eliranmaman/WP-Exploiter
WP-Exploiter

WP-Exploiter is a tool for testing and exploiting a wide range of WordPress websites.

Our tool coverage

  • Identifying WordPress websites by several methods.
  • Identifying WordPress versions by several methods.
  • Enumerating WordPress users by several methods.
  • Detecting and exploiting weaknesses in specific versions.

Requirements

  • Python 3 (tested on 3.7).
  • The Python modules listed in requirements.txt.

Default configurations

The defaults can be changed in config/conf.json. Each key is described below.

{
  "http_data": {
    "max_retries": "The maximum number of retries for HTTP requests.",
    "timeout": "HTTP request timeout, in milliseconds.",
    "retries_reason": "The reason that will trigger another retry.",
    "retries_break_time": "Pause between retries, in seconds.",
    "user_agent": "User agent for the HTTP requests."
  },

  "detector_data": {
    "admin_path": "The default WordPress admin panel path.",
    "login_path": "The default WordPress login path.",
    "feed_path": "The default WordPress feed path.",
    "upgrade_path": "The default WordPress upgrade path.",
    "timeout": "Timeout in seconds.",
    "css_path": "Common CSS files on WordPress systems.",
    "detect_th": "Smart detector threshold (the lower the number, the higher the sensitivity)."
  },

  "enumerator_data": {
    "start_enumeration": "Default user id to start enumeration with.",
    "enumeration_chunk": "Every iteration will enumerate this number of users.",
    "rest_api_path": "The default WordPress REST API path.",
    "rest_api_id_col": "The default WordPress REST API id key.",
    "rest_api_slug_col": "The default WordPress REST API slug key.",
    "rest_api_name_col": "The default WordPress REST API name key.",
    "rest_api_status_col": "The default WordPress REST API status key.",
    "author_path": "The default WordPress author path for enumeration.",
    "success_code": "The default HTTP status code that counts as success for user enumeration (author method)."
  },

  "exploiter_data": {
    "WPPluginExploiter": {
      "readme_path": "The default readme path for the WPPluginExploiter class."
    },
    "WPDatabaseResetExploiter": {
      "readme_path": "The default readme path for this plugin."
    },
    "WPTimeCapsuleExploiter": {
      "readme_path": "The default readme path for this plugin."
    }
  },

  "register_data": {
    "register_required_data": "The default data required for registering a new WordPress user."
  },

  "bruteforce_data": {
    "success": "The default 'success' cookie that indicates a successful login.",
    "num_of_threads": "The default number of threads for the bruteforce attack.",
    "error_limit": "The error threshold used to decide that this website does not allow bruteforce.",
    "wp_admin": "The login path (default).",
    "test_cookie": "Test cookie."
  }
}

Basic Usage

python cliy.py [COMMAND] [ARGS]

Possible commands:
  • detect - Detect whether the URL/IP is a WordPress site and try to get the WordPress version. Args:
    • --url / -u: The URL/IP to test (for example: http://example.com).
    • --timeout / -to: Maximum timeout for each HTTP request, in milliseconds, integer only (for example: 100).
    • --proxy / -p: Proxy (URL/IP) to use (for example: 192.192.192.192).
  • enumerate - Try to enumerate user names of the WordPress system. Args:
    • --url / -u: The URL/IP to test (for example: http://example.com).
    • --proxy / -p: Proxy (URL/IP) to use (for example: 192.192.192.192).
    • minid: The user id to start enumerating from (for example 1 will try to enumerate users with id 1 and above).
    • maxid: The user id at which to stop enumerating (for example 5 will enumerate from minid up to id 5).
  • bruteforce - Try to brute-force the login and crack passwords with a dictionary attack. Args:
    • --url / -u: The URL/IP to test (for example: http://example.com).
    • --proxy / -p: Proxy (URL/IP) to use (for example: 192.192.192.192).
    • --usernames / -un: Path to a file containing the usernames to try (one username per line).
    • --passwords / -pass: Path to a file containing the passwords to try for each username (one password per line).
    • --threads / -t: Number of worker threads (default is 1, integer only).
  • exploit - Try to exploit the WordPress website and gain control over the admin user. Args:
    • --url / -u: The URL/IP to test (for example: http://example.com).
    • --proxy / -p: Proxy (URL/IP) to use (for example: 192.192.192.192).
    • --type / -ex: The exploit you wish to try, chosen from [time-capsule, reset-database, all].
  • readme - Prints the readme file.
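As an added example from the defender's side (not part of WP-Exploiter), the function below scans web-server access-log lines for the request patterns that the detect, enumerate and bruteforce commands above produce: sequential ?author=N probes, hits on the REST users endpoint, and bursts of POSTs to wp-login.php. The log lines, addresses and thresholds are constructed for illustration and should be tuned to the site's normal traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "GET /blog/post-1/ HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
"""

# Source IP, method, request path and status from a combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def analyze_access_log(log_text, author_min_ids=3, login_post_threshold=3):
    """Return {ip: [finding, ...]} for sources showing WordPress recon/brute-force patterns."""
    author_ids = defaultdict(set)      # ip -> distinct ?author= ids requested
    rest_users_hits = Counter()        # ip -> requests to the REST users endpoint
    login_posts = Counter()            # ip -> POSTs to wp-login.php
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip malformed lines rather than abort the scan
        ip, method, path = m["ip"], m["method"], m["path"]
        a = AUTHOR_RE.search(path)
        if a:
            author_ids[ip].add(int(a.group(1)))
        if path.startswith("/wp-json/wp/v2/users"):
            rest_users_hits[ip] += 1
        if method == "POST" and path.startswith("/wp-login.php"):
            login_posts[ip] += 1
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_min_ids:   # several distinct ids from one source = enumeration
            findings[ip].append(f"author-id enumeration ({len(ids)} ids)")
    for ip, n in rest_users_hits.items():
        findings[ip].append(f"REST user listing ({n} requests)")
    for ip, n in login_posts.items():
        if n >= login_post_threshold:   # repeated login POSTs from one source = brute force
            findings[ip].append(f"login brute-force burst ({n} POSTs)")
    return dict(findings)
```

Feeding the output into a block list or rate limiter is left to the site's tooling; the thresholds are deliberately low so the constructed sample trips every rule.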

Further Attacks

Of course, you can clone the project and implement other exploits. Our interface is generic and supports several exploitation methods.

Automation

WP-Exploiter has the potential to be automated in different ways. We are going to leave this to you. You can find an example at examples/run.py.

Note

  • We do not claim the description or the purpose of this tool to be 100% accurate. If you see anything incorrect in this document, please submit a pull request or open a new issue.
  • We do not encourage using it on real websites; this tool is for educational purposes only. We are not responsible for anyone's use of this tool.