<?php
set_time_limit(0);

$domain = "http://www.linux.zone/";
$base = rtrim($domain, "/"); // avoid a double slash when appending paths
$url = $base . "/wp-login.php";
$password = "haikexihuanritaniang"; // Thieving hackers like to screw their own mothers. Heh.

// Form fields sent to wp-login.php; wp-submit is the URL-encoded label of the login button.
$post = "log=admin&pwd=" . urlencode($password)
    . "&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=" . urlencode($base)
    . "%2Fwp-admin%2F&testcookie=1";

//$pos = strpos(httprequest($url, $post), 'div id="login_error"');
//if ($pos === false) {
//    echo "done";
//}
print httprequest($url, $post);

// Send a GET, or a POST when $post is non-empty; return the body, or 404 if the page is missing.
function httprequest($url, $post)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // certificate verification is switched off
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    if ($post) {
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }
    $output = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($httpcode == 404) {
        return 404;
    } else {
        return $output;
    }
}
?>

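Save this as wp-post-test.php and run it with the command php wp-post-test.php. The output shows whether the password was cracked: if it contains div id="login_error", the login attempt did not succeed; if the site redirects, as my linux.zone does, the output shows the content of the page reached after the redirect.
The result shows that my WordPress blog's admin password cannot be cracked by POSTing to the wp-login.php file. As the saying goes, however high the devil climbs, virtue climbs higher: the hackers' hundreds of attacks every day are just a waste of resources. What a bunch of scum!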
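
A defender's counterpart to the test above, as an added example that is not part of the original post: count POSTs to wp-login.php per client IP in a web server access log and flag the noisy sources. The log lines are constructed, the threshold is arbitrary, and the mapping of 200 to a failed login and 302 to a successful one assumes stock WordPress behind a combined-format access log; a site with its own redirect rules, like the one described here, needs the status codes adjusted.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Mar/2024:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_posts(log_text):
    """Return (failed, succeeded) Counters of wp-login.php POSTs per client IP."""
    failed, succeeded = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # viewing the login form (GET) is not an attempt
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        # Assumption (stock WordPress): a failed login re-renders the form
        # with HTTP 200; a successful one answers with a 302 redirect.
        if m["status"] == "200":
            failed[m["ip"]] += 1
        elif m["status"] == "302":
            succeeded[m["ip"]] += 1
    return failed, succeeded

def flag_sources(log_text, threshold=3):
    """IPs with at least `threshold` failed logins, with their success count."""
    failed, succeeded = login_posts(log_text)
    return {
        ip: {"failed": n, "succeeded": succeeded[ip]}
        for ip, n in failed.items()
        if n >= threshold
    }

if __name__ == "__main__":
    for ip, counts in flag_sources(SAMPLE_LOG).items():
        print(ip, counts)
```

A flagged source whose `succeeded` count is not zero is the case to look at first, since it means a login went through after a run of failures.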
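If heaven gave me one more chance, I would say to your blog: I'll come and see you again next time!
You really have gone to great lengths to promote your website. I have already blocked N of these, so I'll let this one through for now.
Being a webmaster isn't easy either 233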