n00py / wpforce Goto Github PK

View Code? Open in Web Editor NEW

906.0 50.0 219.0 142 KB

Wordpress Attack Suite

Home Page: https://www.n00py.io/2017/03/squeezing-the-juice-out-of-a-compromised-wordpress-server/

License: BSD 2-Clause "Simplified" License

Python 96.13% JavaScript 3.87%

wordpress wordpress-attack hacking-tool pentest-tool reverse-shell keylogger php javascript xss-exploitation

wpforce's Introduction

WPForce - Wordpress Attack Suite

ABOUT:

WPForce is a suite of Wordpress Attack tools. Currently this contains 2 scripts - WPForce, which brute forces logins via the API, and Yertle, which uploads shells once admin credentials have been found. Yertle also contains a number of post exploitation modules.

For more information, visit the blog post here: https://www.n00py.io/2017/03/squeezing-the-juice-out-of-a-compromised-wordpress-server/

Blogs in other languages:

Chinese - www.mottoin.com/100381.html

Portuguese - http://www.100security.com.br/wpforce/

Spanish - http://www.1024megas.com/2017/05/wpforce-fuerzabruta-postexplotacion.html

https://esgeeks.com/como-hackear-sitio-wordpress-con-wpforce/

Russian - https://hackware.ru/?p=2547

French - https://securityhack3r.info/wpforce-brute-force-attack-tool-wordpress/

Turkish - http://turkhackteam.org/web-server-guvenligi/1655005-wordpress-site-sizma-testi-part-1-a.html

FEATURES:

Brute Force via API, not login form bypassing some forms of protection
Can automatically upload an interactive shell
Can be used to spawn a full featured reverse shell
Dumps WordPress password hashes
Can backdoor authentication function for plaintext password collection
Inject BeEF hook into all pages
Pivot to meterpreter if needed

INSTALL:

Yertle requires the requests libary to run.
http://docs.python-requests.org/en/master/user/install/

USAGE:

python wpforce.py -i usr.txt -w pass.txt -u "http://www.[website].com"

   ,-~~-.___.       __        __ ____   _____
  / |  x     \      \ \      / /|  _ \ |  ___|___   _ __  ___  ___
 (  )        0       \ \ /\ / / | |_) || |_  / _ \ | '__|/ __|/ _ \.
  \_/-, ,----'  ____  \ V  V /  |  __/ |  _|| (_) || |  | (__|  __/
     ====      ||   \_ \_/\_/   |_|    |_|   \___/ |_|   \___|\___|
    /  \-'~;   ||     |
   /  __/~| ...||__/|-"   Brute Force Attack Tool for Wordpress
 =(  _____||________|                 ~n00py~

Username List: usr.txt (3)
Password List: pass.txt (21)
URL: http://www[website].com
--------------------------
[[email protected] : xxxxxxxxxxxxx] are valid credentials!  - THIS ACCOUNT IS ADMIN
--------------------------
--------------------------
[[email protected] : xxxxxxxxxxxx] are valid credentials!
--------------------------
 100% Percent Complete
All correct pairs:
{'[email protected]': 'xxxxxxxxxxxxx', '[email protected]': 'xxxxxxxxxxxxx'}

 -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        Input file name
  -w WORDLIST, --wordlist WORDLIST
                        Wordlist file name
  -u URL, --url URL     URL of target
  -v, --verbose         Verbose output. Show the attemps as they happen.
  -t THREADS, --threads THREADS
                        Determines the number of threads to be used, default
                        is 10
  -a AGENT, --agent AGENT
                        Determines the user-agent
  -d, --debug           This option is used for determining issues with the
                        script.


python yertle.py -u "[username]" -p "[password]" -t "http://www.[website].com" -i
     _..---.--.    __   __        _   _
   .'\ __|/O.__)   \ \ / /__ _ __| |_| | ___
  /__.' _/ .-'_\    \ V / _ \ '__| __| |/ _ \.
 (____.'.-_\____)    | |  __/ |  | |_| |  __/
  (_/ _)__(_ \_)\_   |_|\___|_|   \__|_|\___|
   (_..)--(.._)'--'         ~n00py~
      Post-exploitation Module for Wordpress

Backdoor uploaded!
Upload Directory: ebwhbas
os-shell>



  -h, --help            show this help message and exit
  -i, --interactive     Interactive command shell
  -r, --reverse         Reverse Shell
  -t TARGET, --target TARGET
                        URL of target
  -u USERNAME, --username USERNAME
                        Admin username
  -p PASSWORD, --password PASSWORD
                        Admin password
  -li IP, --ip IP       Listener IP
  -lp PORT, --port PORT
                        Listener Port
  -v, --verbose         Verbose output.
  -e EXISTING, --existing EXISTING
                        Skips uploading a shell, and connects to existing
                        shell

Yertle currently contains these modules:

Core Commands
=============
 
Command                   Description
-------                   -----------
?                         Help menu
beef                      Injects a BeEF hook into website
dbcreds                   Prints the database credentials
exit                      Terminate the session
hashdump                  Dumps all WordPress password hashes
help                      Help menu
keylogger                 Patches WordPress core to log plaintext credentials
keylog                    Displays keylog file
meterpreter               Executes a PHP meterpreter stager to connect to metasploit
persist                   Creates an admin account that will re-add itself
quit                      Terminate the session
shell                     Sends a TCP reverse shell to a netcat listener
stealth                   Hides Yertle from the plugins page

wpforce's People

Contributors

Stargazers

Watchers

Forkers

minkione cys3c rajivraj samyoyo techlord-rce alma4rebi 0thm4n3 brammittendorff-dd ydl555 coldcain gamer7569 songofhack mrlobic olivierh59500 hax0rg1rl ezesoler zshell av1080p y0d4a clicknull subinacls kbahaxor bemonolit yeshuibo awesome-security w4ter linxi0428 mgcfish ksmaheshkumar projectboot cyberhack255 liggle123 5up3rc pawankumar9 doglife007 dnkls sasqwatch andyvaikunth dovao bluebear171 fb11 rogerio1982 qutorial knightth0r kaicastledine oofteerapud02 sinabio enterstudio puujee0238 adzon rygz146 soft360c 1ux10 solertis aln7 haseebc r3dfruitrollup digits88 namns1412 grant555 ncivnp ykankaya hridoyryan selfevo michaelwayneliu ro9ueadmin scorpioni4e fingerleakers paulkenya sisi12345 kaihacker sepppenner raymondseger rex05 wizard2773 dannymas sepulveda901 s3gm3nt4ti0nf4ult ladin157 stevenchen0x01 bigttys0 vishnudath cinno suaili hisanmehmood rdincel1 yahongie2014 sheeraz-hacks-production dorkwiz theheartofraven saikoekos 76428778fada 8l4nk n1ghm4r3 seabreg orf53975 mubashirsiddique injectcode royrogers trrnt

wpforce's Issues

Some modules have issues with php-cgi

Some Yertle modules invoke PHP from the command line. I've found that in some cases, the PHP interpreter used is php-cgi. I found this to the case on servers that are in a shared hosting enviroment.

In the future, Yertle may be re-written to not require calling PHP on the command line. For now I am adding a safety check that will abort a module if it is found that the PHP interpreter is php-cgi.

Hi

Using Yertle - Help

Hi,

I got Yertle to load properly, but when I try to use the beef exploit, I get no hook back into beef. Yertle requested an IP address; which IP address am I supposed to provide so that beef can pick up the hook?

Thanks

Is it safe for my PC?

Windows Defender has been detected:
Trojan:PHP/RevWebshell.YA
Is this app safe?

How can I make it work for http://site.com/wordpress/?

No license and version numbering

Your project is being reviewed for a new security-related website I'm working on. Due to the license missing (both here and in the code or on the screen output), it is unclear how people can use the software. Also, a version number is missing.

Can you select a license and add it to the project? For version numbers, the semantic version numbering is typically advised.

Thanks for your project!

HTTP Error 400: Bad Request

Now the brute force will begin! >:)
HTTP Error 400: Bad Request - Try reducing Thread count
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "wpforce.py", line 66, in worker
PasswordAttempt(user,password,url,thread_no,verbose,debug,agent)
File "wpforce.py", line 164, in PasswordAttempt
if args.verbose is True or args.debug is True:
NameError: global name 'args' is not defined

HTTP Error 400: Bad Request - Try reducing Thread count
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "wpforce.py", line 66, in worker
PasswordAttempt(user,password,url,thread_no,verbose,debug,agent)
File "wpforce.py", line 164, in PasswordAttempt
if args.verbose is True or args.debug is True:
NameError: global name 'args' is not defined

dont understart why this is happening?

Proxy list support

Hi, thanks for good solution!
How can I use proxy list?
Can you add proxy support?
You can use flag:
-p proxy-list.txt

syntax errors

hi guys.
I'm trying to test my WP Website security Vulnerability with this amazing tool.
seriously its very nice , useful and beautiful.
but I've got some problems with run the tool.
here is the errors:
File "c:\WPForce\wpforce.py", line 72
print "Here is the content of the wordlists for each thread"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("Here is the content of the wordlists for each thread")?

File "c:\WPForce\wpforce.py", line 96
print banner
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(banner)?

Getting error with hashdump command

Hi,

I'm trying your program on a test site on my hosting (because I got hacked and I want to see what they were able to get) and when I try hashdump it is giving me this error. I tried to troubleshoot and I found out that sendcommand.text is empty but I cannot figure out why...

It does that also for dbcreds but not for keylogger, it is strange...

Here is the output of the error :

os-shell> hashdump
Traceback (most recent call last):
File "yertle.py", line 466, in
main()
File "yertle.py", line 447, in main
commandloop(args.target, uploaddir)
File "yertle.py", line 98, in commandloop
hashdump(host, uploaddir)
File "yertle.py", line 306, in hashdump
items = datacreds(host, uploaddir)
File "yertle.py", line 134, in datacreds
user = credextract(sendcommand.text, 'DB_USER')
File "yertle.py", line 147, in credextract
return se[2]
IndexError: list index out of range

Thanks a lot for your help

can you make mass maybe people more interesting !

can you make this tool list.txt of sites

Can someone help me with kinda a how to on this?

It says my question above I just don't really understand how to set i up.

NameError: global name 'passlist' is not defined

Wpforce runs fine for a short time, then the error comes up:
"NameError: global name 'passlist' is not defined"

Potential Issue

I am testing a site with admin and a user. The output with -v is showing it test admin the user and no user.

Exception in thread Thread

WAF or security plugin likely in use
Exception in thread Thread-4:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "wpforce.py", line 63, in worker
PasswordAttempt(user,password,url,thread_no,verbose,debug,agent)
File "wpforce.py", line 155, in PasswordAttempt
total = len(passlist)
NameError: global name 'passlist' is not defined

Traceback (most recent call last):
File "wpforce.py", line 213, in
main()
File "wpforce.py", line 203, in main
time.sleep(0.1)

USERNAME instead of USER LIST

Hello ,

If anyone can tell me how to run a username I already have instead of a list. Thank you
hash

Add an option (suggestion)

Hi,

First I wanted to thank you for this awesome tool. Would it be possible to add an option for running WPForce with all WordPress urls in a file?

e.g. : python wpforce.py -i usr.txt -w passwd.txt -f filename-containing-urls.txt

This would be awesome. Thanks again.

Remove Modules

Certain modules such as beef, persistence, and keylogger modify core wordpress files. Add functionality to remove these modifications.

Add new check to Yertle

When connecting to an existing shell, Yertle does not validate it exists before trying to send commands. Validate that this shell exists before giving the user a shell prompt.

wordpress 4.8 error

i runed yertle
python yertle.py -u dddddd -p dddddddd -t http://www.xxxxxx.com --interactive
got error
Post-exploitation Module for Wordpress

Traceback (most recent call last):
File "yertle.py", line 413, in
main()
File "yertle.py", line 393, in main
uploaddir = uploadbackdoor(args.target, args.username, args.password, "shell", args.verbose, args.agent)
File "yertle.py", line 29, in uploadbackdoor
r = session.post(url, headers=headers, data=payload)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 535, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 630, in send
history = [resp for resp in gen] if allow_redirects else []
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 111, in resolve_redirects
raise TooManyRedirects('Exceeded %s redirects.' % self.max_redirects, response=resp)
requests.exceptions.TooManyRedirects: Exceeded 30 redirects.

2to3

Hi, I have the obvious problem of (most recent call last) and it's not a matter of parentheses.
After many searches I ask you for help about:

wpforce.py", line 226, in
main()
wpforce.py", line 208, in main
passlist = open(args.wordlist, 'r').read().split('\n')

python3.9/codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)

thank you

I need a lot of help please help me

root@Abkreno:/WPForce# python wpforce.py -i oot/D424D5CB24D5B12A/pass1.txt -u http://www.egywolf.com
,-~~-.. __ __ ____ _____
/ | x \ \ \ / /| _ \ | | _ __ ___ ___
( ) 0 \ \ /\ / / | |) || | / _ \ | '|/ |/ _ .
_/-, ,----' ____ \ V V / | / | || () || | | (| /
==== || _ _/_/ || || _/ |_| _|__|
/ -'; || | v.1.0.0
/ /~| ...||/|-" Brute Force Attack Tool for Wordpress
=( ||___| ~~n00py~~

Username List: /root/Desktop/egywolf (1)
Password List: /media/root/D424D5CB24D5B12A/pass1.txt (63)
URL: http://www.egywolf.com
Trying: http://www.egywolf.com/xmlrpc.php
HTTP Error 508: Loop Detected - Try reducing Thread count
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "wpforce.py", line 63, in worker
PasswordAttempt(user,password,url,thread_no,verbose,debug,agent)
File "wpforce.py", line 160, in PasswordAttempt
if args.verbose is True or args.debug is True:
NameError: global name 'args' is not defined

I have tried to read all the topics and did not find such a problem or solve it, please help if you can not tell me so I do not wait and thank you all thanks in all cases for your interest