CMS BruteForce PRO is an advanced cybersecurity tool designed for penetration testers and security researchers. This powerful application automatically detects whether a target website uses Joomla or WordPress and then launches the appropriate brute-force attack with sophisticated enumeration capabilities.
Developed by HackFutSec, this tool combines cutting-edge techniques with a sleek cyberpunk-themed interface for the ultimate security assessment experience.
- Automatic CMS Identification - Detects Joomla vs WordPress with version checking
- Mass Target Processing - Scan multiple URLs with automatic CMS classification
- Version Fingerprinting - Identifies CMS versions for vulnerability assessment
- User enumeration via multiple methods (JSON API, HTML parsing, metadata)
- Administrator path detection and exploitation
- CSRF token handling and session management
- Advanced response analysis for login validation
- REST API user enumeration
- Author sitemap and feed analysis
- User existence testing through login responses
- WP-JSON endpoint exploitation
- Transparent glass-morphism design with animated backgrounds
- Real-time logging with color-coded output
- Progress tracking with animated progress bars
- Multi-tab interface for single and mass target operations
- Multi-threaded attacks (configurable thread count)
- Proxy support with rotation capabilities
- Custom delay settings between requests
- Auto-password generation based on usernames and domains
- Comprehensive wordlist management
# For Debian/Ubuntu
sudo apt-get update
sudo apt-get install python3-pip python3-tk
# For Windows
# Install Python 3.8+ from python.orgpip install requests beautifulsoup4 tqdm pyqt5git clone https://github.com/HackFutSec/CMS-BruteForce-PRO.git
cd CMS-BruteForce-PRO
python3 cms_bruteforce.py- Enter the target URL in the "Target URL" field
- Configure username options:
- Manual username input
- User list file import
- Auto user discovery (recommended)
- Set password options:
- Default password list
- Custom wordlist
- Auto-password generation with domain
- Adjust advanced settings (proxy, delay, threads)
- Click "Start Attack"
- Load a list of URLs from a text file
- Configure global attack parameters
- Set user enumeration preferences
- Start mass scan - tool will automatically:
- Detect CMS for each URL
- Apply appropriate attack method
- Save results separately
- Proxy Setup: Configure HTTP proxies for anonymity
- User Agents: Rotate user agents to avoid detection
- Timeout Settings: Adjust request timeouts
- Thread Management: Control concurrent connections
- ✅ Full Access: Administrator privileges obtained
- 🔓 Limited Access: User profile access only
- 📝 Credentials Saved: Automatically exported to files
joooAccess.txt- Joomla administrator credentialsfullaccess.txt- Full access credentials (both CMS)limitaccess.txt- Limited access credentialspassword_reset_success.txt- Successful password resets
# Generates passwords based on:
- Username variations (admin, admin123, Admin123!, etc.)
- Domain patterns (example, example123, example2023)
- Common password patterns with special characters
- Sequential numbers and years
- Custom character combinations# Joomla:
- com_users component exploitation
- JSON API endpoint analysis
- Metadata extraction
- Author information parsing
# WordPress:
- WP-JSON API user discovery
- Author sitemap analysis
- RSS feed extraction
- Login response analysis- Authorized penetration testing
- Security research and education
- Vulnerability assessment with permission
- Cybersecurity training exercises
🚫 Illegal use of this tool is strictly prohibited. The developer assumes no liability for misuse of this software. Always obtain proper authorization before testing any system.
- ✅ Combined Joomla & WordPress capabilities
- ✅ Automatic CMS detection system
- ✅ Enhanced cyberpunk GUI theme
- ✅ Improved user enumeration algorithms
- ✅ Advanced password generation engine
- ✅ Multi-threading optimization
- ✅ Initial Joomla brute force implementation
- ✅ Basic GUI interface
- ✅ User discovery features
- ✅ Wordlist management
Found a bug or have a feature idea? Please open an issue on GitHub:
- Check existing issues to avoid duplicates
- Provide detailed description of the problem
- Include steps to reproduce
- Add screenshots if applicable
- Specify your environment (OS, Python version)
We welcome contributions from the security community! To contribute:
- Fork the repository
- Create a feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE.md file for details.
- Cybersecurity community for continuous research
- Open-source projects that inspired this tool
- Beta testers who helped refine the functionality
- Contributors who submitted improvements
"Knowledge is power. Use it responsibly." - HackFutSec
⭐ Don't forget to star this repository if you find it useful! ⭐
🔒 Remember: Always conduct security testing ethically and with proper authorization. The goal is to improve security, not compromise it.