence of Defense & Security ministries — these accounts have cross-domain significance. ### SONAPOST — sonapost.bf (National Postal Service) **Endpoint:** `https://sonapost.bf/wp-json/wp/v2/users?per_page=100` **Authentication:** NONE REQUIRED | ID | Display Name | Username (slug) | Gravatar SHA256 Hash | Notes | |----|-------------|-----------------|---------------------|-------| | 2 | fsankara | fsankara | `e5fdd86d56860617dfeae011c79b7c6c251857e6d6531716ec5a07f3b63d3f06` | F. Sankara pattern | | 3 | atraore | atraore | `aee928b13a5c5a219018448aed49b14c27e59454af0f48a75dd85f8e5945036f` | A. Traore pattern | | 4 | Webmaster | webmaster | `81a6474ee8d6762009bbe55921d044b6d7df987744b8f211afe0e9b7f403688f` | Site admin | | 5 | doatchade | doatchade | `13aa6ce79dfa8eacbafe80a7b0424d24d58da9d4a8020173f1d3b51f7d2d9f41` | D. Oatchade pattern | | 7 | Madina | madina | `603add125f0ca142884b9a76f106a63da6bf1adb53bada79ec0af6cb27c814a0` | First name only | **Email Pattern:** `flast` format (fsankara = F. Sankara, atraore = A. Traore). Uses SHA256 Gravatar hashes. ### CARFO — carfo.bf (Civil Servant Pension Fund) **Endpoint:** `https://carfo.bf/wp-json/wp/v2/users?per_page=100` **Authentication:** NONE REQUIRED | ID | Display Name | Username (slug) | Gravatar SHA256 Hash | Notes | |----|-------------|-----------------|---------------------|-------| | 1 | carfo_wordpress_admin | carfo_wordpress_admin | `76313d2c7a00be3ab3127eca5bd74990deed22d8556c3041492e49f9246f2bda` | Site admin | | 2 | Arnaud | arnaud | `4e3a089ba0216277d6496bd2600093b0ac075091e2af8c7c02e0f9d5cc233193` | First name only | | 3 | ILBOUDO KADER | kader | `56a0fd5769905248e2f3f8259c6741c05de5adda8e26a24b8e8abe4cbfcf8c63` | Kader Ilboudo | | 4 | Walid OUEDRAOGO | walid | `8151901e3b97da051b012bf9aa1a93bf329bb37dcbef67518f2efe1dac2f57e2` | Content editor | | 5 | Noel BADO | badno | `454a7663bf9ee05e38a2e41e23eb8927dcb956b69ddd32adcccb88043ef72ac9` | "badno" = BADO Noel | | 6 | Salome KABORE | ksalome | `e79626dd0cd5527eee32c2691db47066c3587506e8c34738a4ef1e5f4dfe3aaa` | "ksalome" = KABORE Salome | | 9 | kdaouda | kdaouda | `db92cff8787ce3b5c3056747f41b003627ab09e6d3c6d059e357d2e021409182` | K. Daouda pattern | **Email Pattern:** First initial + last name format (badno, ksalome, kdaouda). Uses SHA256 Gravatar hashes. **Intel:** Largest user count (7) — pension fund has active web team. ### ONEA — onea.bf (National Water Utility — EXPIRED DOMAIN) **Endpoint:** `https://onea.bf/wp-json/wp/v2/users?per_page=100` **Authentication:** NONE REQUIRED | ID | Display Name | Username (slug) | Gravatar SHA256 Hash | Notes | |----|-------------|-----------------|---------------------|-------| | 1 | Departement Communication | admin | `90203162d9dc93e1afdf13e21e41cf422d248b031eb4e4ad83a73d2dded5b77b` | Comms department admin | | 4 | nebisma | nebisma | `27e43ddb78e55c186160c6e660ee5f4fbf0fa38a6b6f4859d29387d005d695d2` | Staff account | | 5 | Rachid | rachid | `986af49cf16dbc507aaa9f305ac121d5adeb4e2e666f92d134a44bf0fd723cc9` | First name only | **Note:** Domain EXPIRED (2025-05-17) but still resolving. Users still accessible on expired domain. ### Presidency — presidencedufaso.bf (BLOCKED) **Endpoint:** `https://presidencedufaso.bf/wp-json/wp/v2/users?per_page=100` **Status:** 403 — `rest_cannot_access` — "Only authenticated users can access" **Note:** Really Simple Security plugin properly blocks user enumeration via REST API. --- ## 2. Email Addresses Discovered ### From Web Scraping & WHOIS | Email | Source | Organization | Type | |-------|--------|-------------|------| | infos@defense.gov.bf | Website | Ministry of Defense | Generic | | infos@securite.gov.bf | Website | Ministry of Security | Generic | | secretariat@arcep.bf | Website | ARCEP | Generic | | sonabhy@sonabhy.bf | Website | SONABHY | Generic | | infos@ssi.gov.bf | Website | ANSSI | Generic | | sakman.zongo@ssi.gov.bf | Website | ANSSI | **Named individual** | | web.anssi@ssi.gov.bf | Website | ANSSI | Role account | | e.guigma@onatel.bf | DMARC record | ONATEL | **Named individual** (DMARC admin) | | infos@ikasolution.bf | WHOIS | IKA SOLUTION | Contractor (manages ONEA) | | youattara@ikasolution.bf | WHOIS | IKA SOLUTION | **Named individual** at contractor | | ismael.odg@ecodev.dev | WHOIS | ECODEV INTERNATIONAL | Contractor (manages Presidency) | | brice.s@cvp.bf | WHOIS | CVP | Contractor (manages SONABEL) | | dns_contact@fasonet.bf | WHOIS | FasoNet/ONATEL | DNS admin | | contact@ytcvn.com | Website source | YTCVN (Vietnamese) | Contractor (built Police site) | ### Inferred from WordPress Slug Patterns | Inferred Email | Basis | Confidence | |---------------|-------|------------| | stella.ouedraogo@arcep.bf | Slug: stella-ouedraogoarcep-bf | HIGH | | lucien.manzaba@arcep.bf | Slug: lucien-manzabaarcep-bf | HIGH | | a.traore@arcep.bf | Slug: atraore + Gravatar hash | MEDIUM | | y.koussoube@arcep.bf | Slug: y-koussoube | MEDIUM | | aly.toure@sig.bf | Slug: dwtoure (Direction Web) | MEDIUM | | beli.ndo@sig.bf | Slug: dwbeli (Direction Web) | MEDIUM | | adams.ouedraogo@sig.bf | Slug: dwdouedraogo (Direction Web) | MEDIUM | | wendkuni.demouemba@sig.bf | Slug: wendkuni + display name | LOW | | f.sankara@sonapost.bf | Slug: fsankara (flast pattern) | HIGH | | a.traore@sonapost.bf | Slug: atraore (flast pattern) | HIGH | | d.oatchade@sonapost.bf | Slug: doatchade (flast pattern) | MEDIUM | | kader.ilboudo@carfo.bf | Slug: kader + display "ILBOUDO KADER" | HIGH | | walid.ouedraogo@carfo.bf | Slug: walid + display "Walid OUEDRAOGO" | HIGH | | noel.bado@carfo.bf | Slug: badno + display "Noel BADO" | HIGH | | salome.kabore@carfo.bf | Slug: ksalome + display "Salome KABORE" | HIGH | | k.daouda@carfo.bf | Slug: kdaouda (initial+last pattern) | MEDIUM | --- ## 3. Server Configuration Exposed ### ARCEP .htaccess — arcep.bf **URL:** `https://www.arcep.bf/.htaccess` **Status:** 200 OK (1,674 bytes — publicly readable) **Contents reveal:** - DEFLATE compression for all MIME types - Git protection rule: `RedirectMatch 404 /\.git` - WPSuperCache plugin directives - WordPress mod_rewrite rules with `RewriteBase /` - HTTP Authorization passthrough: `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` **Impact:** Reveals server configuration, installed plugins, and security measures. --- ## 4. Google Analytics Account Correlation **Shared GA Property:** UA-144182518 | Site | GA Tag | What It Reveals | |------|--------|----------------| | defense.gov.bf | UA-144182518-**5** | Defense ministry traffic to Google | | securite.gov.bf | UA-144182518-**30** | Security ministry traffic to Google | | sig.gov.bf | UA-144182518-**?** | Government press office | **Impact:** Single Google Analytics account has visibility into both defense AND security ministry visitor traffic (IPs, pages, referrers). For a junta entering conflict with the US, this is a significant OPSEC concern — traffic data flows to a US company. --- ## 5. Exposed Infrastructure Panels | Target | Subdomain | Type | Status | |--------|-----------|------|--------| | ONATEL | dbadmin.onatel.bf | Database admin panel | Discovered via CT/DNS | | Police Academy | cpanel.academiedepolice.bf | cPanel hosting control | Exposed | | Police Academy | whm.academiedepolice.bf | WHM server management | Exposed | | Police Academy | webmail.academiedepolice.bf | Webmail interface | Exposed | | Police Academy | webdisk.academiedepolice.bf | WebDisk file manager | Exposed | | Police Academy | ftp.academiedepolice.bf | FTP endpoint | Exposed | | ONEA | staging.onea.bf | Staging environment | Exposed | --- ## 6. Contractor Access Credentials Chain These contractors hold administrative access to government infrastructure: | Contractor | Domain/Email | Controls | Risk | |-----------|-------------|----------|------| | IKA SOLUTION | ikasolution.bf | ONEA domain DNS & registration | **DOMAIN EXPIRED** under their watch | | ECODEV INTERNATIONAL | ecodev.dev | Presidency domain registration | Presidency DNS control | | CVP | cvp.bf | SONABEL domain registration | Power utility DNS control | | YTCVN (Vietnamese) | ytcvn.com | Police website code/deployment | Foreign code access to police site | | Groupe Fadoul | groupefadoul.co | IGF + Canal3 + others | Multi-site government contractor | | PlanetHoster (Canadian) | — | Police Academy hosting | Full server access (cPanel/WHM) | **Note:** A compromise of any contractor could cascade to their managed government sites. --- ## 7. Gravatar Hash Database **Database file:** `DUMP/burkina-faso-hashes.db` (SQLite, Hash Hunter compatible format) **CSV export:** `DUMP/burkina-faso-hashes.csv` ### Summary | Metric | Count | |--------|-------| | Sites with hashes | 7 | | Sites blocked/no API | 8 | | Total hash entries | **32** | | MD5 hashes | 14 | | SHA256 hashes | 18 | | Unique hashes | 32 | ### MD5 Hashes (14) — Crackable via pattern matching | Hash | Username | Display Name | Site | |------|----------|-------------|------| | `b449ee4708b1bc146c4f935e9c272096` | webmaster | webmanager | arcep.bf | | `fafee8299b6f09f5db44ffda68c55ceb` | atraore | atraore | arcep.bf | | `1029beaeed571f5ab1279d5e994b9a7a` | stella-ouedraogoarcep-bf | Stella Ouedraogo | arcep.bf | | `17df11a12cbef982a8a22b269d7bb8e5` | y-koussoube | Yacouba KOUSSOUBE | arcep.bf | | `81f2a93a084a6c9bea12edaa03597a3d` | lucien-manzabaarcep-bf | Lucien Manzaba | arcep.bf | | `d7a536c2a29e117bd047ba55db21068f` | admin | Sig-Burkina | sig.bf | | `bf55105041346aa45caeeb74e6569948` | dwtoure | Aly TOURE | sig.bf | | `1ac5deb5001928d400535900e81d8f2a` | dwbeli | Beli N'DO | sig.bf | | `7f6d1c8c6bbacc6b83ad037f32e57051` | dwdouedraogo | Adams OUEDRAOGO | sig.bf | | `0b128e26b43d1c4fe686763048ff7daa` | wendkuni | Wendkuni Eric Demouemba | sig.bf | | `c5f5b2cc5c4093ceddfbf1eea0b6d72e` | diasp_ad | diasp_ad | diasporaburkina.bf | | `eff82de57a85be4381645a477984c860` | ad_zep | ad_zep | diasporaburkina.bf | | `34c1ec8b126e30bbffca8afd93affbcf` | studyuser_2343246756 | studyuser_2343246756 | diasporaburkina.bf | | `35f88d8fcdc71f415d4cb790eac77634` | studyuser_4260180281 | studyuser_4260180281 | diasporaburkina.bf | ### SHA256 Hashes (18) — From newer WordPress instances | Hash | Username | Display Name | Site | |------|----------|-------------|------| | `f200c49f...740c5e96` | webmaster | webmaster | anptic.gov.bf | | `d4b91045...a9680dd` | dcrp | Aicha Ilboudo | anptic.gov.bf | | `90bc5c1b...19a7758d` | axelle | Axelle OUEDRAOGO | anptic.gov.bf | | `aee928b1...5945036f` | atraore | atraore | sonapost.bf | | `13aa6ce7...2d9f41` | doatchade | doatchade | sonapost.bf | | `e5fdd86d...63d3f06` | fsankara | fsankara | sonapost.bf | | `603add12...c814a0` | madina | Madina | sonapost.bf | | `81a6474e...403688f` | webmaster | Webmaster | sonapost.bf | | `4e3a089b...c233193` | arnaud | Arnaud | carfo.bf | | `76313d2c...f9246f2bda` | carfo_wordpress_admin | carfo_wordpress_admin | carfo.bf | | `56a0fd57...cbfcf8c63` | kader | ILBOUDO KADER | carfo.bf | | `db92cff8...21409182` | kdaouda | kdaouda | carfo.bf | | `454a7663...ef72ac9` | badno | Noel BADO | carfo.bf | | `e79626dd...dfe3aaa` | ksalome | Salome KABORE | carfo.bf | | `8151901e...2f57e2` | walid | Walid OUEDRAOGO | carfo.bf | | `90203162...ded5b77b` | admin | Departement Communication | onea.bf | | `27e43ddb...d695d2` | nebisma | nebisma | onea.bf | | `986af49c...23cc9` | rachid | Rachid | onea.bf | **Method:** MD5 hashes = `md5(lowercase(email))`. SHA256 hashes = `sha256(lowercase(email))`. Use Hash Cracker with pattern-based recovery targeting `.bf` email domains. **Priority email domains for cracking:** - `@arcep.bf` — telecom regulator (pattern: firstname.lastname@) - `@sig.bf` — government press office (controls defense/security web) - `@sonapost.bf` — postal service (pattern: flast@) - `@carfo.bf` — pension fund (pattern: firstinitiallast@) - `@anptic.gov.bf` — government IT agency - `@onea.bf` — water utility (expired domain!) - `@diasporaburkina.bf` — diaspora portal --- ## 8. Domain Expiry — Hijack Opportunity | Domain | Owner | Expiry Date | Status | |--------|-------|-------------|--------| | onea.bf | ONEA (national water utility) | **2025-05-17** | **EXPIRED** — still resolving but hijackable | **Impact:** If domain registration lapses fully, anyone could register onea.bf and intercept traffic to the national water utility. --- ## 9. Strapi CMS Schema Exposure (SONABHY) **Target:** cms.sonabhy.bf **Endpoint:** `/api/content-type-builder/content-types` **Authentication:** NONE REQUIRED Full database schema exposed including these sensitive models: **Admin User Model (`admin::user`):** - Fields: firstname, lastname, username, email, password, resetPasswordToken, registrationToken, isActive, roles, blocked, preferedLanguage, createdAt, updatedAt, createdBy, updatedBy **API Token Model (`admin::api-token`):** - Fields: name, description, type, accessKey, lastUsedAt, permissions, expiresAt, lifespan, createdAt, updatedAt, createdBy, updatedBy **End-User Model (`plugin::users-permissions.user`):** - Fields: username, email, provider, password, resetPasswordToken, confirmationToken, confirmed, blocked, role **Strapi Instance ID:** `a5ca9d48-8f90-4ff2-ac19-4b50b6cad297` **DigitalOcean App ID:** `29a0ca2c-c79c-4070-9970-bd7e16f51a32` **Cloudinary Account:** `dmk8wryvz` (folder: `sonabhy/`) --- ## 10. CMS Admin Panels Accessible | Target | Admin URL | CMS | Status | Version | |--------|-----------|-----|--------|---------| | Police Nationale | police.gov.bf/administrator/ | Joomla | **200 OK** (login page) | **3.7.2 (May 2017)** | | Defense Ministry | defense.gov.bf/typo3/ | TYPO3 | **200 OK** (login page) | CSS timestamps: Feb 2020 | | Security Ministry | securite.gov.bf/typo3/ | TYPO3 | 301 → login | Same as Defense | | ANSSI | anssi.bf/admin/login/ | Django | 302 → login | Modern (Tailwind UI) | | ARCEP | arcep.bf/wp-admin/ | WordPress | 404 | Admin may be renamed | | ANPTIC | anptic.gov.bf/wp-admin/ | WordPress | 302 → wp-login | PHP/8.2.16 | | Presidency | presidencedufaso.bf/wp-login.php | WordPress | **200 OK** (login page) | Cookie hash: 14d6d17b... | --- ## 11. CORS Misconfiguration (ONATEL) **Target:** serviceclient.moov-africa.bf (service.onatel.bf) **App:** "Nectar+" customer portal **Severity:** CRITICAL ``` Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE Access-Control-Allow-Credentials: true ``` Wildcard origin with credentials = any website can make credentialed cross-origin requests. --- ## 12. ANPTIC Database Error **Target:** anptic.gov.bf **Error:** "Erreur lors de la connexion à la base de données" **Impact:** WordPress database connection broken. iThemes Security bans endpoint returns DB error — security plugin may not be functioning. --- ## 13. Police Academy Full Stack Exposure | Subdomain | Service | Status | |-----------|---------|--------| | cpanel.academiedepolice.bf | cPanel Login | **200 OK** | | whm.academiedepolice.bf | WHM Login (root hosting) | **200 OK** | | webmail.academiedepolice.bf | Roundcube Webmail | **200 OK** | | moodle.academiedepolice.bf | Moodle LMS (police training) | **200 OK** | | bibliotheque.academiedepolice.bf | Library system | **200 OK** | | cpanel (port 2083) | cPanel Login | **200 OK** | | whm (port 2087) | WHM Login | **200 OK** | --- ## 14. Moodle LMS Guest Credentials (Police Academy) **Target:** moodle.academiedepolice.bf **Version:** Moodle 2.9.x (August 2016 — 10 years old) **Severity:** HIGH **Guest login credentials found in HTML source code:** ``` Username: guest Password: guest ``` - Credentials are embedded as hidden form fields in the login page - Guest login **CONFIRMED WORKING** — returns full course index - **82 unique courses** accessible across **8 police academy promotions** (4th-11th) - Course content includes: counter-terrorism (CTO), criminal intelligence (RC), general intelligence (RG), border management (GDF), crowd control (MO/SMO), criminal law, forensics, crisis management - Full police officer training curriculum exposed to anyone on the internet **Impact:** Complete police academy training structure, course titles, and subject areas visible without authentication. Reveals intelligence, counter-terrorism, and security training programs of the Burkina Faso police force. **Deep Scrape Results:** - **500+ registered user accounts** confirmed (IDs 1-500 all valid) - **W. Emmanuel RAMDE** (User ID 7) posted about 15 cadets completing National Guard cross-training - Course-specific forums: SP/OFF5 (Public Security, Officer 5th Promo), PP/CRE5 (Community Policing, Commissioner 5th Promo), FCF (Continuing Education) - Actual course materials LOCKED behind enrollment keys — guest can see structure but not content - Web services and mobile API disabled - **contact@academiedepolice.bf** — institutional email discovered --- ## 15. Data Dump Summary | Target | Files Dumped | Size | Key Contents | |--------|-------------|------|-------------| | ARCEP | 11 | 7.0MB | WP posts (1.9MB), WP pages (4.6MB), media refs, users, .htaccess | | ANPTIC | 12 | 49KB | WP endpoints (all returning DB errors), iThemes Security endpoints | | SONABHY | 38 | 2.5MB | Strapi schema (42KB), 24 senior executives (55KB), 9 board members, news, photos, careers, procurement | | Police | 4 | 20KB | Joomla manifest (v3.7.2), robots.txt, htaccess | | Police Academy | 382 | 9.5MB | 82 courses, 22 categories, user enrollment pages, Moodle changelog | | Defense | 2 | 13KB | TYPO3 login page, robots.txt | | ANSSI | 2 | 16KB | Django admin login, robots.txt | | ONATEL | 3 | 81KB | Nectar+ (70KB), Ma Consommation, e-facture | | Presidency | 2 | 25KB | WP login page, robots.txt | | **Hash DB** | **3** | **65KB** | **burkina-faso-hashes.db + .csv + build script — 32 hashes across 7 sites** | | **TOTAL** | **459** | **~19.3MB** | **9 organizations + hash database** | --- ## 16. WordPress User Enumeration Coverage | Site | WP API | Users Found | Hash Type | Hashes | |------|--------|-------------|-----------|--------| | arcep.bf | OPEN | 5 | MD5 | 5 | | sig.bf | OPEN | 5 | MD5 | 5 | | diasporaburkina.bf | OPEN | 4 | MD5 | 4 | | carfo.bf | OPEN | 7 | SHA256 | 7 | | sonapost.bf | OPEN | 5 | SHA256 | 5 | | anptic.gov.bf | OPEN | 3 | SHA256 | 3 | | onea.bf | OPEN | 3 | SHA256 | 3 | | presidencedufaso.bf | **BLOCKED** | 0 | — | 0 | | lonab.bf | No WP API | 0 | — | 0 | | carfo.bf | OPEN | 7 | SHA256 | 7 | | bumigeb.bf | No WP API | 0 | — | 0 | | fasonet.bf | No WP API | 0 | — | 0 | | sif.bf | No WP API | 0 | — | 0 | | econcours.bf | No WP API | 0 | — | 0 | | sofitex.bf | No WP API | 0 | — | 0 | | cnss.bf | No WP API | 0 | — | 0 | | **TOTAL** | **7 open** | **32** | | **32** | --- ## 17. SOFITEX Exchange Server Exposed **Target:** sofitex.bf (SOFITEX — National Cotton Company) **Server:** Microsoft-IIS/10.0, ASP.NET **Product:** Microsoft Exchange Server 2019 **Version:** `X-OWA-Version: 15.2.1748.10` (Exchange 2019 CU14) **Internal Hostnames:** `MV56`, `MV57` (2 frontend servers — leaked via X-FEServer header) **Severity:** HIGH | Endpoint | Status | Service | |----------|--------|---------| | /owa/ | 440 Login Timeout | Outlook Web Access | | /ecp/ | 302 → login | Exchange Control Panel (admin) | | /ews/exchange.asmx | 401 | Exchange Web Services | | /autodiscover/autodiscover.xml | 401 | Autodiscover | | /oab/ | 401 | Offline Address Book | | /rpc/ | 401 | RPC over HTTP | | /mapi/ | 401 | MAPI over HTTP | | /Microsoft-Server-ActiveSync | 401 | Mobile ActiveSync | **Impact:** Full Microsoft Exchange server for SOFITEX corporate email exposed to the internet. All exchange endpoints accessible. Internal server names leaked. Exchange 2019 CU14 may be missing security patches. ProxyShell/ProxyLogon variants should be assessed. --- ## 18. TYPO3 Government Cluster (14 Ministries/Agencies, Same Infrastructure) **Shared Stack:** Apache + PHP/7.3.31 (EOL Dec 2021) + TYPO3 CMS **Admin Panel:** `/typo3/` returns **200 OK** on all sites | Ministry/Agency | Domain | TYPO3 Login Title | |----------|--------|-------------| | Defense | defense.gov.bf | Ministère de la Défense Nationale et des Anciens Combattants | | Security | securite.gov.bf | Ministère de la Sécurité | | Finance | finances.gov.bf | Ministère de l'Economie et des Finances | | Health | sante.gov.bf | Ministère de la Santé | | Education | education.gov.bf | Site Ministère | | Foreign Affairs | mae.gov.bf | Ministère des Affaires Etrangères et de la Coopération | | Agriculture | agriculture.gov.bf | Ministère de l'Agriculture et des Aménagements Hydro-agricole | | Commerce | commerce.gov.bf | Ministère | | Youth | jeunesse.gov.bf | Ministère | | Communication | communication.gov.bf | Site Ministère | | Civil Service | fonction-publique.gov.bf | Ministère | | Environment | environnement.gov.bf | Site Ministère | | CSC (Media Regulator) | csc.bf | Conseil Supérieur de la Communication | | Justice | justice.gov.bf | (pending confirmation) | **Shared GA:** Defense + Security share `UA-144182518` (same Google Analytics account) **CRITICAL:** `/typo3/install.php` returns **HTTP 200** on ALL TYPO3 sites — confirmed install tool accessible with maintenance controller active **Install Tool confirmed titles:** - "Install tool on site Finance" - "Install tool on site Ministère de la Défense Nationale et des Anciens Combattants" - "Install tool on site Ministère de la Femme, de la Solidarité nationale, et de la Famille" - "Install tool on site Ministère de l'Agriculture et des Aménagements Hydro-agricole" - "Install tool on site Site Ministère" (education, environnement) - "Install tool on site Ministère de la Santé" - "Install tool on site Ministère des Transports, de la Mobilité Urbaine et de la Sécurité Routière" **Fileadmin/user_upload accessible (HTTP 200):** finances, defense, education, environnement, sante, transports **Extensions confirmed:** `bootstrap_package`, `news` (EXT:news) installed on all sites **RSS Feeds active:** defense (8 articles), education (8 articles), sante (8 articles) — via `?type=9818` **Impact:** A vulnerability in this shared TYPO3 cluster would compromise 14+ ministries/agencies simultaneously. PHP 7.3.31 has known CVEs and is 4+ years past end-of-life. --- ## 18a. Government Email System — Keycloak OIDC **Target:** mailer.gov.bf **Server:** nginx **Auth System:** Keycloak (OpenID Connect) **Realm:** `global.virt` **Client ID:** `global.virt-cli` **Exposed OIDC Endpoints:** - Authorization: `https://mailer.gov.bf/keycloak/realms/global.virt/protocol/openid-connect/auth` - Token: `https://mailer.gov.bf/keycloak/realms/global.virt/protocol/openid-connect/token` - UserInfo: `https://mailer.gov.bf/keycloak/realms/global.virt/protocol/openid-connect/userinfo` - Registration: `https://mailer.gov.bf/keycloak/realms/global.virt/clients-registrations/openid-connect` - Device Auth: `https://mailer.gov.bf/keycloak/realms/global.virt/protocol/openid-connect/auth/device` **Supported Grant Types:** authorization_code, implicit, refresh_token, **password**, **client_credentials**, CIBA, device_code **Keycloak Version:** v5 (detected from login page source) **Login Theme:** BlueMind (government email integration) **Master Realm:** ALSO accessible at `/keycloak/realms/master/` **Admin Console:** `/keycloak/admin/master/console/` returns **HTTP 200** **Account Self-Service:** `/keycloak/realms/global.virt/account/` returns **HTTP 200** **Device Auth:** `/keycloak/realms/global.virt/protocol/openid-connect/auth/device` returns **HTTP 200** **JWKS Keys:** Dumped for both realms — global.virt cert created 2025-03-21, master cert created 2024-07-17 **Impact:** Full Keycloak OIDC discovery endpoint exposed with master realm also open. `password` grant type enabled on BOTH realms means direct username/password authentication is possible. Admin console accessible. BlueMind email integration suggests this is the authentication gateway for government email. --- ## 19. Additional CMS & System Discoveries | Site | CMS/System | Server | Notes | |------|-----|--------|-------| | cnssbf.org | **WordPress 6.5.5 + WooCommerce 8.2.2** | Apache | Social security — WP REST API **FULLY OPEN**, 30+ namespaces | | lonab.bf | **Drupal 9** | Cloudflare | National lottery — /user/login accessible | | sofitex.bf | **Exchange/OWA** | IIS/10.0 | Cotton company — full email server | | sonapost.bf → laposte.bf | WordPress | Apache | Postal service — redirects to laposte.bf | | douanes.bf | **SYDONIA/ASYCUDA** (PrimeFaces 6.2) | Apache-Coyote/1.1 | Customs system — **DEVELOPMENT MODE**, JSESSIONID exposed | | unz.bf | **Joomla 5.3.0** | LWS.fr | University — API auth-locked, `.env` returns 403 (exists) | | eservices.cnss.bf | **JHipster/Spring Boot** | nginx | e-Services — **Swagger UI OPEN**, /management/info leaks git commit | | cbf.bf | **WordPress** | Apache/2.4.58 (**Win64**) | Football federation — **Windows server**, WP API open | | rtb.bf | WordPress | — | State television — WP API partially accessible | | primature.gov.bf | WordPress | Apache/2.4.62 (Debian) | **Prime Minister's Office** — 148 posts, 648 media, 26 namespaces | | dgi.bf | WordPress + Divi | — | **Tax Authority** — 6 users exposed, 431 posts, 1,687 media | | igf.bf | WordPress + WPML | o2switch | Finance Inspectorate — 9 pages, 211 media | | fespaco.bf | WordPress | Apache | Film festival — 3 users exposed | | siao.bf | WordPress | — | Craft fair — 1 admin user | | burkina24.com | WordPress | — | Major news — **81 users/journalists**, 59,300 posts | | infowakat.net | WordPress | — | News site — WP API open | --- ## 20. Email Intelligence Update | Email | Source | Organization | Type | |-------|--------|-------------|------| | webmaster@cnssbf.org | Apache error page (CNSS) | CNSS Social Security | **Named domain** — cnssbf.org separate from cnss.bf | | contact@academiedepolice.bf | Moodle scrape | Police Academy | Institutional | **New domains discovered:** `cnssbf.org` (CNSS uses separate .org domain for webmaster email) --- ## 20a. DGI Tax Authority — Staff Accounts Exposed **Endpoint:** `https://dgi.bf/wp-json/wp/v2/users?per_page=100` **Authentication:** NONE REQUIRED | ID | Display Name | Username (slug) | Notes | |----|-------------|-----------------|-------| | 1 | dgi | dgi | Site administrator | | 2 | Léopold Boyavé YE | leopold-ye | Staff | | 3 | MWINSOBA BERNADETTE SOME | bernadette-some | Staff | | 5 | Moussa OUATTARA | hmoussa | Staff | | 7 | Eliane SOME | eliane-some | Staff | | 8 | Souleymane SANOU | souleymane-sanou | Staff | **Content:** 431 posts, 28 pages, 1,687 media items **Plugins:** wp-statistics, post-smtp, Divi theme --- ## 20b. Burkina24 — 81 Journalists/Staff Exposed **Endpoint:** `https://burkina24.com/wp-json/wp/v2/users?per_page=100` **Total Users:** 81 journalists with full names, bios, SHA256 Gravatar hashes **Content:** 59,300 posts, 584 categories **Notable accounts:** Correspondents in France and Canada identified --- ## 20c. SIG Government Info Service — Unpatched WordPress **WordPress:** 5.9.12 (outdated, last updated Dec 2022) **Users:** 5 staff accounts, admin slug = "admin" **Content:** 4,432 posts, 5,824 media items, 1,098 government PDFs, 108 Word documents **Status:** Dead since June 29, 2023 — unmaintained and unpatched **Security posts:** 330+ posts covering terrorist attacks and 2022 coups --- ## 20d. eservices.cnss.bf — Spring Boot Actuator Exposed **Platform:** JHipster/Spring Boot ("eCNSS" by A2SYS) **Swagger UI:** Publicly accessible at `/swagger-ui/index.html` **Management Info leaked:** - Git branch: `developer`, commit: `b7ceeb1` (dirty) - Build artifact: `com.a2sys.digitalisation` v0.0.1-SNAPSHOT - Built: 2025-08-27 - Active profiles: `prod` **Endpoints accessible:** `/management/health` (UP), `/management/info` **robots.txt reveals:** `/api/account`, `/api/users/`, `/api/audits/`, `/api/logs/` --- ## 20e. Douanes (Customs) — SYDONIA in Development Mode **URL:** `http://douanes.bf/sydoniabf/` **System:** ASYCUDA/SYDONIA customs management **Framework:** JSF (Mojarra) + PrimeFaces 6.2 **CRITICAL:** `PrimeFaces.settings.projectStage='Development'` — DEVELOPMENT MODE in production! **Server:** Apache-Coyote/1.1 (Java/Tomcat) **Login page:** `/sydoniabf/login.jsf` accessible with `j_username` field **JSESSIONID:** Exposed in cookies (HttpOnly flag set, but no Secure flag — HTTP only!) **ViewState tokens:** Visible in page source **Impact:** PrimeFaces 6.2 in Development mode may expose debug information. Known CVE-2017-1000486 affects PrimeFaces < 6.2 (directory traversal). ViewState deserialization attacks possible. --- ## 21. SONABHY Executive & Board Intelligence (Strapi Deep Dump) **Source:** cms.sonabhy.bf Strapi API — 46 content types, 27 accessible, ~2MB structured data **Two Cloudinary CDN accounts exposed:** `itexvivo` (older) and `dmk8wryvz` (newer) ### Executive Team — 24 Members with Photos | Name | Title | |------|-------| | TRAORE Lamine | Directeur de cabinet | | OUATTARA Soma Alassane | Conseiller Technique | | YAMEOGO Jean | Conseiller Fiscal | | KABORE Ousmane | Conseiller Technique | | SIDIBE Siméon | Conseiller Technique | | HIEN Serge Ibrahim | Dir. Stratégique Trading & Approvisionnement | | DIALLO Tidjane | Dir. du Contrôle de Gestion | | OUEDRAOGO Saïdou | Directeur Central du Support | | **OUEDRAOGO Justin** | **Responsable Sécurité des Systèmes d'Information (RSSI)** | | OUEDRAOGO Désiré | Dir. Planification et Projets | | ILBOUDO Barké | Dir. Financier et Comptable | | BASSOLE Yannick | Dir. des Marchés Publics | | **OUATTARA Salifou** | **Directeur des Systèmes d'Information (DSI)** | | GUIRA Moustapha | Dir. de l'Audit Interne | | NIKIEMA Mouni | Conseiller Technique | | OUEDRAOGO Dieudonné | Dir. Commercial et Marketing | | YOUGBARE Barnabé | Dir. Juridique et du Contentieux | | MILLOGO Dada Fidèle | Dir. Ressources Humaines | | SANGO Jonas | Dir. du dépôt de Bingo | | KONDOMBO Yannick | Dir. du dépôt de Bobo | | BOUYAIN Nadia | Dir. Qualité, Hygiène, Sécurité et Environnement | | TAPSOBA Kader | Dir. Communication et Relations Publiques | | KABRE Rebecca | Dir. Centre de Référence du Pétrole et des Moteurs | ### Board of Directors — 9 Members | Name | Representing | |------|-------------| | YONLI Hadi Honoré | Ministry of Industrial Development | | TIEMTORE Ragnang-newindé Isidore | **Présidence du Faso** | | BOUDA Arouna | **Prime Minister's Office** | | ZOUBGA Maoloud | Ministry of Economy & Finance | | NABARE/TOURE Aïcha Hafçatou | Ministry of Infrastructure | | SORGHO/SOKOUNDO Haoua | Ministry of Industrial Development | | SEBEGO Touwendaobo Ange Hubert | Ministry of Energy, Mines & Quarries | | PARE Laoko Dit Pascal | Staff Representative | | BARRO Oumarou | Observer — Ministry of Commerce | ### Critical Infrastructure - **3 fuel depots:** Bingo (Ouagadougou), Péni (south), Bobo (west) - **~4,000 tank trucks** (120 for butane gas) - **Import corridors:** Lomé (Togo), Cotonou (Benin), Tema (Ghana) - **Active tender (July 2025):** 190,000 tonnes of petroleum products --- ## 22. Broadcast Media Intelligence (CSC Database) **Source:** CSC (Conseil Supérieur de la Communication) master PDF — 32 pages, 268 entries **Database:** `DUMP/CSC-MEDIA/broadcast-media.db` (SQLite, 86KB) **CSV:** `DUMP/CSC-MEDIA/broadcast-media.csv` | Category | Radio | TV | Total | |----------|-------|-----|-------| | Commercial | 40 | 12 | 52 | | Community | 50 | 1 | 51 | | Confessional | 40 | 5 | 45 | | Municipal | 23 | 0 | 23 | | International | 4 | 0 | 4 | | State/Public | 7 | 4 | 11 | | Institutional | 6 | 1 | 7 | | **Radio+TV Total** | **170** | **23** | **193** | Plus: 4 MMDS operators, 4 satellite operators, 31 state radio relays, 29 state TV relays **FM Band Coverage:** 87.7 — 107.7 MHz (207 FM stations) **Top media owners:** RTB (state, 11 stations), Association Jeunesse Pour Christ Burkina (8 stations, evangelical) --- ## 23. ARCEP Telecom License Intelligence **Source:** ARCEP regulatory XLSX spreadsheets ### Mobile Operators (Technology-Neutral Licenses) | Operator | Granted | Effective | Duration | |----------|---------|-----------|----------| | ONATEL S.A. | 2019-03-26 | 2020-06-21 | 15+2 years | | ORANGE BURKINA FASO S.A. | 2019-01-15 | 2020-05-27 | 15 years | | TELECEL FASO SA | 2020-05-27 | 2020-05-27 | 15 years | ### FTTH (Fiber) License Holders | Operator | Granted | Expires | |----------|---------|---------| | PAV-BURKINA | 2017-11-28 | 2027-11-28 | | GVA BURKINA FASO | 2019-10-11 | 2029-10-11 | | **SONABEL** (electricity utility!) | 2020-04-08 | 2030-04-08 | | VTS (Virtual Technologies & Solutions) | 2021-02-04 | 2031-02-04 | | BFS | 2022-11-03 | 2032-11-03 | ### TNT (Digital Television) | Operator | Granted | **Expires** | |----------|---------|------------| | SOCIETE BURKINABE DE TELEDIFFUSION | 2016-06-21 | **2026-06-21** (~3 months!) | ### Tower Companies | Operator | Granted | Expires | |----------|---------|---------| | ATC-BURKINA | 2021-09-06 | 2031-09-06 | | LORYNE SA | 2022-12-22 | 2032-12-22 | --- ## 25. Data Dump Summary (Updated Session 3) | Target | Files | Size | Key Contents | |--------|-------|------|-------------| | **SIG-WORDPRESS** | 156 | 137MB | **4,432 posts, 5,824 media, 1,098 PDFs, 108 Word docs**, 5 users | | SIG (old) | 115 | 68MB | Previous dump data | | **FESPACO-WP** | ~50 | 17MB | Pan-African Film Festival, 3 users exposed | | **BURKINA24-WP** | 12 | 15MB | **81 journalists, 59,300 posts**, bios, gravatar hashes | | **CNSS-WP** | ~20 | 13MB | Social security, WooCommerce, full API dump | | **2IE-EDU-WP** | 105 | 11MB | **377 posts, 146 procurement docs, 228 commenters**, 47 PDF/Word docs | | Police Academy | 393 | 9.8MB | 82 courses, 500+ user accounts, Moodle LMS | | ARCEP (old) | 29 | 9.6MB | WP posts, pages, media, users, 4 XLSX license files | | **PRIMATURE-WP** | 13 | 9.5MB | **PM Office: 148 posts, 52 pages, 648 media**, 26 namespaces | | **ARCEP-WP** | 13 | 7.6MB | 5 users, 41 posts, 99 pages, 337 media | | ONEA-WP | 20 | 6.0MB | 115 posts, 40 pages, 663 media, CF7 forms | | **DGI-WP** | 14 | 5.7MB | **Tax Authority: 6 staff names, 431 posts, 1,687 media** | | CARFO | 18 | 4.4MB | 31 posts, 55 pages, 770 media, 7 WP users | | **RTB-WP** | 7 | 3.5MB | State television, pages and tags accessible | | **CBF-WP** | ~10 | 3.1MB | Football federation, **Windows server** | | **CNSS-ESERVICES** | ~10 | 2.7MB | **Swagger UI open, git commit leaked, Spring Boot actuator** | | TYPO3-MINISTRIES | 20 | 2.3MB | **Install tools, RSS feeds, fileadmin** across 10 ministries | | **IGF-WP** | 11 | 2.3MB | Finance inspectorate, WPML, 211 media | | CANAL3 | 8 | 2.2MB | 9 pages, 211 media, Groupe Fadoul Afrique | | SONABHY-Strapi | 47 | 2.1MB | **24 executives, 9 board, 13 projects, procurement** | | Additional Targets | ~20 | 2.0MB | Multi-domain probe results | | SONAPOST | 15 | 1.7MB | 22 posts, 328 media, 5 WP users | | **SIAO-WP** | ~10 | 1.4MB | Craft fair, 1 admin user | | CSC-MEDIA | 5 | 1.1MB | **268 broadcast media entries, FM frequencies, SQLite DB** | | CNSS (old) | 7 | 829KB | Homepage, sitemap | | LEFASO | 3 | 592KB | RSS feed, 68 articles | | SONABHY (old) | 24 | 285KB | Strapi schema, admin init | | UNZ-Joomla | 38 | 117KB | Joomla 5.3.0, hosting on LWS.fr | | Banking/Telecom | ~15 | 104KB | Multi-domain probe results | | **DOUANES-SYDONIA** | 3 | 81KB | **Customs system, PrimeFaces 6.2 DEV MODE** | | ONATEL | 4 | 89KB | Nectar+, Ma Consommation, e-facture | | ANPTIC | 13 | 53KB | WP API (DB errors) | | **KEYCLOAK-MAILER** | 6 | 36KB | **OIDC configs, JWKS keys, master+global.virt realms** | | Others | ~30 | ~200KB | Defense, ANSSI, Police, Presidency, SOFITEX, etc. | | **Hash DB** | 3 | 150KB | 32 hashes, 7 sites, SQLite + CSV | | **Broadcast DB** | 3 | 120KB | 268 stations, SQLite + CSV | | **License CSV** | 1 | 5KB | 11 telecom licenses | | **TOTAL (Session 3)** | **1,387** | **340MB** | **45+ organizations** | --- ## 26. Session 4 — Banking, Infrastructure & Mass Download (2026-03-04) ### New WordPress User Accounts Discovered #### Bank of Africa — bank-of-africa.net (Major West African Bank) | ID | Name | Slug | Notes | |----|------|------|-------| | 1 | admin | admin | Gravatar: `edb713c...` | | 14 | **Yassine CHRAIBI** | webmaster | URL: `http://BOA%20GROUPE` — BOA Group webmaster | **CRITICAL: 4,611 RESUMES/CVs EXPOSED** via WP Job Manager `/wp/v2/resumes`: - 3,956 unique email addresses - 4,589 CV/resume PDF download URLs - Full names, cover letters, timestamps - Files at: `/wp-content/uploads/resumes/resume_files/` #### Coris Bank International — burkina.coris.bank (Major Burkinabe Bank) | ID | Name | Slug | Notes | |----|------|------|-------| | 1 | coris_admin | cb-international | Site admin | | 2 | coris | coris | Content user | Fluent SMTP with Outlook callback, Google Site Kit, Elementor Pro, 10 subsidiaries (9 countries), 13 banking products. #### RCPB — rcpb.bf (Credit Union — 1M Members, 32 Branches) | ID | Name | Slug (email-derived) | Notes | |----|------|---------------------|-------| | 1 | E-CONSULTING | gestionnairebeconsulting-bf | gestionnaire@beconsulting.bf (vendor) | | 4 | **Aminata SEDOGO** | asedogorcpb-bf | asedogo@rcpb.bf | | 5 | **Brice OUEDRAOGO** | briouedraogorcpb-bf | briouedraogo@rcpb.bf | **Infomaniak staging URL leaked:** `vt7knbotjj.preview.infomaniak.website` **37 @rcpb.bf email addresses** (all 32 branch emails: cp-{city}@rcpb.bf) **Board of Directors:** Saibou NASSOURI (Chairman), DG: SONDO NIGNAN Azaratou **IT Stack:** Windows Server 2012/2019, Active Directory, Hyper-V, VPN, IDS/IPS #### ONEF — onef.gov.bf (National Employment Observatory) | ID | Name | Slug | |----|------|------| | ? | onef | onef | | ? | webmaster | webmaster | #### ANPE — anpe.gov.bf (National Employment Agency) | ID | Name | Slug | |----|------|------| | ? | souleymane-kanazoe | souleymane-kanazoe | | ? | benon-cedric | benon-cedric | | ? | webmaster | webmaster | #### Agriculture — www.agriculture.bf (Ministry of Agriculture) - **"superadmin"** username exposed — high-value target #### La Poste — laposte.bf (Government Postal Service) | ID | Name | Slug | |----|------|------| | 3 | atraore | atraore | | 5 | doatchade | doatchade | ### Critical Infrastructure Exposures #### Banking Portals | Target | Platform | Version | Key Findings | |--------|----------|---------|-------------| | ebank.bcb.bf | Sopra Banking EBK | **6.9.3** (commit: `2bbd588`) | CSP with unsafe-eval | | sogecashnet.societegenerale.bf | Sopra SmartOffice (OAS) | Unknown | **Demo env accessible at /smartofficeDemo/** | | e-coris.corisbank.bf | E-banking | Unknown | Behind F5 BigIP, redirects to e-banking.coris-bank.com | #### Tax System | Target | Platform | Notes | |--------|----------|-------| | esintax.bf | Custom PHP | 5+ backend servers (SERVERID=s5), user guide + FAQ PDFs | | esintax.impots.gov.bf | Apache 2.4.10 (2014!) | Old domain, 403 Forbidden | #### Police Academy Infrastructure | Target | Platform | Version | Key Findings | |--------|----------|---------|-------------| | moodle.academiedepolice.bf | Moodle | **2.9.2 (EOL May 2016!)** | 10 years unpatched, hundreds of CVEs | | bibliotheque.academiedepolice.bf | PMB | **4.2.1** | DB name `academie_bdpmb` leaked, 789 records | #### Mail/Exchange Servers | Target | Platform | Internal Hostname | |--------|----------|------------------| | mail.rcpb.bf | MS Exchange/IIS 10.0 | **VM-FCPB-MAIL** | | mail.agriculture.bf | Roundcube 1.6.13 | LWS hosting | | mail.sotraco.bf | Roundcube 1.5.13 | PlanetHoster | | cpanel.sig.bf | cPanel | SIG gov infrastructure | | webmail.sig.bf | cPanel Webmail | SIG gov infrastructure | ### New CMS Detections (Session 4) | Domain | CMS | Version | Notes | |--------|-----|---------|-------| | lefaso.net | SPIP | **3.2.1** | Major news site, 144,800+ articles, PHP 8.3/Plesk | | lonab.bf | Drupal | **9.5.11** | National Lottery, behind Cloudflare, 950+ nodes | | cci.bf | Drupal | **7.69** | Chamber of Commerce, **PHP 5.6.40** (EOL 2018!) | | enam.bf | WordPress | 6.x | National Admin School, LearnPress LMS, 19 courses | | arse.bf | WordPress | Recent | Energy Regulator, 46 posts, 461 media | | aber.bf | WordPress | Recent | Rural Electrification Agency, 120 posts, 783 media | | econcours.bf | Custom (nginx) | Unknown | Online exam registration system | ### TYPO3 Ministry Extensions (11 more sites confirmed) mae, mea, mesrsi, mdenp, energie-mines, communication, action-sociale, fonction-publique, sports, conseil-constitutionnel, pndes — all PHP 7.3.31 (EOL) with `/typo3/` admin login accessible. --- ## 27. Session 4 Data Dump Summary | Target | Files | Size | Key Contents | |--------|-------|------|-------------| | **BURKINA24-WP** | 1,603+ | 1.8GB | **ALL 59,300 posts + 100,953 media items** (complete) | | **RTB-WP** | 422 | 515MB | **20,551 posts, 20,822 media** (state TV, complete) | | **SIG-WP** | 156 | 137MB | 4,432 posts, 5,824 media, dead since 2023 | | **BOA-WP** | 158 | 28MB | **4,611 CVs/resumes**, 2,588 media, 36 stores | | **LONAB-DRUPAL** | 953+ | 27MB+ | National Lottery, 950+ Drupal 9 nodes | | **CORISBANK-WP** | 63 | 24MB | 1,569 media, 13 banking products, 10 subsidiaries | | **FESPACO-WP** | 73 | 17MB | Film festival, 2,355 media | | **PRIMATURE-WP** | 76 | 17MB | PM Office, Wordfence nonce leaked | | **CNSS-WP** | 141 | 16MB | Social security, WooCommerce | | **DGI-WP** | 38 | 12MB | Tax Authority, 6 staff, 1,687 media | | **2IE-EDU-WP** | 105 | 11MB | 377 posts, 146 procurement docs | | **ARCEP-WP** | 26 | 8.1MB | 5 users, 337 media | | **CERFI-WP** | 23 | 6.1MB | Research council, 464 posts | | **ONEA-TOR** | 12 | 6.0MB | Water utility via Tor, 663 media | | **ENAM-WP** | 28 | 4.3MB | Admin school, LearnPress LMS | | **RCPB-WP** | 46 | 3.8MB | Credit union, 37 @rcpb.bf emails, board + DG | | **CBF-WP** | 76 | 3.8MB | Agropastoral council, Windows server | | **MOOV-WP** | 18 | 3.7MB | Telecom, WooCommerce products | | **ANPE-WP** | 7+ | 3.7MB | Employment agency, 3 users | | **AGRICULTURE-WP** | 7+ | 3.7MB | Ministry of Agriculture, "superadmin" | | **ANPTIC-WP** | 7+ | 3.1MB | Gov IT agency, 3 users | | **CNSS-ESERVICES** | 30+ | 2.7MB | Spring Boot, Swagger UI, 86 endpoints | | **IGF-WP** | 11 | 2.3MB | Finance inspectorate | | **VISIONSANTE-WP** | 6 | 2.1MB | Health site | | **LAPOSTE-WP** | 37+ | 1.8MB | Postal service, 2 users | | **LEFASO-SPIP** | 8 | 1.7MB | Major news, 6 section RSS feeds | | **SIAO-WP** | 27 | 1.7MB | Craft fair, SureCart API | | **BCEAO-DRUPAL** | 63 | 1.3MB | Central Bank, 48 nodes, 3,408 sitemap URLs | | **BRVM-DRUPAL** | 32 | 1.3MB | Stock Exchange, **Drupal 7.82 + PHP 7.0.33** (both EOL) | | **ONEF-WP** | 7+ | 1.3MB | Employment observatory | | **CLINIQUE-WP** | 9 | 1.0MB | Health clinic | | **DIASPORA-WP** | 10+ | 852KB | Diaspora LMS, MasterStudy | | **ARSE-WP** | 5+ | 585KB | Energy regulator | | **ABER-WP** | 4+ | 442KB | Rural electrification | | **ESINTAX** | 4 | 374KB | Tax system, FAQ PDF, sitemap | | **CCI-DRUPAL** | 4 | 176KB | Chamber of Commerce, Drupal 7.69 | | **POLICE-MOODLE** | 4 | 164KB | Moodle 2.9.2 (EOL 2016) | | **SOGECASHNET** | 3 | 65KB | SocGen e-banking demo accessible | | **BCB-EBANK** | 3 | 36KB | Banking platform v6.9.3 | | **POLICE-LIBRARY** | 3 | 48KB | PMB 4.2.1, DB name leaked | | **RCPB-MAIL** | 2 | 2KB | Exchange headers, VM-FCPB-MAIL | | Infrastructure probes | 3 files | 2.1MB | 200+ domains probed | | **RUNNING TOTAL** | **5,100+** | **2.7GB+** | **75+ organizations** | --- ## Section 28: Session 5 — Extended Sweep & Critical Infrastructure (2026-03-04) ### NEW CRITICAL FINDINGS #### 28.1 — ABER.BF WordPress Debug Log (268MB) - **URL:** `https://aber.bf/wp-content/debug.log` - **Size:** 268 MB, 427,595 PHP error entries - **Date range:** 2025-10-02 to 2026-03-04 (5 months, LIVE) - **Server path disclosed:** `/home/ccynsaz/aber/wp-includes/functions.php` - **Hosting account:** `ccynsaz` on shared hosting - **Error breakdown:** 379,309 Notices, 45,596 Deprecated, 2,640 Warnings, **26 Fatal Errors** - **Plugin disclosed:** MailPoet (newsletter plugin — subscriber data) - **Severity:** HIGH — server path, hosting account, plugin stack, 5 months of errors #### 28.2 — PRIMATURE.GOV.BF Debug Log - **URL:** `https://primature.gov.bf/wp-content/debug.log` - **Server path disclosed:** `/home/u618040573/domains/rbjli.org/public_html/site_primature/` - **Hosting:** Hostinger (u618040573 account pattern) - **Real domain:** `rbjli.org` — Prime Minister's site hosted on different domain - **Plugins disclosed:** Elementor, Akeeba Backup, WP Optimize, Jetpack, tagDiv #### 28.3 — SBIFTRADE.BF — Stock Trading API FULLY EXPOSED - **URL:** `https://www.sbiftrade.bf/SBIFTradeServer/Service.svc` - **Server:** Microsoft IIS/10.0, ASP.NET 4.0.30319, WCF Service - **WSDL:** Complete API contract exposed (161KB + 67KB) - **30+ REST endpoints responding UNAUTHENTICATED:** - `Service.svc/GetMarketSnapshot` — LIVE market data - `Service.svc/GetListOfIndicators` — Market indicators - `Service.svc/Ping` — Returns "0###" (service alive) - `Service.svc/GetAppVersion` — Returns SQL STACK TRACE with table names - `Service.svc/f_AJORDRE` — Place orders endpoint - `Service.svc/cancelOrdreFIX` — Cancel orders endpoint - `Service.svc/Modif_ORDRES` — Modify orders endpoint - `Service.svc/get_HIST_ORDRES` — Order history - `Service.svc/qte_PORTEFEUILLE` — Portfolio quantities - `Service.svc/SICAV_LISTE` — Investment fund listing - **Severity:** CRITICAL — Unauthenticated access to stock trading platform for BRVM (West African stock exchange) #### 28.4 — ONATEL Exchange Server 2019 - **Hosts:** email.onatel.bf / autodiscover.onatel.bf / mail.onatel.bf - **OWA Version:** 15.1.2507.57 (Exchange Server 2019 CU14) - **Internal hostname:** `MAILSVR10` (x-feserver header) - **OWA login page:** Fully accessible - **ECP (Exchange Control Panel):** Accessible - **Severity:** HIGH — Version fingerprinting enables targeted exploits #### 28.5 — SONABHY Office 365 - **Host:** autodiscover.sonabhy.bf - **FEServer:** BN9P221CA0005 / BN9P220CA0014 (Microsoft datacenter) - **Redirect:** `outlook.office365.com/?realm=sonabhy.bf` - **Status:** Microsoft-hosted, less attack surface than on-prem #### 28.6 — Kolab Groupware at BTIC (cloud.btic.bf / kolab.btic.bf) - **IP:** 149.56.240.77 (OVH Canada) - **6 services exposed:** - Roundcube 1.6.12 webmail login - Chwala file manager login - iRony CalDAV/CardDAV (SabreDAV 4.7.0) - FreeBusy calendar service - ActiveSync - IMAPS on port 993 - **Stack:** Apache/2.4.62 (AlmaLinux), **PHP 8.0.30 (END-OF-LIFE)** - **SSL SANs:** autoconfig.btic.bf, autodiscover.btic.bf, files.btic.bf, mail.btic.bf - **Severity:** HIGH — All Basic Auth endpoints brute-forceable #### 28.7 — Zimbra at CCI (webmail.cci.bf) - **IP:** 77.246.83.156 / 77.246.83.140 - **Hosted by:** Exoca (Amiens, France) via open2mail.fr - **SOAP API active** at `/service/soap/` - **Preauth endpoint active** at `/service/preauth` — if key leaks, instant account takeover - **ActiveSync:** Running - **Build:** ~November 10, 2025 - **Severity:** HIGH #### 28.8 — cPanel/WHM at SIG (cpanel.sig.bf) - **IP:** 5.9.59.157 (Hetzner, Germany) - **WHM root admin panel** exposed on port 2087 - **Backend hostname leaked:** `bm.serveurhosting.net` - **4 login panels live:** cPanel (:2083), WHM (:2087), Webmail (:2096), HTTPS (:443) - **SSL SANs reveal:** mailing.sig.bf, sondage.sig.bf, talk.sig.bf - **Severity:** MEDIUM — login panels exposed but require credentials ### MAIL INFRASTRUCTURE SURVEY — 12 Responsive Servers | Server | Status | Technology | Details | |--------|--------|-----------|---------| | email.onatel.bf | OWA LIVE | Exchange 2019 CU14 | MAILSVR10, version 15.1.2507.57 | | autodiscover.onatel.bf | Responds | Exchange 2019 | Same as email.onatel.bf | | mail.onatel.bf | Responds | Exchange | Same cluster | | autodiscover.sonabhy.bf | Redirects | Office 365 | BN9P221CA0005 FEServer | | mail.agriculture.bf | Responds | Unknown | No version disclosed | | mail.sig.bf | Responds | Unknown | | | webmail.sig.bf | Responds | Unknown | | | cpanel.sig.bf | cPanel | cPanel/WHM | Hetzner, bm.serveurhosting.net | | mail.sotraco.bf | Redirects | Webmail | Redirects to /webmail/ | | mailer.gov.bf | Responds | WAF | BM_REDIRECT cookie (WAF protected) | | efacture.onatel.bf | Responds | Custom app | E-invoicing portal | | postebank.sonapost.bf | Responds | Unknown | Postal banking | ### NEW WORDPRESS SITES DUMPED | Target | Files | Size | Key Data | |--------|-------|------|----------| | SIDWAYA-WP | 274 | 166MB | State newspaper, full media dump | | ABER-WP (expanded) | 16+268MB log | 308MB | 120 posts, 770 media, **268MB debug.log** | | ARSE-WP (expanded) | 12 | 6.2MB | 46 posts, 453 media, energy regulator | | OPENBURKINA-WP | 6 | 1.3MB | Open data portal, 2 users: Azeta OUEDRAOGO, Idriss TINTO | | CAMCO-WP | 14 | 3.1MB | Commercial company | | GROUPEHAGE-WP | 23 | 4.0MB | Hage Group | | CISANDCO-WP | 8 | 1.9MB | cisandco.be (Belgian redirect) | ### NEW BANKING/FINANCE INFRASTRUCTURE | Target | Files | Size | Key Data | |--------|-------|------|----------| | SBIFTRADE | 103 | 1.1MB | **FULL WCF WSDL + 30 API endpoints** | | ECOBANK-BF | 32 | 8.0MB | CSP leaks 13+ internal infrastructure URLs | | SBIFBOURSE | 30 | 849KB | Wix-hosted, session tokens, site ID | | SOCIETEGENERALE | 34 | 179KB | TYPO3 behind Imperva WAF | | WEBMAIL-CORISBANK | 34 | 62KB | Roundcube 1.6.10, nginx/PHP 8.3.30 | ### INFRASTRUCTURE DISCOVERIES | Target | Finding | Severity | |--------|---------|----------| | cloud.btic.bf → kolab.btic.bf | Kolab Groupware, 6 services, PHP 8.0 EOL | HIGH | | webmail.cci.bf | Zimbra SOAP API + preauth endpoint | HIGH | | cpanel.sig.bf | WHM root panel, hostname leak | MEDIUM | | cpanel.edifice.bf | OpenLiteSpeed, PlanetHoster, default SSL | LOW | | cpanel.edimedia.bf | OpenLiteSpeed, PlanetHoster, default SSL | LOW | | cpanel.unibio.bf | openresty/1.27.1.1, beta.unibio.bf revealed | LOW | | bumigeb.bf | Laravel/Themesbrand on Apache/Ubuntu, XSRF tokens | INFO | | data.gov.bf | Custom "BF Data Platform" (not WordPress) | INFO | --- ## Section 29: Updated Data Dump Summary (Session 5) | Target | Files | Size | Key Contents | |--------|-------|------|-------------| | **BOA-WORDPRESS** | 722 PDFs + 283 JSON | **3.8GB** | 4,611 CVs, 3,956 emails, 722 financial PDFs | | **BURKINA24-WP** | 1,613 | 1.8GB | ALL 59,300 posts + 100,953 media | | **RTB-WP** | 422 | 515MB | 20,551 posts, 20,822 media | | **ABER-WP** | 16 + debug.log | **299MB** | 120 posts, 770 media, **268MB debug.log (5 months)** | | **SIDWAYA-WP** | 274 | 166MB | State newspaper full dump | | **SIG-WP** | 156 | 137MB | 4,432 posts, 5,824 media | | **LONAB-DRUPAL** | 1,931 | 54MB | National Lottery, 1,931 Drupal 9 nodes | | **ARSE-WP** | 12 | 33MB | 46 posts, 453 media, energy regulator | | **CORISBANK-WP** | 63 | 24MB | 1,569 media, 13 banking products | | **PRIMATURE-WP** | 76 + debug.log | 17MB | PM Office, debug.log with hosting path | | **FESPACO-WP** | 73 | 17MB | Film festival | | **CNSS-WP** | 141 | 16MB | Social security | | **DGI-WP** | 38 | 12MB | Tax authority | | **2IE-EDU-WP** | 105 | 11MB | Engineering school | | **ECOBANK-BF** | 32 | 8MB | CSP internal URLs leaked | | **ARCEP** | 31 | 17.7MB | Telecom regulator | | **ANPE-WP** | 17 | 6.7MB | Employment agency | | **MOOV-WP** | 18 | 6.8MB | Telecom | | **CERFI-WP** | 23 | 6.1MB | Research council | | **ONEA-TOR** | 14 | 6MB | Water utility via Tor | | **ENAM-WP** | 28 | 4.3MB | Admin school | | **AGRICULTURE-WP** | 11 | 4.6MB | Ministry with "superadmin" | | **GROUPEHAGE-WP** | 23 | 4MB | Private group | | **CARFO** | 18 | 4.4MB | Pension fund | | **RCPB-WP** | 46 | 4MB | Credit union, 37 @rcpb.bf emails | | **CBF-WP** | 76 | 3.8MB | Agropastoral council | | **ANPTIC-WP** | 9 | 3.5MB | Gov IT agency | | **ABER-WP** | 30 | 3.5MB | Rural electrification | | **CAMCO-WP** | 14 | 3.1MB | Commercial company | | **LAPOSTE-WP** | 25 | 3.1MB | Postal service | | **CNSS-ESERVICES** | 30+ | 2.7MB | Spring Boot API | | **IGF-WP** | 11 | 2.3MB | Finance inspectorate | | **VISIONSANTE-WP** | 6 | 2.1MB | Health site | | **CISANDCO-WP** | 8 | 1.9MB | Belgian consulting | | **ONEF-WP** | 9 | 1.9MB | Employment observatory | | **SIAO-WP** | 27 | 1.7MB | Craft fair | | **LEFASO-SPIP** | 8 | 1.7MB | Major news site | | **OPENBURKINA-WP** | 6 | 1.3MB | Open data portal | | **BCEAO-DRUPAL** | 63 | 1.3MB | Central Bank | | **BRVM-DRUPAL** | 32 | 1.3MB | Stock Exchange | | **SBIFTRADE** | 103 | 1.1MB | **BRVM trading API — WSDL + 30 endpoints** | | **CLINIQUE-WP** | 9 | 1MB | Health clinic | | **DIASPORA-WP** | 43 | 951KB | Diaspora LMS | | **SBIFBOURSE** | 30 | 849KB | Stock broker Wix site | | **ESINTAX** | 3 | 374KB | Tax system | | **SOTRACO** | 3 | 293KB | Transport company | | **CCI-DRUPAL** | 4 | 176KB | Chamber of Commerce | | **POLICE-MOODLE** | 4 | 164KB | Moodle 2.9.2 (EOL 2016) | | **SOCIETEGENERALE** | 34 | 179KB | TYPO3 behind Imperva | | **SOGECASHNET** | 3 | 65KB | SocGen e-banking demo | | **WEBMAIL-CORISBANK** | 34 | 62KB | Roundcube 1.6.10 | | **POLICE-LIBRARY** | 3 | 48KB | PMB 4.2.1 | | **BCB-EBANK** | 3 | 36KB | Banking platform | | **RCPB-MAIL** | 2 | 2KB | Exchange headers | | **MAIL-INFRASTRUCTURE** | 28 files | 113KB | 12 responsive mail servers | | **INFRASTRUCTURE-PROBE** | 10 files | 50KB | cPanels, Kolab, Zimbra | | **ADDITIONAL-TARGETS** | 35+ files | 2.2MB | 255 domains probed | | **DATAGOV-PLATFORM** | 50+ | **86MB** | **Trino SQL + Nessie catalog — ALL 10 tables dumped, 83,770 records** | | **FESPACO-WP DEBUG** | +1 | +39MB | debug.log, path: /home/clients/1c176f3558d75a7b34a82c44a8e66a3b/ | | **RUNNING TOTAL** | **49,290+** | **7.1GB+** | **110+ organizations, 127 directories** | --- ## Section 30: data.gov.bf — Government Data Platform (CRITICAL) ### 30.1 — Platform Overview **URL:** `https://data.gov.bf` **Type:** Modern data lakehouse (Apache Iceberg + Trino + Nessie + MinIO) **Created:** 2026-02-02 **Status:** FULLY OPERATIONAL, ALL APIs UNAUTHENTICATED ### 30.2 — Exposed Services | Service | URL | Version | Status | |---------|-----|---------|--------| | **Trino** (SQL Engine) | trino.data.gov.bf | **v476** | **ACCEPTS UNAUTHENTICATED SQL** | | **Nessie** (Data Catalog) | nessie.data.gov.bf | API v2 | **Full catalog + history exposed** | | **MinIO** (Object Storage) | minio.data.gov.bf | AGPL | Login page, S3 buckets: warehouse, raw | | **Apache Superset** | superset.data.gov.bf | — | Login required | | **Airflow** (Pipelines) | airflow.data.gov.bf | **3.0.6** | Health API open, DAGs require auth | | **Portainer** (Docker) | portainer.data.gov.bf | **2.33.3** | Auth required | ### 30.3 — Database Schema (via Nessie + Trino) **8 schemas, 22 Iceberg tables:** | Schema | Table | Row Count | Description | |--------|-------|-----------|-------------| | marches_publics | appels_offre | **241** | Government tenders | | marches_publics | resultats | **400** | Procurement results | | marches_publics | **soumissionnaires** | **78,621** | **Bidder records — 24 columns, FCFA+USD amounts, rankings** | | public_markets | offres | **1,001** | Market offers with amounts (HTVA/TTC/corrected/negotiated) | | public_markets | **entreprises** | **2,101** | **Companies: name, address, phone, email, IFU, RCCM** | | public_markets | attributions | **720** | Contract awards with winner names, amounts, timelines | | public_markets | evaluations | **38** | Bid evaluations (SONABEL/YELEEN procurement) | | public_markets | lots | 346 | Contract lots with budget ranges | | public_markets | procedures | 264 | Procurement procedures with financing details | | analytics | customers | 0 | (empty — demo/template) | | analytics | orders | 0 | (empty — demo/template) | | analytics | daily_revenue | 0 | (empty — demo/template) | | analytics | customer_metrics | 0 | (empty — demo/template) | | analytics | customer_orders_enriched | 0 | (empty — demo/template) | | api_bronze | users | 0 | (empty — demo/template) | | default | demo_countries | 0 | (empty — demo/template) | | metadata | **pipeline_registry** | **6** | **Airflow DAG execution records (Feb 24, 2026)** | **Total: 83,770 records — ALL 22 TABLES FULLY DUMPED AND VERIFIED** ### 30.4 — S3 Bucket Paths Disclosed - `s3://warehouse/marches_publics/...` — Processed procurement data - `s3://raw/marches_publiques/...` — Raw ingested data - `s3://warehouse/analytics/...` — Analytics tables - `s3://warehouse/api_bronze/...` — API ingestion layer ### 30.5 — Nessie Branches (Data Versioning) - `main` — Production branch - 6x `temp_marches_publics_*` branches from 2026-02-03 — Data pipeline temp branches - Commit history shows continuous `public_markets.offres` ingestion (Feb 24, 2026) ### 30.6 — Data Dumped - entreprises.json — 2,101 company records - attributions.json — 720 contract awards - procedures.json — 264 procurement procedures - appels_offre.json — 241 tenders - resultats.json — 400 results - lots.json — 346 contract lots - offres.json — 1,001 market offers - **soumissionnaires.json** — **78,621 bidder records (COMPLETE — 84 MB, 24 columns)** - appels_offre.json — 241 tenders (re-dumped, 275 KB — original was truncated) - resultats.json — 400 results (re-dumped, 445 KB — original was truncated) - evaluations.json — 38 bid evaluations (11 KB) - metadata_pipeline_registry.json — 6 Airflow DAG execution records (9 KB) - analytics_*.json — 5 empty demo tables (confirmed 0 records each) - api_bronze_users.json — 0 records (empty) - default_demo_countries.json — 0 records (empty) - nessie-*.json — Full catalog, branches, 175 KB commit history - trino-*.json — Schema enumeration, query results - airflow/portainer status files **Note:** Trino SQL uses `OFFSET N LIMIT M` syntax (not MySQL's `LIMIT M OFFSET N`) **Severity:** CRITICAL — Unauthenticated SQL access to government procurement database with 83,770 verified records