GET /XMLRPC vulnerability / DDoS / Brute Force attack


sample : GET /XMLRPC.php

XML-RPC works as an API.


XML-RPC is a remote procedure call mechanism that carries calls over HTTP using XML.

In WordPress, it is served through xmlrpc.php.


The XML-RPC behind xmlrpc.php is an RPC protocol,

and WordPress uses HTTP to exchange the XML-encoded request and response data.


Typically, it is used to publish new posts from a separate client program

without logging in to the WordPress admin, or to send trackbacks and pingbacks.


API : Application Program Interface

- gives mobile/desktop app developers the ability to talk to a WordPress site,

  and (also) to write applications on top of it.


If the prevention policy has no separate rule for it,
xmlrpc.php is served normally, as shown below, when you connect to it.


When XML-RPC is enabled on a target site:

1) DDoS
- an attacker could potentially mount a DDoS attack on a target site
   by abusing xmlrpc.php to send vast numbers of pingbacks to the target site
   in a short time.
This could overload the server and take the target site down.


2) Brute Force attack

The system.multicall method of xmlrpc.php, affecting the most current version of WordPress (3.5.1).

The exploit works by sending 1,000+ authentication attempts in a single request to xmlrpc.php in order to brute-force
valid WordPress users, and it iterates through whole wordlists
until a valid login response is acquired.

It then picks out and displays the valid username and password for login.
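Both attack patterns above leave a recognisable trace in the web server access log, so a defender can spot them before (or after) applying the blocking rules in the next section. The following script is an added example, not code from the original post: it parses Apache/nginx "combined" format lines and flags (a) source IPs that POST to /xmlrpc.php many times inside a sliding window, which is what a multicall brute force or a pingback flood launched through this server looks like, and (b) inbound requests carrying WordPress's "verifying pingback from ..." User-Agent, which is what a site sees when other WordPress installs are being used to reflect traffic at it. The log layout, the thresholds (5 requests in 60 seconds) and the sample lines are assumptions chosen for the demonstration; the sample lines use documentation IP ranges and .invalid hostnames and are constructed, not real traffic.

```python
# Added example (not part of the original post): scan web server access logs
# for the two XML-RPC abuse patterns described above. Log format, thresholds
# and sample lines are assumptions made for this demo.
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log layout (assumed): ip ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-Agent that WordPress sends to the target while it verifies a pingback.
PINGBACK_UA_RE = re.compile(
    r"WordPress/[\d.]+; (?P<origin>\S+); verifying pingback from (?P<claimed>\S+)"
)

# Constructed sample log: six rapid POSTs from one IP, one lone GET probe
# (the "GET /xmlrpc.php" sample at the top of the post), two pingback
# verification hits arriving from other blogs.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.88.1"',
    '192.0.2.10 - - [10/Oct/2023:13:57:15 +0000] "GET / HTTP/1.1" 200 8192 "-" '
    '"WordPress/6.3; https://abused-blog.invalid; verifying pingback from 203.0.113.7"',
    '192.0.2.11 - - [10/Oct/2023:13:57:16 +0000] "GET / HTTP/1.1" 200 8192 "-" '
    '"WordPress/6.3; https://other-blog.invalid; verifying pingback from 203.0.113.7"',
])


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def find_xmlrpc_bursts(entries, threshold=5, window_s=60):
    """Return {ip: peak_count} for IPs that POSTed to /xmlrpc.php at least
    `threshold` times inside any `window_s`-second sliding window.
    Status is deliberately ignored so 403s after blocking still count."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].lower().startswith("/xmlrpc.php"):
            per_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        window = deque()
        peak = 0
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() > window_s:
                window.popleft()  # drop timestamps that fell out of the window
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def find_pingback_reflection(entries):
    """Return [(source_ip, originating_blog)] for requests carrying WordPress's
    pingback-verification User-Agent; many of these in a short time means other
    sites' xmlrpc.php is being used to bounce requests at this server."""
    hits = []
    for e in entries:
        m = PINGBACK_UA_RE.search(e["ua"])
        if m:
            hits.append((e["ip"], m.group("origin")))
    return hits


def analyze(log_text, threshold=5, window_s=60):
    """Run both detections over raw log text and return a report dict."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "xmlrpc_bursts": find_xmlrpc_bursts(entries, threshold, window_s),
        "pingback_reflection": find_pingback_reflection(entries),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, peak in report["xmlrpc_bursts"].items():
        print(f"[burst] {ip}: {peak} POST /xmlrpc.php within 60s")
    for ip, origin in report["pingback_reflection"]:
        print(f"[pingback] {ip} verifying a pingback on behalf of {origin}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the burst detector ignores the response status on purpose, so after the Apache or nginx deny rules below are in place the same IPs show up with 403s, which is a quick way to confirm the block is holding.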



[Solution]

1) If Apache :

- You can add the restriction either in .htaccess or in a .conf file.

1; .htaccess

[root]# vi .htaccess

# Apache 2.2 syntax (mod_access_compat on 2.4)
<files xmlrpc.php>
Order allow,deny
Deny from all
# ErrorDocument 403 /403.html
</files>

or

# Apache 2.4 syntax
<Files xmlrpc.php>
Require all denied
# ErrorDocument 403 /403.html
</Files>

If you want to serve your own 403 page, and the ErrorDocument line is present but commented out in the file,

you can uncomment it and use it.


2; .conf


(sample)

[root]# grep -i include httpd.conf | grep -v "#"

IncludeOptional conf.d/*.conf


You can create a .conf file under conf.d/ and apply this setting

across several web roots and virtualhosts at once.

[root]# cd conf.d
[root]# vi httpd-wordpress-security.conf

<Files xmlrpc.php>
Require all denied
#ErrorDocument 403 /403.html
</Files>

[root]# systemctl reload httpd

(When reloaded, every virtualhost picks up this setting at the same time.)




2) If Nginx :

Go to /etc/nginx/conf.d and add the following to each server block:

location = /xmlrpc.php {
deny all;
error_page 403 = /403.html;
}

When finished, reload nginx.

$ sudo systemctl reload nginx




[Reference]

Today's web server attack log, XML-RPC, Open Proxy (webhack.dynu.net)

How I Exploit xmlrpc.php (linkedin.com)