top of page
OTW

Web App Hacking, Part 6: Exploiting XMLRPC for Bruteforcing WordPress Sites

Updated: Dec 30, 2022


WordPress is the world's most widely used Content Management System (CMS) for websites, comprising almost 28% of all sites on the Internet. This means that tens of millions of websites use this CMS and the vulnerabilities we find there can be used on so many sites that it makes sense to devote significant time and attention to WordPress websites

In Part 5 of this series, I showed you how to enumerate users on WordPress sites and then brute force their passwords using the GUI-based "wp-login". In many cases, brute forcing passwords with wpscan at wp-login will not be possible due to failed password lockouts or other security devices that will block your repeated attempts. In those cases, you will need a different approach to test passwords against and this is where the XML-RPC interface becomes useful to the hacker.

The XML-RPC or XML Remote Procedure Call enables WordPress users and developers to access their sites remotely, hence remote procedure call. In this way, developers and writers can access their websites via smartphones and other devices remotely. The smartphone and other remote device apps access the WordPress sites by presenting the user credentials through the XML-RPC.

Usually, when we attempt to brute force a password, the system sees one login attempt for each user password we attempt. Once we hit some limit of attempts, the system will lock us out. XMLRPC, though, has a system.multicall where we can send hundreds or thousands of password with a single HTTP request. The hacker can use the XMLRPC for presentation of thousands of credentials without the risk of lockouts or other security device interference.

The XMLRPC was released in WordPress 2.6 and since version 3.5, it has been turned on by default. This vulnerability has been mitigated in newer versions of WordPress, but we all know there are millions of unpatched WordPress sites out on the Internet. We simply need to be patient to find these unpatched sites via Google hacking and other methods.

Step #1 Download and install WordPress XMLRPC Brute Force Exploitation tool

The first step, of course, is to fire up Kali and open a terminal. Since this tool is NOT built into Kali, we will need to download and install it. This means that if you are using a different version of Linux, these instructions will work just as well for you.

We can get this tool from github.com, so we only need to use the git clone command to retrieve it such as;

Now that we have cloned this tool into our system, let's make certain it is there by doing a long listing on our directory.

kali > ls -l

As we can see above, we have created a directory named WordPress-XMLRPC-Brute-Force-Exploit. Now, let's move to that directory.

kali > cd Wordpress-XMLRPC-Brute-Force-Exploit

As you can see above, this exploit has two versions, a password list and a README file. We will be using the v2 in this tutorial.

Step #2 Enumerate Users with wpscan

Now that we have our XMLRPC exploit tool ready to roll, let's use our wpscan tool to enumerate some users from an actual WordPress website. I found this site using some of the Google hacks I outlined in my article on finding WordPress sites.

To enumerate the users, we can use the following command;

kali > wpscan -u <domain> --enumerate u

When wpscan runs, it finds that this particular site is using WordPress 4.6.1 and then enumerates all the users as seen below.

Now that we have the users, let's see if we can brute force their passwords with XMLRPC Brute-Force!

Step #3 Brute Force Passwords with XMLRPC

The final step then is to use the XMLRPC tool against these accounts. Since this tool is not using the standard login interface, you will likely be able attempt thousands of potential passwords. When you do find the right password, the script will stop and present you with the correct password.

Before using this script we need to give ourselves permissions to execute it.

Now that we have permission, let's execute the script to see its help page.

kali > ./wordpress-xmlrpc-brute-v2.py

Below the splash screen, we can see that the script displays its "usage". The syntax here is simple; the command followed by the website URL, a password list and the username we want to brute force.

kali > ./wordpress-b <URL> <password list> <username>

In our case here, we can construct a command to brute force our website with the following (the website has been obscured to protect the insecure).

kali > ./wordpress http://wordpress_domain passwords.txt taskfleet

Note that we are using the user "taskfleet" and the password list included with this script. In the real world, you will likely want to use your own password list.

Let's hit enter and let her rip!

Within a few minutes, our script has found the password for the user "taskfleet". With this password, we now login at the wp-login screen and have total control of this website!


23,807 views
bottom of page