Skip to content

aress31/xmlrpc-bruteforcer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits

.github

.github

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

requirements.txt

requirements.txt

 
 

xmlrpc-bruteforcer.py

xmlrpc-bruteforcer.py

 
 

Repository files navigation

xmlrpc-bruteforcer

lang license

Bruteforcing CMS users' passwords via the XMLRPC interface.

This script is a PoC for the Brute Force Amplification Attack exploit against XMLRPC interfaces enabling the _system.multicall()_ method (enabled by default).

The _system.multicall()_ method allows multiple calls to be sent within a single HTTP request. Using this "wrapper", malicious attackers can carry out a large number of login attempts (bruteforce) with a minimal network impact, consequently making them stealthier and more efficient.

At the moment, the maximum number of calls which can be encapsulated within the _system.multicall()_ method without triggering a networking error is 1999 calls meaning that for each HTTP request sent 1999 different login attempts are performed.

More information about the bruteforce amplification attack can be found at:

Important

This script has been sucessfully tested against WordPress versions < 4.4.

Installation

  1. Download this repository:

    git clone https://github.com/AresS31/xmlrpc-bruteforcer
cd .\xmlrpc-bruteforcer

  2. Install the dependencies:

    pip install -r requirements.txt

Running on Docker

cd .\xmlrpc-bruteforcer
docker build -t xmlrpc-bruteforcer .
docker run --rm -v $(pwd):/wordlists xmlrpc-bruteforcer -u admin -w /wordlists/wordlist.txt -t 3 -x https://wordpress.local/xmlrpc.php

Usage

python3 xmlrpc-bruteforce.py -u [username] -w [wordlist] -x [xmlrpc_intf] -t [threads_number] -c [chunks_size] -v [verbose] -h [help]
[-u]: username of the targeted user, required
[-w]: wordlist containing the passwords to try, required
[-x]: xmlrpc interface to attack, required
[-t]: number of threads to run, optional, default value: 5
[-c]: number of calls to encapsulate within a system.mullticall() call, optional, default value: 1999
[-v]: print debugging information, optional, default value: False
[-h]: print help

Roadmap

  • Debug the tqdm and sys.stdout printing issues.
  • Improve the quality of the source code.

Sponsor 💖

If you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next cup of coffee. ☕

It is easy, all you got to do is press the Sponsor button at the top of this page or alternatively click this link. 💸

Reporting Issues

Found a bug? I would love to squash it! 🐛

Please report all issues on the GitHub issues tracker.

Contributing

You would like to contribute to better this project? 🤩

Please submit all PRs on the GitHub pull requests tracker.

License

See LICENSE.

About

Multi-threaded XMLRPC brute forcer using amplification attacks targeting WordPress installations prior to version 4.4.

Topics

python wordpress bruteforce pentesting xmlrpc-interface xmlrpc-bruteforcer multicall bruteforce-amplification-attack

Resources

Readme

License

Apache-2.0 license
Activity

Stars

106 stars

Watchers

6 watching

Forks

41 forks
Report repository

Releases

No releases published

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages