XML-RPC Vulnerability: Easy Exploit, Easy Bounty!
While hunting on a target (let's call it target.com), I was discovering directories and found that target.com/blog is running WordPress.
So the first thing I did was scan it with wpscan to enumerate plugins, themes and other things.
I used this command:
wpscan --url https://target.com/blog --random-user-agent

From the results, it says that XML-RPC seems to be enabled.
XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn't a self-enclosed system and occasionally needs to communicate with other systems, XML-RPC is what handles that job.
So let's open target.com/blog/xmlrpc.php to see.

As we can see, it accepts POST requests.
So let's open Burp Suite to test.
As a PoC I used this XML request:
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
This request lists the available methods via the system.listMethods call.

Boom! It succeeded.
Impact:
The exposed xmlrpc.php file can be exploited in several ways:
- Brute Force Attacks: Attackers can use methods like wp.getUsersBlogs to enumerate valid usernames and perform brute force attacks.
- DDoS Amplification: The system.multicall method can be abused to send multiple requests in a single call, potentially leading to DDoS attacks.
- Information Disclosure: The system.listMethods call reveals available methods, which could expose sensitive functionality.
- Pingback Abuse: The pingback.ping method can be exploited for Server-Side Request Forgery (SSRF) attacks.
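The same system.listMethods reply that confirmed the finding is also what a site owner can use to audit their own blog: parse the method list and flag the methods the Impact section names. The script below is an added example, not code from the original post. It uses only the Python standard library; the response it parses is a constructed sample, and check_site() is an optional live self-check for a WordPress site you administer.

```python
"""Audit whether a WordPress xmlrpc.php answers system.listMethods and map the
exposed methods to the abuse categories listed in the write-up.

Added example (not from the original post). SAMPLE_RESPONSE is constructed;
check_site() performs the same POST the write-up sends with Burp.
"""
from typing import Dict, List
import urllib.request
import xmlrpc.client

# Methods the write-up names, with the risk each one carries when exposed.
RISKY_METHODS = {
    "wp.getUsersBlogs": "username enumeration / credential brute force",
    "system.multicall": "request amplification (many calls per HTTP request)",
    "pingback.ping": "pingback abuse / SSRF",
}


def build_list_methods_request() -> bytes:
    """Serialise the same <methodCall> the write-up sends as a PoC."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def parse_list_methods_response(body: bytes) -> List[str]:
    """Extract method names from a <methodResponse>.

    xmlrpc.client.loads raises xmlrpc.client.Fault if the server answered with
    a fault; a well-formed reply that is not a list raises ValueError here.
    """
    params, _ = xmlrpc.client.loads(body)
    if len(params) != 1 or not isinstance(params[0], list):
        raise ValueError("not a system.listMethods response")
    return [str(m) for m in params[0]]


def assess(methods: List[str]) -> Dict[str, str]:
    """Return only the exposed methods that have a known abuse path."""
    return {m: RISKY_METHODS[m] for m in methods if m in RISKY_METHODS}


def check_site(xmlrpc_url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Live self-check against <your-site>/xmlrpc.php (a site you administer)."""
    req = urllib.request.Request(
        xmlrpc_url,
        data=build_list_methods_request(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return assess(parse_list_methods_response(resp.read()))


# Constructed sample reply, shaped like a real system.listMethods response.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>system.getCapabilities</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>wp.getPosts</string></value>
</data></array></value></param></params></methodResponse>"""

if __name__ == "__main__":
    for name, risk in assess(parse_list_methods_response(SAMPLE_RESPONSE)).items():
        print(f"{name}: {risk}")
```

Running the script on the sample prints three flagged methods. If your own site reports any of them and you do not rely on XML-RPC clients (the Jetpack plugin or the mobile apps, for example), WordPress's `xmlrpc_enabled` filter can be used to turn the interface off, or the web server can deny access to xmlrpc.php.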

If you have reached this point, thanks so much for reading.
My Linkedin account: https://www.linkedin.com/in/kerolos-ayman-19a569255
My channels on Telegram:
https://t.me/CyberSecurityforall24