Skip to content

WordPress XMLRPC BruteForce Tool. With the use of this tool you will be able, given a username and a password dictionary, to bruteforce any given WordPress website through the use of its XML-RPC API.

License

Notifications You must be signed in to change notification settings

NicoloLazzaroni/WordPress-XMLRPC-BruteForce

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 

Repository files navigation

WordPress XML-RPC BruteForce Tool

Example

With the use of this tool you will be able, given a username and a password dictionary, to bruteforce any given WordPress website through the use of its XML-RPC API.

Disclaimer: For educational purposes only. Not intended for illegal activities. The author is not responsible for any action performed by the software user.

Features

  • Accepts SOCKS 4/5 Proxies.
  • Allows to set a Custom Delay to be used when Rate-Limited.
  • Allows Custom URLs (to use when the XMLRCP.php file has been moved or renamed).
  • Fast and Reliable (100% Java).
  • Supports any password dictionary formatted with one password per line.

Example of a password dictionary:
Sample-Dictionary

Installation

Download the latest release from here.

Requires Java 17.

How to Use

In a shell run the program with java -jar WordpressXMLBruteForce.jar and configure it with your preferred parameters.

When the program finds a correct match, that is both printed in the shell and saved in a file called LoginDetails; you will find it in the same directory as the jar file.

If you want to run the program in proxy mode you will first have to create a file called Proxies in the same directory as the jar file.
The proxies have to either be SOCKS 4 or 5 and the file has to be formatted with one proxy per line in the format:
IP:PORT.

Proxies Example