This is how attackers get your WordPress [admin username]!!

lop 10 days ago 11

http://[your domain]/wp-json/wp/v2/users/
I just tested this on the signature sites of various MJJ here.
Around 90% of the sites show the admin username.
It isn't worth much on its own, but having sensitive information exposed still isn't pleasant.
My detailed analysis of one attack I ran into:
https://www.izcv.com/2691.html
(Go easy, big shots; my little site can't take it)
Latest replies (57)
  • pulpfunction 10 days ago
    Quote 2
    admin, not worried
    I don't even know the password myself
  • 风为裳 10 days ago
    Quote 3
    Thank you so much, OP, I've finally found my blog's username!
  • Sooele 10 days ago
    Quote 4
    /batch/v1
    /oembed/1.0
    /oembed/1.0/embed
    /oembed/1.0/proxy
    /akismet/v1
    /akismet/v1/key
    /akismet/v1/settings
    /akismet/v1/stats
    /akismet/v1/stats/(?P<interval>[\w+])
    /akismet/v1/alert
    /jetpack/v4
    /jetpack/v4/plans
    /jetpack/v4/products
    /jetpack/v4/marketing/survey
    /jetpack/v4/jitm
    /jetpack/v4/connection/test
    /jetpack/v4/connection/test-wpcom
    /jetpack/v4/rewind
    /jetpack/v4/scan
    /jetpack/v4/connection/url
    /jetpack/v4/connection/data
    /jetpack/v4/connection/register
    /jetpack/v4/connection/owner
    /jetpack/v4/tracking/settings
    /jetpack/v4/connection
    /jetpack/v4/connection/user
    /jetpack/v4/site
    /jetpack/v4/site/features
    /jetpack/v4/site/products
    /jetpack/v4/site/purchases
    /jetpack/v4/site/benefits
    /jetpack/v4/site/activity
    /jetpack/v4/identity-crisis/confirm-safe-mode
    /jetpack/v4/identity-crisis/start-fresh
    /jetpack/v4/identity-crisis/migrate
    /jetpack/v4/module/all
    /jetpack/v4/module/all/active
    /jetpack/v4/module/(?P<slug>[a-z\-]+)
    /jetpack/v4/module/(?P<slug>[a-z\-]+)/active
    /jetpack/v4/module/(?P<slug>[a-z\-]+)/data
    /jetpack/v4/module/(?P<service>[a-z\-]+)/key/check
    /jetpack/v4/settings
    /jetpack/v4/settings/(?P<slug>[a-z\-]+)
    /jetpack/v4/options/(?P<options>[a-z\-]+)
    /jetpack/v4/updates/plugins
    /jetpack/v4/notice/(?P<notice>[a-z\-_]+)
    /jetpack/v4/plugins
    /jetpack/v4/plugins/(?P<plugin>[^.\/]+(?:\/[^.\/]+)?)
    /jetpack/v4/plugins/akismet/activate
    /jetpack/v4/plugin/(?P<plugin>[a-z\/\.\-_]+)
    /jetpack/v4/widgets/(?P<id>[0-9a-z\-_]+)
    /jetpack/v4/verify-site/(?P<service>[a-z\-_]+)
    /jetpack/v4/verify-site/(?P<service>[a-z\-_]+)/(?<keyring_id>[0-9]+)
    /jetpack/v4/service-api-keys/(?P<service>[a-z\-_]+)
    /jetpack/v4/mobile/send-login-email
    /jetpack/v4/setup/questionnaire
    /jetpack/v4/licensing/error
    /jetpack/v4/jetpack_crm
    /jetpack/v4/verify_xmlrpc_error
    /jetpack/v4/remote_authorize
    /jetpack/v4/connection/plugins
    /jetpack/v4/connection/reconnect
    /wpcom/v2
    /wpcom/v2/business-hours/localized-week
    /wpcom/v2/admin-menu
    /wpcom/v2/external-media/list/(?P<service>google_photos|pexels)
    /wpcom/v2/external-media/copy/(?P<service>google_photos|pexels)
    /wpcom/v2/external-media/connection/(?P<service>google_photos)
    /wpcom/v2/instagram-gallery/connect-url
    /wpcom/v2/instagram-gallery/connections
    /wpcom/v2/instagram-gallery/gallery
    /wpcom/v2/mailchimp
    /wpcom/v2/mailchimp/groups
    /wpcom/v2/podcast-player
    /wpcom/v2/resolve-redirect/?(?P<url>.+)?
    /wpcom/v2/search
    /wpcom/v2/tweetstorm/gather
    /wpcom/v2/tweetstorm/parse
    /wpcom/v2/tweetstorm/generate-cards
    /wpcom/v2/gutenberg/available-extensions
    /wpcom/v2/hello
    /wpcom/v2/memberships/status
    /wpcom/v2/memberships/product
    /wpcom/v2/memberships/products
    /wpcom/v2/publicize/connections
    /wpcom/v2/publicize/connection-test-results
    /wpcom/v2/publicize/services
    /wpcom/v2/service-api-keys/(?P<service>[a-z\-_]+)
    /wpcom/v2/subscribers/count
    /jetpack/v4/hints
    /wp/v2
    /wp/v2/posts
    /wp/v2/posts/(?P<id>[\d]+)
    /wp/v2/posts/(?P<parent>[\d]+)/revisions
    /wp/v2/posts/(?P<parent>[\d]+)/revisions/(?P<id>[\d]+)
    /wp/v2/posts/(?P<id>[\d]+)/autosaves
    /wp/v2/posts/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
    /wp/v2/pages
    /wp/v2/pages/(?P<id>[\d]+)
    /wp/v2/pages/(?P<parent>[\d]+)/revisions
    /wp/v2/pages/(?P<parent>[\d]+)/revisions/(?P<id>[\d]+)
    /wp/v2/pages/(?P<id>[\d]+)/autosaves
    /wp/v2/pages/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
    /wp/v2/media
    /wp/v2/media/(?P<id>[\d]+)
    /wp/v2/media/(?P<id>[\d]+)/post-process
    /wp/v2/media/(?P<id>[\d]+)/edit
    /wp/v2/blocks
    /wp/v2/blocks/(?P<id>[\d]+)
    /wp/v2/blocks/(?P<id>[\d]+)/autosaves
    /wp/v2/blocks/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
    /wp/v2/feedback
    /wp/v2/feedback/(?P<id>[\d]+)
    /wp/v2/feedback/(?P<id>[\d]+)/autosaves
    /wp/v2/feedback/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
    /wp/v2/jp_pay_order
    /wp/v2/jp_pay_order/(?P<id>[\d]+)
    /wp/v2/jp_pay_order/(?P<id>[\d]+)/autosaves
    /wp/v2/jp_pay_order/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
    /wp/v2/jp_pay_product
    /wp/v2/jp_pay_product/(?P<id>[\d]+)
    /wp/v2/jp_pay_product/(?P<id>[\d]+)/autosaves
    /wp/v2/jp_pay_product/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
    /wp/v2/types
    /wp/v2/types/(?P<type>[\w-]+)
    /wp/v2/statuses
    /wp/v2/statuses/(?P<status>[\w-]+)
    /wp/v2/taxonomies
    /wp/v2/taxonomies/(?P<taxonomy>[\w-]+)
    /wp/v2/categories
    /wp/v2/categories/(?P<id>[\d]+)
    /wp/v2/tags
    /wp/v2/tags/(?P<id>[\d]+)
    /wp/v2/users
    /wp/v2/users/(?P<id>[\d]+)
    /wp/v2/users/me
    /wp/v2/users/(?P<user_id>(?:[\d]+|me))/application-passwords
    /wp/v2/users/(?P<user_id>(?:[\d]+|me))/application-passwords/(?P<uuid>[\w\-]+)
    /wp/v2/comments
    /wp/v2/comments/(?P<id>[\d]+)
    /wp/v2/search
    /wp/v2/block-renderer/(?P<name>[a-z0-9-]+/[a-z0-9-]+)
    /wp/v2/block-types
    /wp/v2/block-types/(?P<namespace>[a-zA-Z0-9_-]+)
    /wp/v2/block-types/(?P<namespace>[a-zA-Z0-9_-]+)/(?P<name>[a-zA-Z0-9_-]+)
    /wp/v2/settings
    /wp/v2/themes
    /wp/v2/plugins
    /wp/v2/plugins/(?P<plugin>[^.\/]+(?:\/[^.\/]+)?)
    /wp/v2/block-directory/search
    /wp-site-health/v1
    /wp-site-health/v1/tests/background-updates
    /wp-site-health/v1/tests/loopback-requests
    /wp-site-health/v1/tests/dotorg-communication
    /wp-site-health/v1/tests/authorization-header
    /wp-site-health/v1/directory-sizes
    I can give you a similar set. It just depends on your ability!
  • wang3y2 10 days ago
    Quote 5
    Add the following code to functions.php in the current theme directory:
    // Disable wp-json/wp/v2/ when no account is logged in, to prevent information leakage
    add_filter( 'rest_authentication_errors', function( $result ) {
        // Another filter has already produced a result (an error or true): leave it alone
        if ( ! empty( $result ) ) {
            return $result;
        }
        // Anonymous request: refuse the whole REST API with a 401
        if ( ! is_user_logged_in() ) {
            return new WP_Error( 'Access denied', 'You have no permission to handle it.', array( 'status' => 401 ) );
        }
        return $result;
    });
  • allen314 10 days ago
    Quote 6
    So how do you block this? Could one of the experts explain?
  • sanquanjun 10 days ago
    Quote 7
    Been using admin for ages
  • 全球主机云 10 days ago
    Quote 8
    No big deal, I'm not an important person anyway
  • intro 10 days ago
    Quote 9
    Impressive
  • reizhi 10 days ago
    Quote 10
    Okay, it really does work
    But there's no damn need; my blog name is my login username
  • cicvc 10 days ago
    Quote 11
    That is indeed a bit impressive
  • chinayang 10 days ago
    Quote 12
    My firewall also often intercepts some inexplicable attacks; no idea what they're for
  • Stellvia 10 days ago
    Quote 13
    404 Not Found
    nginx
  • 月の天使 10 days ago
    Quote 14
    Impressive; changing the name is completely useless
  • citywar 10 days ago
    Quote 15
    Doesn't seem all that useful; there are lots of usernames
  • lop (OP) 10 days ago
    Quote 16
    citywar posted on 2021-1-13 17:06
    Doesn't seem all that useful; there are lots of usernames
    Low damage. Extremely insulting...
  • panghu 10 days ago
    Quote 17
    I'm not on wp
  • beixiaoqian 10 days ago
    Quote 18
    403 error, what do I do?
  • day 10 days ago
    Quote 19
    404
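A narrower alternative, added here as an example (it is not wang3y2's code and not code from the WordPress project): the snippet above refuses every REST route to anonymous visitors, which also breaks oEmbed previews, Jetpack and contact-form plugins that call the API without a login. The version below hooks `rest_pre_dispatch` instead, denies only the `/wp/v2/users` routes to unauthenticated requests using the same `rest_user_cannot_view` error that WordPress itself returns on hardened sites in this thread, and writes one line to the PHP error log per denied request so the attempts are visible. It assumes it is pasted into the active theme's functions.php (which already opens with `<?php`) or a mu-plugin; the `mjj_` prefix on the helper is an arbitrary choice.

```php
/**
 * Added example: block anonymous user enumeration through the REST API
 * while leaving the rest of the API (oembed, Jetpack, form plugins) working.
 * Assumes it lives in functions.php or a mu-plugin; "mjj_" prefix is arbitrary.
 */

// True for the user collection (/wp/v2/users) and every route below it
// (/wp/v2/users/1, /wp/v2/users/me, .../application-passwords, ...).
function mjj_is_user_route( $route ) {
    return '/wp/v2/users' === $route || 0 === strpos( $route, '/wp/v2/users/' );
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already short-circuited the request: leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    // Only the user routes are affected; everything else dispatches normally.
    if ( ! mjj_is_user_route( $request->get_route() ) ) {
        return $result;
    }

    // Authenticated callers (cookie + nonce, or an application password) keep
    // normal access; WordPress' own per-route permission checks still apply.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Detection: one log line per denied attempt, in the PHP/web server error log.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'REST user enumeration blocked: %s %s from %s',
        $request->get_method(),
        $request->get_route(),
        $ip
    ) );

    // Same error code and status WordPress uses when listing users is not allowed.
    return new WP_Error(
        'rest_user_cannot_view',
        'Sorry, you are not allowed to list users.',
        array( 'status' => 401 )
    );
}, 10, 3 );
```

Because the check runs inside the REST dispatcher it applies however the request reaches the API, both the /wp-json/ pretty-permalink path and the `rest_route` query variable, which a web-server rule keyed only on the /wp-json/ prefix does not cover. Note that a browser tab opened at /wp-json/wp/v2/users/ without the REST nonce counts as anonymous, so the admin's own test visit while logged in is denied too; the dashboard and block editor send the nonce and are unaffected. After a test request from a logged-out browser, the error log should contain one "REST user enumeration blocked" line.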
  • asdii 10 days ago
    Quote 21
    Randomly generated 20-character password; even knowing the username, brute-forcing it would probably take a while
  • 杀猪的 10 days ago
    Quote 22
    Testing the first site in the signature
  • Quote 23
    {"code":"rest_disabled","message":"REST API disabled.","data":{"status":401}}
    Set it up, and it shows this
  • lop (OP) 10 days ago
    Quote 24
    爱吃醋的醋醋 posted on 2021-1-13 17:29
    {"code":"rest_disabled","message":"REST API disabled.","data":{"status":401}}
    Set it up, and it shows this ...
    REST API disabled means you've already disabled it.
  • MoeWang 10 days ago
    Quote 25
    Mine seems to return 403; blocked by the firewall
  • plumn 10 days ago
    Quote 26
    About 90% of sites have admin as the admin username
  • cc0cc 10 days ago
    Quote 27
    Returns 403
  • 孙长老 10 days ago
    Quote 28
    Then I happen to be in that 10%
  • zqm840527 10 days ago
    Quote 29
    {"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}
  • 似毛非毛 10 days ago
    Quote 30
    Tried VIR's. https://virmach.com/wp-json/wp/v2/users/
    {"code":"rest_cannot_access","message":"DRA: Only authenticated users can access the REST API.","data":{"status":401}}
  • 3721 10 days ago
    Quote 31
    Impressive, big shot
  • 孫笑川 10 days ago
    Quote 32
    风为裳 posted on 2021-1-13 17:21
    Thank you so much, OP, I've finally found my blog's username!
    Found a use for it
  • gyjys43043 10 days ago
    Quote 33
    {"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}
    Installing a WAF plugin can block it
  • cjjia 10 days ago
    Quote 34
    "抱歉,您不能列出用户。"
  • jqbaobao 10 days ago
    Quote 35
    Nothing happened
  • 胖虎 10 days ago
    Quote 36
    Actually, attacks on wp usernames don't go through the REST API. If you don't believe me, create a new post, publish it under a secondary account, and after a while check the backend: you'll find someone trying passwords against that account's username.
  • vipmobiletv 10 days ago
    Quote 37
    It's just the REST API; surely nobody leaves this thing on
  • 奈雅丽 10 days ago
    Quote 38
    404 Not Found
    nginx
  • CCCP 10 days ago
    Quote 39
    Thanks for sharing; going to set the permissions right now
  • Yikmings 10 days ago
    Quote 40
    You are not authorized to perform this action.
  • 柳逸寒 10 days ago
    Quote 41
    404
  • 三七开 10 days ago
    Quote 42
    Doesn't matter; with a 20-character password of digits, upper- and lowercase letters and special characters that I can't even remember myself, let them crack away
  • 16qf 10 days ago
    Quote 43
    Name admin, password 64 random upper- and lowercase letters, digits and symbols
  • 三和大神 10 days ago
    Quote 45
    Not using wp keeps you safe
  • wifitry 10 days ago
    Quote 47
    No idea what this is, but it sounds impressive
  • xlouspeng 10 days ago
    Quote 48
    For someone like me who doesn't even remember his own password, even if they got it there's nothing to be done
  • 战神赵日天 10 days ago
    Quote 49
    This information is very useful. If the site owner uses their usual online handle and the password is already out there in plaintext, getting in is basically a matter of minutes
  • dahai0405 10 days ago
    Quote 50
    [{"id":1,"name":"gongyi","url":"","description":"","link":"https:\/\/www.zhujiceping.com\/author\/admin\/","slug":"admin","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/d2ad946411bb7848e873d0c3588bfe45?s=24&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/d2ad946411bb7848e873d0c3588bfe45?s=48&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/d2ad946411bb7848e873d0c3588bfe45?s=96&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/www.zhujiceping.com\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/www.zhujiceping.com\/wp-json\/wp\/v2\/users"}]}}]
  • lop (OP) 10 days ago
    Quote 51
    Sooele posted on 2021-1-13 20:16
    /batch/v1
    /oembed/1.0
    /oembed/1.0/embed
  • eate 10 days ago
    Quote 52
    Attacking through the XMLRPC interface? I just turned XMLRPC off, and blocked it with the firewall on the cloudflare side as well. Solid.
  • 蓝色的信封 10 days ago
    Quote 53
    WP's API; the posts are all by admin, let people crack away
  • diyes 10 days ago
    Quote 54
    admin
  • hjz 10 days ago
    Quote 55
    Got it, thanks! Already behind the Cloudflare firewall.
  • cange 10 days ago
    Quote 57
    NB, you know as soon as you try it
  • micms 10 days ago
    Quote 58
    Wow, it really does show it