From 3ded7a2cf47faba84a845624f1f4c851a1884faa Mon Sep 17 00:00:00 2001
From: Soka
Date: Sat, 14 Oct 2017 22:13:29 +0200
Subject: [PATCH] Updates global options and bruteforce engine

---
 README.md | 17 +++++++++++------
 engine/brute.py | 50 ++++++++++++++++++++++++++++++-------------------
 main.py | 8 ++++++--
 3 files changed, 48 insertions(+), 27 deletions(-)

diff --git a/README.md b/README.md
index e2267b7..41e8b19 100644
--- a/README.md
+++ b/README.md
@@ -33,13 +33,18 @@ python main.py -u "http://localhost/wordpress" --update --random-agent
 ```
 Example 2 : Basic bruteforce (option --brute, option --nocheck)
+* bruteforce customs usernames
+```
+python main.py -u "http://127.0.0.1/wordpress/" --brute --usernames "admin,guest" --passwords-list fuzz/wordlist.lst
+```
+* bruteforce with usernames list
+```
+python main.py -u "http://127.0.0.1/wordpress/" --brute --users-list fuzz/wordlist.lst --passwords-list fuzz/wordlist.lst
+```
+* bruteforce detected users
+```
+python main.py -u "http://127.0.0.1/wordpress/" --brute --passwords-list fuzz/wordlist.lst
 ```
-python main.py -u "http://127.0.0.1/wordpress/" --brute fuzz/wordlist.lst
-python main.py -u "http://127.0.0.1/wordpress/" --brute admin
-
---brute file.lst : Will bruteforce every username and their password
---brute username : Will bruteforce the password for the given username
-it will also try to bruteforce the password for the detected users.
diff --git a/engine/brute.py b/engine/brute.py
index fc076e2..6abe135 100644
--- a/engine/brute.py
+++ b/engine/brute.py
@@ -12,36 +12,48 @@ from wordpress import * from thread_engine import ThreadEngine class Brute_Engine: - def __init__(self, wordpress, brute): - if brute != None: + def __init__(self, wordpress, brute, usernames, users_list, passwords_list): + # bruteforce customs users passed in --brute + # ex: --brute admin,guest,foo + if brute: + if usernames: + users_to_brute = usernames.split(',') + for user in users_to_brute: + user = user.replace(' ', '') + print notice("Bruteforcing " + user) + self.bruteforcing_pass(wordpress, user, passwords_list) - # Bruteforce username - if os.path.isfile(brute): - self.bruteforcing_user(wordpress) + # Bruteforce with usernames list + elif users_list: + for file_list in [users_list, passwords_list]: + if not os.path.isfile(file_list): + print critical("Can't found %s file" % file_list) + exit() + # launch users & passwords bruteforce + self.bruteforcing_user(wordpress, users_list, passwords_list) + + # if users detected, bruteforce them else: if len(wordpress.users) != 0: - print notice("Bruteforcing detected users") + if not os.path.isfile(passwords_list): + print critical("Can't found %s file" % passwords_list) + exit() + + print notice("Bruteforcing detected users: {}".format(wordpress.users)) for user in wordpress.users: print info("User found "+ user['slug']) - self.bruteforcing_pass(wordpress, user['slug']) + self.bruteforcing_pass(wordpress, user['slug'], passwords_list) - else: - print notice("Bruteforcing " + brute) - print info("User found "+ brute) - self.bruteforcing_pass(wordpress, brute) - - # Exit the bruteforce - exit() """ name : bruteforcing_user(self, wordpress) description : """ - def bruteforcing_user(self, wordpress): + def bruteforcing_user(self, wordpress, users_list, passwords_list): print notice("Bruteforcing all users") - with open('fuzz/wordlist.lst') as data_file: + with open(users_list) as data_file: data = data_file.readlines() thread_engine = ThreadEngine(wordpress.max_threads) users_found = [] 
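Review bot: The new `--usernames` branch at the top of `__init__` hands `passwords_list` straight to `bruteforcing_pass` without the `os.path.isfile` guard that the `users_list` and detected-users branches perform, and main.py defaults `--passwords-list` to `None`, so `--brute --usernames admin` on its own dies inside `open(passwords_list)` with a `TypeError` instead of the intended `critical(...)` message. Hoisting one check above the three branches covers all of them: `if not passwords_list or not os.path.isfile(passwords_list):` / `print critical("Can't find %s file" % passwords_list)` / `exit()`. In the same branch, `user.replace(' ', '')` removes every space rather than trimming the ends, and a trailing or doubled comma (`admin,,guest`) yields an empty username that is then bruteforced; `user.strip()` followed by `if not user: continue` is the usual shape. The old trailing `exit()` is also gone, so after `--brute` the script now falls through to `Fuzz_Engine` in main.py; if that is intended it is worth a line in the commit message. The class body continues past the hunk.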
@@ -52,7 +64,7 @@ class Brute_Engine: thread_engine.wait() for user in users_found: - self.bruteforcing_pass(wordpress, user) + self.bruteforcing_pass(wordpress, user, passwords_list) def check_user(self, user, users_found, wordpress): @@ -68,10 +80,10 @@ class Brute_Engine: name : bruteforcing_pass(self, wordpress) description : """ - def bruteforcing_pass(self, wordpress, user): + def bruteforcing_pass(self, wordpress, user, passwords_list): print info("Starting passwords bruteforce for " + user) - with open('fuzz/wordlist.lst') as data_file: + with open(passwords_list) as data_file: data = data_file.readlines() size = len(data) thread_engine = ThreadEngine(wordpress.max_threads) diff --git a/main.py b/main.py index f27b790..318a95f 100644 --- a/main.py +++ b/main.py 
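Review bot: The docstring immediately above `bruteforcing_pass` still reads `name : bruteforcing_pass(self, wordpress)` with an empty `description :`, so it is now two parameters behind the signature this hunk introduces (`user` and `passwords_list`), and the `bruteforcing_user` docstring in the earlier hunk is stale in the same way. Since these docstrings are the engine's only documentation, update them to the new signatures, e.g. `name : bruteforcing_pass(self, wordpress, user, passwords_list)` and `description : tries every line of passwords_list as the password for user`. It may also be worth noting there that the list is read with `readlines()`, so each candidate carries its trailing newline unless the thread worker strips it — that worker is outside the hunk, so please confirm. The rest of `bruteforcing_pass` lies outside the hunk.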
@@ -29,12 +29,16 @@ if __name__ == "__main__": parser.add_argument('--update', action ='store_const', const='update', dest='update', help="Update the database") parser.add_argument('--aggressive', action ='store_const', const='aggressive', dest='aggressive', default=False, help="Aggressive scan for plugins/themes") parser.add_argument('--fuzz', action ='store_const', const='fuzz', dest='fuzz', default=False, help="Fuzz the files") - parser.add_argument('--brute', action ='store', dest='brute', default=None, help="Bruteforce users and passwords") + parser.add_argument('--brute', action ='store_const', const='brute', dest='brute', default=False, help="Bruteforce users and passwords") parser.add_argument('--nocheck', action ='store_const', const='nocheck',dest='nocheck', default=False, help="Check for a Wordpress instance") parser.add_argument('--random-agent', action ='store_const', const='random_agent', dest='random_agent', default=False, help="Random User-Agent") parser.add_argument('--threads', action ='store', dest='max_threads', default=1, help="Number of threads to use") + parser.add_argument('--usernames', action ='store', dest='usernames', default='', help="Usernames to bruteforce") + parser.add_argument('--users-list', action ='store', dest='users_list', default=None, help="Users list for bruteforce") + parser.add_argument('--passwords-list', action ='store', dest='passwords_list', default=None, help="Passwords list for bruteforce") results = parser.parse_args() + print results # Check wordpress url if results.url != None: # Disable warning for ssl verify=False @@ -49,7 +53,7 @@ if __name__ == "__main__": wp = Wordpress(format_url(results.url), results.random_agent, results.nocheck, results.max_threads) # Launch bruteforce - Brute_Engine(wp, results.brute) + Brute_Engine(wp, results.brute, results.usernames, results.users_list, results.passwords_list) # Launch fuzzing Fuzz_Engine(wp, results.fuzz)
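Review bot: The added `print results` after `parse_args()` looks like a debugging leftover: it dumps the whole argparse `Namespace` to stdout unconditionally on every run, in a different style from the `notice`/`info`/`critical` helpers the engine prints through, so it should be removed or gated behind a verbose option. The new options also leave the `--brute` help text unchanged even though `--brute` is now a bare flag that only works together with `--passwords-list`, and `--usernames` versus `--users-list` are alternatives; argparse can express both by placing the two in `parser.add_mutually_exclusive_group()` and adding after parsing `if results.brute and not results.passwords_list: parser.error("--brute requires --passwords-list")`. Finally, `--usernames` defaults to `''` while the two list options default to `None`; picking one convention keeps the truthiness checks in `Brute_Engine` uniform. The `if __name__ == "__main__":` block begins before and ends after this hunk.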