author | Harald Eilertsen <haraldei@anduin.net> | 2024-07-06 11:42:43 +0200 |
---|---|---|
committer | Harald Eilertsen <haraldei@anduin.net> | 2024-07-06 11:49:34 +0200 |
commit | 6d91832dd4234e28e9786ab958e8dec2ac19b97c (patch) | |
tree | 2216b8c6114dadab0966f9df55b237468ac9fa42 | |
parent | f6132cac7e534d26ae3189b09f55be3a06aa7beb (diff) | |
Process XML-RPC requests separately.
If the XML-RPC method is wp.getUsersBlogs, we just save submitted
credentials and otherwise ignore the request.
We get a lot of these, and they're not really that interesting, so we
don't need to save the full payload. But let's keep the credentials,
so that we can build a list of passwords and user names.
Other requests will be saved in full as before.
-rw-r--r-- | index.php | 1 | ||||
-rw-r--r-- | src/process-request.php | 16 |
2 files changed, 17 insertions, 0 deletions
@@ -4,4 +4,5 @@
 //
 // SPDX-License-Identifier: AGPL-3.0-or-later
+require __DIR__ . '/vendor/autoload.php';
 require __DIR__ . '/src/process-request.php';
diff --git a/src/process-request.php b/src/process-request.php
index 9c6a006..fd290ce 100644
--- a/src/process-request.php
+++ b/src/process-request.php
@@ -5,6 +5,8 @@
 //
 // SPDX-License-Identifier: AGPL-3.0-or-later
+use VolseNet\Webtrap\XmlRpcMethod;
+
 $data = [
 'SERVER_NAME' => $_SERVER['SERVER_NAME'],
 'REMOTE_ADDR' => $_SERVER['REMOTE_ADDR'],
@@ -19,7 +21,21 @@ $data = [
 'BODY' => file_get_contents('php://input'),
 ];
+if (preg_match('/xmlrpc\.php/i', $data['REQUEST_URI']) && $data['REQUEST_METHOD'] === 'POST') {
+ $method = XmlRpcMethod::parse($data['BODY']);
+ if ($method->name === 'wp.getUsersBlogs') {
+ $file_name = dirname(__DIR__) . '/payloads/credentials.txt';
+ $file = new SplFileObject($file_name, 'a');
+ $file->fwrite("{$method->params[0]}: {$method->params[1]}\n");
+ error_log("Trapped XML-RPC request, saving credentials to {$file_name}");
+
+ header("HTTP/1.1 404 Not Found");
+ die();
+ }
+}
+
 $file_name = dirname(__DIR__) . "/payloads/{$data['REQUEST_TIME']}-{$data['SERVER_NAME']}.json";
 error_log("Trapped request, saving to {$file_name}");
 file_put_contents($file_name, json_encode($data));
+
 header("HTTP/1.1 404 Not Found"); |
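Review bot: The `fwrite` call in the new `wp.getUsersBlogs` branch writes `$method->params[0]` and `$method->params[1]` verbatim from the request body, so a submitted user name or password containing a newline (or `: `) can split or forge entries in `payloads/credentials.txt`, and a request with fewer than two parameters or with non-string parameters produces PHP warnings rather than a usable record. Encoding each entry as one JSON line keeps the list unambiguous: `$file->fwrite(json_encode([$method->params[0] ?? null, $method->params[1] ?? null], JSON_INVALID_UTF8_SUBSTITUTE) . "\n");`. `XmlRpcMethod::parse()` is not visible in this diff; if it can throw or return null for a malformed body, the `$method->name` access would end the request in a PHP error instead of the 404 and the payload would not be saved in full, so the branch is worth guarding, e.g. `if ($method !== null && $method->name === 'wp.getUsersBlogs') {`, with a parse failure falling through to the full save.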