WordPress xmlrpc.php -common vulnerabilites & how to exploit them
Hello there! , whats up ? ,Bilal Rizwan here hope your doing great & having fun learning from the community like I am.
What is this Post about ?
You might have seen a /xmlrpc.php file in many wordpress sites you visit , you might have even tried to search the error(XML-RPC server accepts POST requests only) that appears when you visit http://site.com/wp/xmlrpc.php.In this post I’ll try to highlight the common vulnerabilities associated with the xmlrpc.php file.
What is XML-RPC ?
Common Vulnerabilities in XML-RPC
The main weaknesses associated with XML-RPC are: Brute force attacks: Attackers try to login to WordPress using xmlrpc.php .
lets see how that is actually done & how you might be able to leverage this while your trying to test a wordpress site for any potential vulnerabilites
- This is what you originally see when you try to open the xmlrpc.php located at
http:// / /xmlrpc.php
2)Open your proxy (I am using burp )and resend the request
3)The first thing to do now is Send a POST request and list all the available methods , why ? cause that’s how we’ll know which actions are even possible to make and potentially use one of them for an attack.
TO list all methods Send a POST request with the following POST data,like shown in the picture,you’ll get a response with all the methods avaliable
Search for the following , if you find that they are available then we can proceed with the attack
NOTE:there are a few more methods but these are most commonly available & I have dealt with these before so just mentioning the ones that I can remember right now.
3)Now to perform the bruteforce login send send the following in the POST request , if you know any valid usernames that would be even better
I would recommand wp-scan to find a list of valid usernames ,almost all the time companies never try to prevent username enumeration on wordpress sites , idk why .
4) now can you can just load this in to intruder and bruteforce away.
Weather you enter the wrong Pass or the correct you will get a 200 OK response , so your suppose to decide which is correct and which is wrong on the basis of size of the response if your using intruder
the response on correct login will be like the following
Other attacks ?
XSPA or simply port scanning !
- List all the methods and search for the following
2)If you mange to find the pingback.ping string ,then lets proceed and try and get a ping back on our server , you can use netcat , or python server , nodejs server , or even the apache logs anything you want. I’ll be using the nodejs http-server .
Start your server and send the following request in post data
There are 2 thins to be filled here
1) The link of your server
2) link of some valid post from the wordpress site which is used to call the ping back
Using these same technique I was able to earn a small bounty of 600$ today , on a private bugcrowd program.
IF there is anything I missed or typed wrong , you can leave a comment or contact me at