Exploiting Wordpress XML-RPC file

Johnfiel
Nov 21, 2019

I was running a test on a specific website and I stumbled upon an xmlrpc.php file.

XML-RPC is a mechanism that allows other applications to update WordPress remotely. For instance, the Windows Live Writer client can post to a blog directly because of xmlrpc.php. The same endpoint, however, can expose the site to a number of attacks and other issues.

The XML-RPC API that WordPress provides gives developers a way to write applications that can do many of the things you can do when logged into WordPress via the web interface. These include:

  • Publish a post
  • Edit a post
  • Delete a post
  • Upload a new file (e.g. an image for a post)
  • Get a list of comments
  • Edit comments

Knowing all that, it is time to test the theory. I used Burp Suite Repeater to check the response to each of my requests.

POST request:

And voila! I got a 200 OK response!

A successful response like this shows that xmlrpc.php is enabled.

DDOS ATTACK

The file discussed above could also be abused to mount a DDoS attack against a victim host. This is done by sending a request like the one below, which asks the WordPress server to issue a pingback to the victim URL.

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://<YOUR SERVER ></string></value>
</param>
<param>
<value><string>https://example.com/</string></value>
</param>
</params>
</methodCall>

This can be automated from multiple hosts and be used to cause a mass DDOS attack on the victim.

BRUTEFORCE ATTACK

To perform a brute-force login attack, send the following in the POST request. Knowing valid usernames makes this much more effective (WPScan can help with that).

Although every attempt returns a 200 OK response, the response body tells you whether the login you entered in Intruder was correct.

Remediation:

If xmlrpc.php is not being used, it should be disabled and removed completely to avoid any potential risk. Otherwise, it should at the very least be blocked from external access.
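As an added example (not from the original post), the must-use plugin below applies this remediation inside WordPress itself. One caveat worth knowing: the built-in xmlrpc_enabled filter only disables methods that require authentication, so the unauthenticated pingback.ping method used in the DDoS request above has to be removed separately. The filter names are WordPress's own; the file location and the allow-listed address are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC
 * Description: Added example, not from the original post. Place in wp-content/mu-plugins/
 *              to turn off XML-RPC logins and remove the pingback method shown above.
 */

// Clients that still need XML-RPC (e.g. a desktop publishing tool). Empty = nobody.
// The address is a constructed placeholder from the RFC 5737 documentation range.
const RESTRICT_XMLRPC_ALLOWED_IPS = [ '203.0.113.10' ];

// 1. Authenticated methods (wp.*, metaWeblog.*, blogger.*) only for allow-listed clients.
//    This closes the brute-force vector for everyone else: login attempts get a fault.
//    Caveat: this filter does NOT touch unauthenticated methods such as pingback.ping,
//    and REMOTE_ADDR is the proxy's address if the site sits behind a reverse proxy.
add_filter( 'xmlrpc_enabled', function () {
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    return in_array( $client, RESTRICT_XMLRPC_ALLOWED_IPS, true );
} );

// 2. Remove the pingback methods so the server cannot be instructed to fetch an
//    attacker-chosen URL, which is what the DDoS request in the post relies on.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: WordPress sends X-Pingback on normal page loads.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

After deploying, repeat the pingback.ping request from the DDoS section: the server should now answer with an XML-RPC fault instead of fetching the target URL.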
