{"id":27817910,"url":"https://github.com/inmymine7/wp-brute","last_synced_at":"2025-05-01T15:28:22.974Z","repository":{"id":168975268,"uuid":"644823654","full_name":"InMyMine7/WP-Brute","owner":"InMyMine7","description":" WordPress XML-RPC \u0026 WP-Login Bruteforce + Auto Uploader  Powerful asynchronous bruteforce tool for WordPress sites via wp-login.php and xmlrpc.php, featuring smart password placeholders, username enumeration, and auto-plugin/theme uploader with shell verification. Built for speed, efficiency, and full automation.","archived":false,"fork":false,"pushed_at":"2025-04-22T09:43:49.000Z","size":1256,"stargazers_count":10,"open_issues_count":1,"forks_count":5,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-22T11:01:45.316Z","etag":null,"topics":["brute-force","bruteforce-attacks","plugin-uploader","wordpress-brute-force","wordpress-bruteforce","wp-login","wpbf","xmlrpc","xmlrpc-api","xmlrpc-bruteforcer"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/InMyMine7.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-05-24T10:31:11.000Z","updated_at":"2025-04-22T09:51:23.000Z","dependencies_parsed_at":"2025-04-22T10:59:28.552Z","dependency_job_id":"df2a5c22-fe82-489b-8cb0-c7283bffe895","html_url":"https://github.com/InMyMine7/WP-Brute","commit_stats":null,"previous_names":["inmymine7/xmlrpc-brure-force"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/repositories/InMyMine7%2FWP-Brute","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/InMyMine7%2FWP-Brute/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/InMyMine7%2FWP-Brute/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/InMyMine7%2FWP-Brute/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/InMyMine7","download_url":"https://codeload.github.com/InMyMine7/WP-Brute/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251897930,"owners_count":21661729,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["brute-force","bruteforce-attacks","plugin-uploader","wordpress-brute-force","wordpress-bruteforce","wp-login","wpbf","xmlrpc","xmlrpc-api","xmlrpc-bruteforcer"],"created_at":"2025-05-01T15:28:22.489Z","updated_at":"2025-05-01T15:28:22.959Z","avatar_url":"https://github.com/InMyMine7.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# XMLRPC \u0026 WPLOGIN Bruteforce + Auto Upload\n\nThis tool is designed for security researchers and penetration testers to test the security of WordPress websites. It attempts to brute-force login credentials using both the wp-login.php and xmlrpc.php methods and, upon successful login, uploads a specified plugin and/or theme.\n\n**Disclaimer:** This tool is for **educational and authorized testing purposes only**. Unauthorized use on systems you do not own or have permission to test is illegal and unethical. 
The author is not responsible for any misuse or damage caused by this tool.\n\n## Features\n- Asynchronous bruteforce with `asyncio` + `httpx`\n- Supports login via `wp-login.php` and `xmlrpc.php`\n- Checks if a target website is a WordPress site.\n- Brute-forces login credentials using a provided password list with various transformations.\n- Uploads a specified plugin and/or theme upon successful login.\n- Verifies the uploaded plugin or theme by checking for specific strings.\n- Loads local OpenSSL DLLs on Windows for SSL compatibility.\n- Bypasses SSL verification for flexibility in testing environments.\n\n## Requirements\n\n- Python 3.7 or higher\n- Required Python libraries:\n  - `httpx`\n  - `colorama`\n  - `requests`\n  - `asyncio`\n  - `ssl`\n  - `ctypes` (for Windows users)\n\nYou can install the required libraries using pip:\n\n```bash\npip install httpx colorama requests\n```\n\n## Usage\n\n1. **Prepare the target list file:** Create a text file containing the list of target websites, one per line. For example:\n\n   ```\n   http://example.com\n   http://anotherexample.com\n   ```\n\n2. **Prepare the password list file:** Create a text file containing the list of passwords to try. The tool supports placeholders in the passwords that will be replaced with transformations of the username and domain. 
For example:\n\n   ```\n   [WPLOGIN]123\n   password[DOMAIN]\n   [YEAR]admin\n   ```\n\n   Available placeholders:\n\n   - `[WPLOGIN]`: Replaced with the username.\n   - `[UPPERLOGIN]`: Replaced with the username in uppercase.\n   - `[DOMAIN]`: Replaced with the domain name without the TLD.\n   - `[DDOMAIN]`: Replaced with the full domain name.\n   - `[YEAR]`: Replaced with the current year.\n   - `[UPPERALL]`: Replaced with the username in uppercase.\n   - `[LOWERALL]`: Replaced with the username in lowercase.\n   - `[UPPERONE]`: Replaced with the username capitalized.\n   - `[LOWERONE]`: Replaced with the first letter lowercase and the rest uppercase.\n   - `[AZDOMAIN]`: Replaced with the domain name without special characters.\n   - `[REVERSE]`: Replaced with the reversed username.\n   - `[DVERSE]`: Replaced with the reversed domain name without TLD.\n   - `[UPPERDO]`: Replaced with the domain name capitalized without TLD.\n   - `[UPPERDOMAIN]`: Replaced with the full domain name in uppercase.\n\n3. **Prepare the plugin and theme zip files:** The tool looks for `plugin-inmymine.zip` and `theme-inmymine.zip` in the same directory as the script. These should be the zip files you want to upload upon successful login.\n\n4. **Run the script:** Execute the script using Python:\n\n   ```bash\n   python main.py\n   ```\n\n   You will be prompted to enter the path to the target list file and the password list file.\n\n5. **Output:** The tool will output the results to the console and save successful logins to `success.txt`. If uploads fail, the site will be logged in `failed.txt`. 
Uploaded plugins and themes will be saved in `plugins.txt` and `themes.txt`, respectively.\n\n## Example\n```bash\n[INFO] OpenSSL Version: OpenSSL 1.1.1\nEnter target list file: x.txt\nEnter password list file: password.txt\n[found username] http://example.com: ['admin']\n[FAIL] http://example.com -\u003e admin:password123\n[SUCCESS] http://example.com -\u003e admin:admin2025\n[UPLOAD SUCCESS] Plugin: http://example.com/wp-content/plugins/random123/install.php\n```\n## How It Works\n\n1. **WordPress Detection:** The tool checks if the target site has a `wp-login.php` page and looks for specific strings to confirm it's a WordPress site.\n2. **Username Enumeration:** It attempts to retrieve usernames from the WordPress REST API endpoint `/wp-json/wp/v2/users`. It falls back to the default username (admin) if enumeration fails.\n3. **Brute-Force Login:** For each username, it tries each password in the list, applying transformations based on the placeholders. It attempts to log in using both the wp-login.php and xmlrpc.php methods.\n4. **Upload Plugin/Theme:** Upon successful login, it uploads the specified plugin and/or theme zip files using the WordPress admin interface.\n5. **Verification:** It checks if the uploaded plugin or theme is active by verifying specific strings in the response from the uploaded file's URL.\n\n## Contributing\n\nContributions are welcome! Please feel free to submit a pull request or open an issue for any bugs or feature requests.\n\n1. Fork this repository.\n2. Create a pull request with your changes.\n3. Report bugs or suggestions via GitHub issues.\n\n## License\n\nThis project is licensed under the MIT License.\n\n## Contact\n\nFor any inquiries, you can reach me at:\n\n- GitHub: InMyMine7\n- Telegram: t.me/minsepen\n\n---\n\n**Note:** This tool is for educational and testing purposes only. 
Always ensure you have permission before testing any website.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finmymine7%2Fwp-brute","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finmymine7%2Fwp-brute","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finmymine7%2Fwp-brute/lists"}