Wordpress xmlrpc bug allows you bruteforce for logging in.

Hi everybody! Let’s hope you all are using this quarantine to learn new things as I am doing.

I’m back again with an easy bug which allows you to bruteforce the login functionalities and it is found in the wordpress sites. It allows only POST requests since XML-RPC server accepts POST requests only. You might have seen a /xmlrpc.php file in many wordpress sites you visit , you might have even tried to search the error that appears when you visit http://site.com/wp/xmlrpc.php.

What is XML-RPC:-

This is an API on wordpress sites which gives developers the ability to talk to your WordPress site who make mobile apps, desktop apps and other services. It can do many of the things that you can do when logged into WordPress via the web interface.

I was doing the pentest on the website “xyz.com”(due to their policy) and while looking for a vulnerability, I found this parameter using dirsearch. The whole URL was like :- https://xyz.com/xmlrpc.php. I opened it in the website and got the result as it accepts only POST requests.

I captured the request in burp and got a GET request. I changed it to POST and it shows you the response in which “server accepts POST request” is mentioned.

Now, Important step comes here:-

In the request page, you need to put this code:-

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

And, you will get the methods used by the website.

Search for the following , if you find that they are available then we can proceed with the attack
*wp.getUserBlogs
*wp.getCategories
*metaWeblog.getUsersBlogsserBlogs
*wp.getCategories
*metaWeblog.getUsersBlogs

NOTE: There are a few more methods but these are most commonly available so just mentioning the ones that I can remember right now.

Now to perform the bruteforce login send send the following in the POST request , if you know any valid usernames that would be even better
I would recommand wp-scan to find a list of valid usernames ,almost all the time companies never try to prevent username enumeration on wordpress sites , weird!

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>

You should get an error for incorrect username and password. now can you can just load this in to intruder and bruteforce away. Weather you enter the wrong Pass or the correct you will get a 200 OK response , so you’re supposed to decide which is correct and which is wrong on the basis of size of the response if your using intruder.

So it was a cool bug and it’s super easy. I don’t know about bugcrowd and H1 but almost all the private programs count it as P3:)

Suggestions are most welcome as always. I will keep posting my findings. If you got anything from it, you can press the clap icon below and ya, don’t forget to follow me on twitter as well. See you all next time.

Cheers!

Twitter:- “@manas_hunter”