{"id":17006015,"url":"https://github.com/aress31/xmlrpc-bruteforcer","last_synced_at":"2025-05-08T00:38:38.897Z","repository":{"id":41280991,"uuid":"66928367","full_name":"aress31/xmlrpc-bruteforcer","owner":"aress31","description":"Multi-threaded XMLRPC brute forcer using amplification attacks targeting WordPress installations prior to version 4.4.","archived":false,"fork":false,"pushed_at":"2024-05-03T19:51:27.000Z","size":48,"stargazers_count":133,"open_issues_count":9,"forks_count":39,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-05-08T00:38:33.086Z","etag":null,"topics":["bruteforce","bruteforce-amplification-attack","multicall","pentesting","python","wordpress","xmlrpc-bruteforcer","xmlrpc-interface"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aress31.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"aress31","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":null}},"created_at":"2016-08-30T09:50:55.000Z","updated_at":"2025-04-02T12:02:41.000Z","dependencies_parsed_at":"2024-10-26T21:20:56.537Z","dependency_job_id":null,"html_url":"https://github.com/aress31/xmlrpc-bruteforcer","commit_stats":{"total_commits":16,"total_committers":4,"mean_commits":4.0,"dds":0.4375,"last_synced_commit":"bbca347dae4bd39f2048cc593b44fa9ae2b972e7"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fxmlrpc-bruteforcer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fxmlrpc-bruteforcer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fxmlrpc-bruteforcer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aress31%2Fxmlrpc-bruteforcer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aress31","download_url":"https://codeload.github.com/aress31/xmlrpc-bruteforcer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252978667,"owners_count":21834910,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bruteforce","bruteforce-amplification-attack","multicall","pentesting","python","wordpress","xmlrpc-bruteforcer","xmlrpc-interface"],"created_at":"2024-10-14T05:04:48.262Z","updated_at":"2025-05-08T00:38:38.842Z","avatar_url":"https://github.com/aress31.png","language":"Python","funding_links":["https://github.com/sponsors/aress31"],"categories":[],"sub_categories":[],"readme":"# xmlrpc-bruteforcer\n\n\u003ca href=\"https://www.python.org\"\u003e\u003cimg alt=\"lang\" src=\"https://img.shields.io/badge/Lang-Python-blue.svg\"\u003e\u003c/a\u003e\n\u003ca href=\"https://opensource.org/licenses/Apache-2.0\"\u003e\u003cimg alt=\"license\" src=\"https://img.shields.io/badge/License-Apache%202.0-red.svg\"\u003e\u003c/a\u003e\n\n## Bruteforcing `CMS` users' passwords via the `XMLRPC` interface.\n\nThis script is a `PoC` for the _Brute Force Amplification Attack_ exploit against `XMLRPC` interfaces enabling the `_system.multicall()_` method (enabled by default).\n\nThe `_system.multicall()_` method allows multiple calls to be sent within a single `HTTP` request. Using this \"wrapper\", malicious attackers can carry out a large number of login attempts (bruteforce) with a minimal network impact, consequently making them stealthier and more efficient.\n\nAt the moment, the maximum number of calls which can be encapsulated within the `_system.multicall()_` method without triggering a networking error is `1999` calls meaning that for each `HTTP` request sent `1999` different login attempts are performed.\n\nMore information about the bruteforce amplification attack can be found at:\n\n- https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/\n\n\u003e [!IMPORTANT]\n\u003e This script has been sucessfully tested against WordPress versions **\u003c 4.4**.\n\n## Installation\n\n1. Download this repository:\n\n   ```bash\n   git clone https://github.com/AresS31/xmlrpc-bruteforcer\n   cd .\\xmlrpc-bruteforcer\n   ```\n\n2. Install the dependencies:\n\n   ```bash\n   pip install -r requirements.txt\n   ```\n\n## Running on Docker\n\n```bash\ncd .\\xmlrpc-bruteforcer\ndocker build -t xmlrpc-bruteforcer .\ndocker run --rm -v $(pwd):/wordlists xmlrpc-bruteforcer -u admin -w /wordlists/wordlist.txt -t 3 -x https://wordpress.local/xmlrpc.php\n```\n\n## Usage\n\n```bash\npython3 xmlrpc-bruteforce.py -u [username] -w [wordlist] -x [xmlrpc_intf] -t [threads_number] -c [chunks_size] -v [verbose] -h [help]\n[-u]: username of the targeted user, required\n[-w]: wordlist containing the passwords to try, required\n[-x]: xmlrpc interface to attack, required\n[-t]: number of threads to run, optional, default value: 5\n[-c]: number of calls to encapsulate within a system.mullticall() call, optional, default value: 1999\n[-v]: print debugging information, optional, default value: False\n[-h]: print help\n```\n\n## Roadmap\n\n- [ ] Debug the `tqdm` and `sys.stdout` printing issues.\n- [ ] Improve the quality of the source code.\n\n## Sponsor 💖\n\nIf you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next cup of coffee. ☕\n\nIt is easy, all you got to do is press the `Sponsor` button at the top of this page or alternatively [click this link](https://github.com/sponsors/aress31). 💸\n\n## Reporting Issues\n\nFound a bug? I would love to squash it! 🐛\n\nPlease report all issues on the GitHub [issues tracker](https://github.com/aress31/xmlrpc-bruteforcer/issues).\n\n## Contributing\n\nYou would like to contribute to better this project? 🤩\n\nPlease submit all `PRs` on the GitHub [pull requests tracker](https://github.com/aress31/xmlrpc-bruteforcer/pulls).\n\n## License\n\nSee [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fxmlrpc-bruteforcer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faress31%2Fxmlrpc-bruteforcer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faress31%2Fxmlrpc-bruteforcer/lists"}