Sign up for FREE daily Updates.

Wordpress XML-RPC Brute Force Attack Vulnerability

Today i'll be sharing a easy & quite  interesting tutorial on Wordpress XML-RPC Brute Force Attack.
As we all know nowadays when every an attacker gets his hands on a WordPress website, the first thing he would try to do in order to compromise the website is a brute force attack. The attacker loads a list of user & password combination in order to guess the correct one. Its always the first & mandatory option to try in point of view of a newbie attacker. The result of an increase in brute force attack day buy day, the developers have started using Login captcha plugins to protect them selves form such attack.


XML-RPC is a word press interface & this functionality is turned by default since WordPress 3.5. Recently we have seen very critical vulnerability been found in the same which effected a quarter of the internet - Ping Back DDOS Vulnerability, Arbitrary code Execution etc. Recently it has came to known that attackers are taking advent of the XML-RPC wp.getUsersBlogs method in order to launch a brute force attack against the website. In XML-RPC many of the calls need the credentials in order to implement. Then attacker can try different combinations on user & passwords. The output is thrown on the webpage weather its valid or invalid.



Step by step guide -



 - Locate the XMLRPC on the target website - localhost/xmlrpc.php


















- Send a POST request with the following code given below.

<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value> <string>user</string></value></param>  <param><value><string>password</string></value></param></params></methodCall>












- Check the response

If wrong combination - faultCode


  


If right - isAdmin









Hope you all liked this tutorial.  Any queries? Drop it down in comments!.


Share this article :
 

Post a Comment

 
Support : Blog | Hacking-Sec | PHP-Sec
Copyright © 2014. Hacking-Sec - All Rights Reserved

UA-55004066-1