Hi there! This is my first ever write-up, which I am publishing based on my finding of a flaw in a private site on HackerOne. So let's start.
I got this site as a private invite (can't disclose the name, sorry) on HackerOne and, simple as ever, I started scanning for subdomains, port scanning, and all the usual stuff just for the recon. It was easy to play around, as the site mentioned a wide scope in which to find flaws.
Then, again thanks to Wappalyzer for showing the CMS and frameworks used by the site, I got WordPress, although it didn't mention the version the site was using; at that time WPScan rocks. I fired it up in my terminal and YES, the version detected was quite old and showed multiple vulnerabilities. I tried to exploit some but didn't have any luck with it.
Also, there I had this link blog.redacted.com which was leaking the xmlrpc.php file, and when I checked the source code I found some other REST APIs to play with, but those were not leaking any data, so I turned back to this.
So what is XML-RPC? XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. "XML-RPC" also refers generically to the use of XML for remote procedure calls, independently of the specific protocol. Basically, xmlrpc.php is an endpoint that accepts procedure calls sent to the website as POST data.
In WordPress it is an API which allows developers to manipulate the WordPress site, for example:
publish a post, edit a post, delete a post, and even upload files.
So the new link was http://blog.redacted.com/xmlrpc.php, which I opened once and intercepted the request in Burp.
1. Change the request from GET to POST and add a POST body; this lets you view all the procedure calls the site makes available to us.
2. Send the following body:
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
3. An attacker mainly looks for these methods, and if they are available he can proceed with the attack:
wp.getUsersBlogs
wp.getCategories
metaWeblog.getUsersBlogs
4. To perform the brute-force login, send the following in the POST request. I would recommend WPScan to find a list of valid usernames; most sites don't care about their username enumeration, so it's easy to find.
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
I think now you can assume the impact of this vulnerability: it can be used to perform brute-force attacks against credentials, and it can also automate a major DDoS attack.
This was my simple and nice finding on HackerOne, since the company had no reward program other than kudos and reputation. But yeah, for a hacker it's a win-win situation. REPUTATION MATTERS… :P
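As a defender-side companion to the requests shown above (an added example, not part of the original write-up): a small Python check that parses XML-RPC POST bodies, picks out the credential-bearing methods listed in step 3, and flags source IPs that hammer xmlrpc.php with them. The sample requests and IP addresses are constructed, and the threshold is a placeholder to tune per time window.

```python
"""Defender-side check: spot XML-RPC credential-guessing bursts in a request log."""
from collections import Counter
from typing import Optional
import xml.etree.ElementTree as ET

# XML-RPC methods that take a username/password pair, so each call is a
# login attempt against xmlrpc.php (the ones listed in the write-up).
AUTH_METHODS = {"wp.getUsersBlogs", "metaWeblog.getUsersBlogs", "wp.getCategories"}


def method_name(body: str) -> Optional[str]:
    """Extract <methodName> from an XML-RPC <methodCall> body; None if malformed."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("methodName") if root.tag == "methodCall" else None
    return node.text.strip() if node is not None and node.text else None


def auth_attempts_by_ip(requests) -> Counter:
    """Count credential-bearing method calls to /xmlrpc.php per source IP."""
    counts = Counter()
    for ip, path, body in requests:
        if path == "/xmlrpc.php" and method_name(body) in AUTH_METHODS:
            counts[ip] += 1
    return counts


def flag_bruteforce(requests, threshold: int = 5) -> list:
    """IPs whose login-bearing XML-RPC calls reach the threshold (placeholder; tune per window)."""
    return sorted(ip for ip, n in auth_attempts_by_ip(requests).items() if n >= threshold)


def call(method: str, *values: str) -> str:
    """Build a <methodCall> body in the same shape as the requests shown in the write-up."""
    params = "".join(f"<param><value>{v}</value></param>" for v in values)
    return f"<methodCall><methodName>{method}</methodName><params>{params}</params></methodCall>"


# Constructed sample log: (source IP, path, request body). 203.0.113.10 lists the
# methods, then fires eight guesses at 'admin'; 198.51.100.7 logs in once normally.
SAMPLE_REQUESTS = (
    [("203.0.113.10", "/xmlrpc.php", call("system.listMethods"))]
    + [("203.0.113.10", "/xmlrpc.php", call("wp.getUsersBlogs", "admin", f"guess{i}")) for i in range(8)]
    + [("198.51.100.7", "/xmlrpc.php", call("wp.getUsersBlogs", "editor", "correct horse battery"))]
    + [("198.51.100.7", "/wp-login.php", "")]
)

if __name__ == "__main__":
    print("flagged:", flag_bruteforce(SAMPLE_REQUESTS))  # flagged: ['203.0.113.10']
```

A plain access log does not carry request bodies, so this runs on what a WAF or reverse proxy with body logging records; enumeration via system.listMethods is deliberately not counted as a login attempt.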
THANK YOU