The developer of this program is not responsible for any damages caused by the consumer's use of the program, including any immoral or unethical actions or consequences thereof.
This is a program that brute-forces WordPress login passwords through the XML-RPC interface.
Note: this is more of a proof of concept, since brute-forcing an account password takes a long time.
It only succeeds if the password is weak enough, or if the wordlist happens to contain it.
All that is needed is to clone the repo or download a ZIP copy, then run xmlrpcbrute.py with Python and follow the prompts.
- Clone the repo:
  git clone https://github.com/GuardianN06/XMLBrute.git
- Change directory into that folder:
  cd XMLBrute
- Then run the Python program:
  python xmlrpcbrute.py
The program prompts for the URL of the XML-RPC endpoint, the username, a wordlist (preferably a short one) and the number of threads (5 is recommended).
To find the username, request https://site.com/wp-json/wp/v2/users; this returns JSON. In that JSON, look for the value of the "slug" field, which is the username. Note that a single WordPress install can have multiple users.
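The two request patterns described above (a hit on the wp-json users endpoint followed by a burst of POSTs to the XML-RPC endpoint) are what a site owner should look for in web server logs. The following added example is not part of XMLBrute: it parses constructed Apache combined-format lines and flags an IP that does both; the threshold, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format; addresses and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress/6.3; https://blog.example"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]

def burst_detected(times, threshold, window_seconds):
    """True if at least `threshold` timestamps fall inside some span of window_seconds."""
    times = sorted(times)
    return any((times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
               for i in range(len(times) - threshold + 1))

def analyze(log_text, threshold=5, window_seconds=60):
    """Per-IP verdict: an XML-RPC POST burst, and whether the REST users endpoint was queried."""
    xmlrpc_times, enumerated = defaultdict(list), set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path == "/xmlrpc.php":
            xmlrpc_times[ip].append(ts)
        elif path.startswith("/wp-json/wp/v2/users"):
            enumerated.add(ip)   # a username listing often precedes a password-guessing run
    report = {}
    for ip in set(xmlrpc_times) | enumerated:
        report[ip] = {"xmlrpc_posts": len(xmlrpc_times[ip]), "user_enum": ip in enumerated,
                      "flagged": burst_detected(xmlrpc_times[ip], threshold, window_seconds)}
    return report
```

A single POST to xmlrpc.php from 198.51.100.4 (pingbacks and the mobile app use the same endpoint) is not flagged; the burst of five within a few seconds, preceded by the users listing, is.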