Analysis on the efficient cracking principle of WordPress using XMLRPC

Source: Internet
Author: User
Tags: wordpress, version

XML-RPC is the remote-call interface of WordPress, and using its methods for account brute-force cracking was proposed and exploited long ago. SUCURI recently published an article describing how the system.multicall method of the XML-RPC interface improves brute-force efficiency: thousands of account and password combinations can be submitted in a single request, which greatly compresses the number of requests and, to a certain extent, avoids log-based detection.

0x01 Principle Analysis

The code defining the XML-RPC service in WordPress is mainly located in wp-includes/class-IXR.php and wp-includes/class-wp-xmlrpc-server.php. The base class IXR_Server defines three built-in call methods: system.getCapabilities, system.listMethods and system.multicall. The callback mapping is located in the IXR_Server base class definition:

    function setCallbacks()
    {
        $this->callbacks['system.getCapabilities'] = 'this:getCapabilities';
        $this->callbacks['system.listMethods']     = 'this:listMethods';
        $this->callbacks['system.multicall']       = 'this:multiCall';
    }

When the base class is initialized, setCallbacks() is called to bind this mapping:

    function __construct($callbacks = false, $data = false, $wait = false)
    {
        $this->setCapabilities();
        if ($callbacks) {
            $this->callbacks = $callbacks;
        }
        $this->setCallbacks();   // bind the default three basic call mappings
        if (!$wait) {
            $this->serve($data);
        }
    }

Let's take a look at the processing function behind system.multicall:

    function multiCall($methodcalls)
    {
        // See$1208
        $return = array();
        foreach ($methodcalls as $call) {
            $method = $call['methodName'];
            $params = $call['params'];
            if ($method == 'system.multicall') {
                $result = new IXR_Error(-32600, 'Recursive calls to system.multicall are forbidden');
            } else {
                $result = $this->call($method, $params);
            }
            if (is_a($result, 'IXR_Error')) {
                $return[] = array(
                    'faultCode'   => $result->code,
                    'faultString' => $result->message
                );
            } else {
                $return[] = array($result);
            }
        }
        return $return;
    }

As the code shows, the program parses the XML passed in the request, iterates over every sub-call contained in the multicall, dispatches each one through $this->call(), and returns all of the results together to the requester.

In this way, 500 or even 10000 account and password combinations can be packed into a single request. The server finishes processing quickly and returns the results, which greatly improves brute-force efficiency because multicall compresses the number of requests. If 10000 passwords are attempted for an account, only one access-log entry is left on the target server, which to a certain extent evades log-based security detection.

Reading the XML-RPC related code in WordPress shows that a large number of XML-RPC methods verify the user name and password with the same check:

    if ( !$user = $this->login($username, $password) )
        return $this->error;

Searching for the preceding login verification code yields the list of all methods that can be used for brute-force cracking:

wp.getUsersBlogs, wp.newPost, wp.editPost, wp.deletePost, wp.getPost, wp.getPosts, wp.newTerm, wp.editTerm, wp.deleteTerm, wp.getTerm, wp.getTerms, wp.getTaxonomy, wp.getTaxonomies, wp.getUser, wp.getUsers, wp.getProfile, wp.editProfile, wp.getPage, wp.getPages, wp.newPage, wp.deletePage, wp.editPage, wp.getPageList, wp.getAuthors, wp.getTags, wp.newCategory, wp.deleteCategory, wp.suggestCategories, wp.getComment, wp.getComments, wp.deleteComment, wp.editComment, wp.newComment, wp.getCommentStatusList, wp.getCommentCount, wp.getPostStatusList, wp.getPageStatusList, wp.getPageTemplates, wp.getOptions, wp.setOptions, wp.getMediaItem, wp.getMediaLibrary, wp.getPostFormats, wp.getPostType, wp.getPostTypes, wp.getRevisions, wp.restoreRevision, blogger.getUsersBlogs, blogger.getUserInfo, blogger.getPost, blogger.getRecentPosts, blogger.newPost, blogger.editPost, blogger.deletePost, mw.newPost, mw.editPost, mw.getPost, mw.getRecentPosts, mw.getCategories, mw.newMediaObject, mt.getRecentPostTitles, mt.getPostCategories, mt.setPostCategories

Here we test wp.getUsersBlogs, the most direct method for obtaining information, by passing parameters to it. Two account and password attempts are included in the same request, and the XML request content is constructed as follows:


Send the preceding XML request containing two sub-calls to the xmlrpc.php entry point of the server. If the XML-RPC service is enabled, the following information is returned:

               Http: //
               WordPress 4.3.1
               Http: / php
           The user name or password is incorrect.

The results show that the two account and password combinations are processed in the same request and their results are returned together. In this way, the efficiency of account brute-force cracking can be greatly improved.
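Because a whole multicall leaves a single access-log line, detection has to look inside the request body rather than at request counts. The following is an added example, not code from the article or from WordPress: a Python check that parses the body the way IXR_Server::multiCall does (one array parameter of methodName/params structs) and counts how many sub-calls carry a credential pair; the method excerpt, the sample credentials and the threshold are constructed.

```python
"""WAF-style check for credential bundling in WordPress system.multicall.
Constructed example: parses the request body and counts sub-calls that
target a login-verifying method, so one request with many credential pairs
can be blocked even though it produces only one access-log line."""
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Excerpt of the article's list of methods that call $this->login().
LOGIN_METHODS = {
    "wp.getUsersBlogs", "wp.getPosts", "wp.getUsers", "wp.getProfile",
    "wp.newPost", "blogger.getUsersBlogs", "mw.getRecentPosts",
    "mt.getRecentPostTitles",
}


def inspect_request(body, max_login_calls=1):
    """Classify one XML-RPC request body.

    Returns (verdict, login_calls): 'malformed' for unparsable XML, 'block'
    when a system.multicall bundles more than max_login_calls sub-calls that
    carry a username/password pair, otherwise 'allow'."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.ResponseError, TypeError, ValueError):
        return ("malformed", 0)
    if method != "system.multicall":
        # A single call checks at most one credential pair; nothing to amplify.
        return ("allow", 1 if method in LOGIN_METHODS else 0)
    login_calls = 0
    calls = params[0] if params and isinstance(params[0], list) else []
    for call in calls:
        if not isinstance(call, dict):
            continue
        name, args = call.get("methodName", ""), call.get("params", [])
        # Every listed method takes username and password as string
        # parameters (some with a leading blog_id), so two or more
        # parameters are enough to carry a credential pair.
        if name in LOGIN_METHODS and isinstance(args, list) and len(args) >= 2:
            login_calls += 1
    verdict = "block" if login_calls > max_login_calls else "allow"
    return (verdict, login_calls)


# Constructed sample of the request form the article describes: two
# wp.getUsersBlogs sub-calls, each with a constructed username/password.
SAMPLE_MULTICALL = xmlrpc.client.dumps(
    ([{"methodName": "wp.getUsersBlogs", "params": ["admin", "guess-1"]},
      {"methodName": "wp.getUsersBlogs", "params": ["admin", "guess-2"]}],),
    methodname="system.multicall",
)
# Constructed ordinary single call for comparison.
SAMPLE_SINGLE = xmlrpc.client.dumps(("admin", "guess-1"), methodname="wp.getUsersBlogs")
```

The threshold of one credential-bearing sub-call per request matches normal client behaviour, since legitimate multicalls from one client authenticate with the same credentials and a single failed pair is still reported by the server as a fault.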

0x02 protection suggestions

This problem still exists in the latest WordPress version (4.3.1). Multicall is part of the XML-RPC standard. To prevent attackers from using it to launch brute-force attacks on the website, the following protection suggestions are provided:

Configure Web servers such as Apache and Nginx to restrict access to the xmlrpc.php file; the xmlrpc.php file can also be deleted without affecting website operation.
Install and enable the Disable XML-RPC plug-in from the official plug-in library.
Add the code add_filter('xmlrpc_enabled', '__return_false'); to the WordPress configuration file wp-config.php.
