XMLRPC Brute Force Exploit
<?php | |
// This code is released into the public domain. | |
// I will not be held responsible for what this code does. | |
// I release myself of all legal responsibilities to this code.
/** These links helped in figuring this all out :) | |
* wp_xmlrpc_server::login | |
* https://core.trac.wordpress.org/browser/tags/3.9.1/src/wp-includes/class-wp-xmlrpc-server.php#L182 | |
* | |
* Support Forum link | |
* http://wordpress.org/support/topic/brute-forcing-via-xmlrpc | |
* | |
* wp_authenticate | |
* https://core.trac.wordpress.org/browser/tags/3.9.1/src/wp-includes/pluggable.php#L511 | |
* | |
* wp_authenticate_username_password | |
* https://core.trac.wordpress.org/browser/tags/3.9.1/src/wp-includes/user.php#L104 | |
**/ | |
// Only arm the guard while WordPress is serving an XML-RPC request; on any
// other request this file defines its functions and does nothing else.
// (xmlrpc_protectme() is declared further down; PHP hoists top-level
// functions, so calling it here is fine.)
if ( defined( 'XMLRPC_REQUEST' ) ) {
	if ( XMLRPC_REQUEST ) {
		xmlrpc_protectme();
	}
}
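// Hooks wp_authenticate to make this login look incorrect
/**
 * 'authenticate' filter callback that forces every login to fail.
 *
 * Registered by xmlrpc_protectme() with accepted_args = 2, so WordPress
 * passes it ( $user, $username ) — the password never reaches this function.
 * The original parameter names ($username, $password) described the wrong
 * positions; they are corrected here, but both values are still ignored:
 * once a lockout is in effect every attempt gets the same generic error,
 * whether or not the credentials were right, so the reply leaks nothing.
 *
 * @param null|WP_User|WP_Error $user     Result of the earlier 'authenticate' callbacks (ignored).
 * @param string                $username Username being tried (ignored).
 * @return WP_Error The same generic message core uses for a bad username/password.
 */
function modify_xmlrpc_auth( $user, $username ) {
	return new WP_Error( 'authentication_failed', __( '<strong>ERROR</strong>: Invalid username or incorrect password.' ) );
}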
/**
 * Arms the XML-RPC login guard for the current request.
 *
 * Only acts when the Limit Login Attempts plugin is loaded (it provides
 * is_limit_login_ok()) and reports that the client is currently locked out.
 * In that case every 'authenticate' call for this request is overridden with
 * a failure by modify_xmlrpc_auth(), so the XML-RPC endpoint cannot be used to
 * keep testing passwords once the plugin has locked the client out.
 * Without the plugin the function is a no-op.
 */
function xmlrpc_protectme() {
	$plugin_loaded = function_exists( 'is_limit_login_ok' );
	if ( ! $plugin_loaded || is_limit_login_ok() ) {
		// Plugin absent, or client not locked out: leave core's login flow alone.
		return;
	}
	// Locked out. Priority 20 is where core registers its own
	// username/password handler; registering here afterwards means this
	// callback runs last and its WP_Error wins.
	add_filter( 'authenticate', 'modify_xmlrpc_auth', 20, 2 );
}