近几天wordpress社区的小伙伴们反映遭到了利用xmlrpc.php进行暴力破解的攻击。利用xmlrpc.php提供的接口尝试猜解用户的密码,可以绕过wordpress对暴力破解的限制。已经发现了大规模的利用,启用了xmlrpc的同学需要尽快修复。安装或者升级Login Security Solutin插件
通常wordpress登录接口都是做了防暴力破解防护的,比如freebuf的登录只能有尝试5次。
这种利用xmlrpc.php的攻击可以绕过这些限制。攻击的方式直接POST以下数据到xmlrpc.php.
<?xml version="1.0" encoding="iso-8859-1"?> <methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>username</value></param> <param><value>password</value></param> </params> </methodCall>
其中username字段是预先收集的用户名。password是尝试的密码。关于getUsersBlogs接口的更多信息可以参考官方的指南。如果密码正确,返回为:
密码错误返回为403:
使用intruder进行测试,发现服务端没有进行限制。
转自:http://www.freebuf.com/articles/web/38861.html
Blocking more WordPress xmlrpc.php attacks
Over the last few days, we’ve been tracking an ever-increasing distributed attack on the WordPress xmlrpc.php service.
We’ve previously seen and blocked attacks on this file that tried to post spam comments or act as a denial of service amplifier, but this attack is different: it tries to guess WordPress usernames and passwords.
As a result, we’ve applied more aggressive blocking than usual to the attack. It’s remotely possible that the blocking could cause legitimate third-party WordPress “apps” and services to be unable to access your blog (although it can’t cause problems when just visiting WordPress in a normal Web browser); don’t hesitate to contact us if you’re one of our customers having trouble.
Just so it’s clear, we’ve blocked this attack for all our hosting customers. But the rest of this post has some technical details that may help other people trying to do the same.
What does the attack look like?
The attackers are POSTing xmlrpc.php commands that look like this:
<?xml version="1.0" encoding="iso-8859-1"?> <methodCall> <methodName>wp.getUsersBlogs</methodName> <params> <param><value>username</value></param> <param><value>password</value></param> </params> </methodCall>
wp.getUsersBlogs is intended to be used by remote apps and services that need to find which blogs a username can access. However, the attacker is using this feature to test whether the username and password are valid, which they can do because WordPress returns “Incorrect username or password” in the XML result if they’re wrong. (The attacker is presumably stockpiling a list of valid WordPress logins for later use.)
We’ve so far tracked more than 30,000 IP addresses involved in the botnet carrying out the attack, with more being added all the time, averaging a few hundred total hits per day per WordPress site. It’s a slow attack — most of the IP addresses involved are making less than one connection every two hours to our servers, and the same IP address rarely attacks the same site twice in one day — so we can’t block it with rate limiting. Instead, we’re blocking most requests that send the rare “wp.getUsersBlogs” command, then attempting to whitelist any legitimate attempts based on the HTTP User-Agent or IP address.
What can I do to prevent these attacks?
Choose a strong password. Update WordPress and your plugins as soon as updates are available. Use two factor authentication.
Doing just those three things will ensure that attacks like this have no effect on your site, whether your hosting company is able to block them or not.
转自:http://blog.tigertech.net/posts/blocking-wordpress-xmlrpc-password-attempts/
——————————————————————————————————–
根据上面的介绍,利用urllib3模块写的破解程序如下:
