
Nettacker fails running wp_xmlrpc_bruteforce_vuln module on Python 3.11 with database errors and undefined constants

Open 08062003 opened this issue 1 month ago • 3 comments

Issue Description: Attempting to run the OWASP Nettacker command below on Kali Linux with Python 3.11 encounters fatal errors preventing execution:

```text
python3.11 nettacker.py -i 192.168.29.62 -m wp_xmlrpc_bruteforce_vuln
```

Errors observed include:

PHP Fatal error for missing WordPress DB tables (wordpress_vuln.wp_options does not exist)

PHP Fatal errors about undefined constants such as DB_USER in WordPress wp-includes/load.php

Deprecated warnings about dynamic property creation in WordPress core (wpdb)

The WordPress instance used by the target returns "500 Internal Server Error" for /wordpress-vuln/

Diagnostic steps already taken:

Used correct DB credentials in WordPress wp-config.php

Verified file permissions and ownership set to www-data

Confirmed Apache, PHP (with necessary modules) and MariaDB are properly installed and running

Database wordpress_vuln exists with user wpuser, matching credentials in wp-config.php

Empty or recreated the database, but tables are missing, causing WordPress setup errors

Attempted WordPress installation wizard; errors persist

Nettacker is run using Python 3.11 on Kali Linux as the target environment

Expected behavior:

Nettacker should successfully run the WordPress XML-RPC brute force module without hitting WordPress-related database or PHP errors on the target web application.

Potential area of concern:

The WordPress target instance under test is misconfigured or incomplete, leading to fatal PHP errors not caused by Nettacker itself but by the WordPress test instance.

Additional notes:

The errors seem related to WordPress target setup rather than Nettacker code, but Nettacker should handle or report gracefully.

Seeking guidance for Nettacker compatibility with WordPress targets running on PHP 8.x and MySQL/MariaDB with correct but incomplete installs.

Environment: Kali Linux (latest)

Python 3.11

OWASP Nettacker (latest GitHub release)

Target WordPress: WordPress 5.x, PHP 8.x, MariaDB 10.x on Debian 12

Apache 2.4.65

Request: Assistance or guidance on:

Ensuring Nettacker WP XML-RPC brute force module runs cleanly against WordPress targets with contemporary PHP/MySQL environments

Proper handling/logging of PHP/DB errors during scanning

Any required Nettacker config for Python 3.11 and WordPress 5.x targets

08062003 avatar Nov 14 '25 06:11 08062003

hey @08062003 I have submitted a full fix for this issue in PR #1169
The wp_xmlrpc_bruteforce_vuln module now handles:

  • WP 500 errors
  • PHP fatal errors
  • HTML responses instead of XML
  • Misconfigured installs
  • WordPress running on port 8080

Rohankaf avatar Nov 16 '25 18:11 Rohankaf
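The issue body asks for "proper handling/logging of PHP/DB errors during scanning", and the comment above lists the response types a robust module has to recognise (HTTP 500, PHP fatal errors, HTML instead of XML, misconfigured installs). The block below is an added example, not Nettacker's code and not the code in PR #1169: it classifies what a WordPress xmlrpc.php probe actually returned so a scanner can log a clear "target is broken" message and move on instead of crashing on a non-XML body. The function names, label strings and the sample bodies (modelled on the error text quoted in the issue) are constructed for this example.

```python
"""Added example (not Nettacker's code): classify what a WordPress /xmlrpc.php
probe actually returned, so a scanner can log "target is broken" instead of
choking on a PHP error page. Labels and sample bodies are this example's own."""
import re
import xml.etree.ElementTree as ET

# Failure modes reported in the issue: PHP fatal errors, missing WordPress
# tables, and HTML error pages where an XML-RPC <methodResponse> was expected.
PHP_FATAL_RE = re.compile(r"Fatal error\b", re.IGNORECASE)
WP_DB_ERROR_RE = re.compile(
    r"Error establishing a database connection|Table '[^']+' doesn't exist",
    re.IGNORECASE,
)
HTML_RE = re.compile(r"<!DOCTYPE html|<html\b", re.IGNORECASE)


def classify_xmlrpc_response(status, content_type, body):
    """Return one label for the probe result.

    'php_fatal', 'wp_db_error' and 'html_not_xml' all mean "misconfigured
    target, do not retry"; 'http_error' covers 5xx without a recognisable
    cause; 'xmlrpc_fault' / 'xmlrpc_response' mean the endpoint is healthy.
    Text checks run before XML parsing because PHP prints fatal errors into a
    200 OK text/html body when display_errors is on.
    """
    ctype = (content_type or "").lower()
    if PHP_FATAL_RE.search(body):
        return "php_fatal"
    if WP_DB_ERROR_RE.search(body):
        return "wp_db_error"
    if status >= 500:
        return "http_error"
    if HTML_RE.search(body) or "html" in ctype:
        return "html_not_xml"
    try:
        # The stdlib parser is fine for a structure check; prefer defusedxml
        # when the parsed content itself is going to be trusted further.
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return "unparseable"
    if root.tag != "methodResponse":
        return "unparseable"
    return "xmlrpc_fault" if root.find("fault") is not None else "xmlrpc_response"


# Human-readable log line per label; the scanner records this and moves on.
ADVICE = {
    "php_fatal": "target PHP fatal error; WordPress install is broken, module skipped",
    "wp_db_error": "target database error; wp-config.php/tables incomplete, module skipped",
    "http_error": "target returned HTTP 5xx with no XML body, module skipped",
    "html_not_xml": "endpoint served HTML instead of XML-RPC; not a usable xmlrpc.php",
    "unparseable": "body is not well-formed XML-RPC; logged for manual review",
    "xmlrpc_fault": "XML-RPC reachable, server returned a fault",
    "xmlrpc_response": "XML-RPC reachable and answering",
}


def report(status, content_type, body):
    """Classify a response and return (label, log message the scanner would emit)."""
    label = classify_xmlrpc_response(status, content_type, body)
    return label, f"[{label}] HTTP {status}: {ADVICE[label]}"


# Constructed sample responses modelled on the errors quoted in the issue.
SAMPLES = {
    "fatal": (200, "text/html; charset=UTF-8",
              '<br />\n<b>Fatal error</b>:  Uncaught Error: Undefined constant "DB_USER"'
              " in /var/www/html/wordpress-vuln/wp-includes/load.php:1"),
    "dbtable": (500, "text/html",
                "WordPress database error Table 'wordpress_vuln.wp_options' doesn't exist"),
    "html500": (500, "text/html",
                "<!DOCTYPE html><html><body><h1>Internal Server Error</h1></body></html>"),
    "fault": (200, "text/xml",
              '<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value>'
              "<struct><member><name>faultCode</name><value><int>405</int></value></member>"
              "<member><name>faultString</name><value><string>XML-RPC services are disabled"
              " on this site.</string></value></member></struct></value></fault></methodResponse>"),
    "ok": (200, "text/xml",
           '<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
           "<value><string>system.listMethods</string></value></data></array></value>"
           "</param></params></methodResponse>"),
}

if __name__ == "__main__":
    for name, (status, ctype, body) in SAMPLES.items():
        print(name, "->", report(status, ctype, body)[1])
```

The ordering of the checks is the point: a PHP fatal error usually arrives as HTTP 200 with a text/html body, so testing the status code or content type first would misfile it, while a database error on a 500 page is more useful to report as "database" than as a bare 5xx. Anything the classifier cannot name is logged as unparseable rather than raised as an exception, which is the graceful behaviour the issue asks for.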

@Rohankaf please see #1168, the issue has been answered.

pUrGe12 avatar Nov 16 '25 19:11 pUrGe12

This didn't solve the issue 😕

08062003 avatar Nov 18 '25 09:11 08062003