authorHarald Eilertsen <haraldei@anduin.net>2024-07-06 11:42:43 +0200
committerHarald Eilertsen <haraldei@anduin.net>2024-07-06 11:49:34 +0200
commit6d91832dd4234e28e9786ab958e8dec2ac19b97c (patch)
tree2216b8c6114dadab0966f9df55b237468ac9fa42
parentf6132cac7e534d26ae3189b09f55be3a06aa7beb (diff)
Process XML-RPC requests separately.
If the XML-RPC method is wp.getUsersBlogs, we just save submitted credentials and otherwise ignore the request. We get a lot of these, and they're not really that interesting, so we don't need to save the full payload. But let's keep the credentials, so that we can build a list of passwords and user names. Other requests will be saved in full as before.
-rw-r--r--index.php1
-rw-r--r--src/process-request.php16
2 files changed, 17 insertions, 0 deletions
diff --git a/index.php b/index.php
index cbe3802..37ce8a3 100644
--- a/index.php
+++ b/index.php
@@ -4,4 +4,5 @@
//
// SPDX-License-Identifier: AGPL-3.0-or-later
+require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/src/process-request.php';
diff --git a/src/process-request.php b/src/process-request.php
index 9c6a006..fd290ce 100644
--- a/src/process-request.php
+++ b/src/process-request.php
@@ -5,6 +5,8 @@
//
// SPDX-License-Identifier: AGPL-3.0-or-later
+use VolseNet\Webtrap\XmlRpcMethod;
+
$data = [
'SERVER_NAME' => $_SERVER['SERVER_NAME'],
'REMOTE_ADDR' => $_SERVER['REMOTE_ADDR'],
@@ -19,7 +21,21 @@ $data = [
'BODY' => file_get_contents('php://input'),
];
+if (preg_match('/xmlrpc\.php/i', $data['REQUEST_URI']) && $data['REQUEST_METHOD'] === 'POST') {
+ $method = XmlRpcMethod::parse($data['BODY']);
+ if ($method->name === 'wp.getUsersBlogs') {
+ $file_name = dirname(__DIR__) . '/payloads/credentials.txt';
+ $file = new SplFileObject($file_name, 'a');
+ $file->fwrite("{$method->params[0]}: {$method->params[1]}\n");
+ error_log("Trapped XML-RPC request, saving credentials to {$file_name}");
+
+ header("HTTP/1.1 404 Not Found");
+ die();
+ }
+}
+
$file_name = dirname(__DIR__) . "/payloads/{$data['REQUEST_TIME']}-{$data['SERVER_NAME']}.json";
error_log("Trapped request, saving to {$file_name}");
file_put_contents($file_name, json_encode($data));
+
header("HTTP/1.1 404 Not Found");
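Review bot: `$method->params[0]` and `$method->params[1]` are interpolated on the `fwrite` line without checking that they exist or are strings, so a wp.getUsersBlogs body with fewer or non-string params (the body is attacker-controlled) emits PHP warnings and writes `Array` or an empty field, and a username containing a newline silently corrupts the line-oriented credentials.txt. Encode the pair rather than interpolating it, e.g. `$file->fwrite(json_encode(array_slice((array) $method->params, 0, 2), JSON_INVALID_UTF8_SUBSTITUTE) . "\n");`, which keeps exactly one record per line for any input shape. The credentials file is written under `dirname(__DIR__) . '/payloads/'`, the same tree that holds index.php, so confirm that directory is outside the document root or denied by the web server before plaintext credentials accumulate there. `XmlRpcMethod::parse` is not part of this diff; if it is built on SimpleXML/DOM, make sure external entity loading stays disabled before it is fed raw request bodies, and note that if it can return null the `$method->name` access becomes a warning rather than a clean miss.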