VDP-VITBHOPAL
commented
11 months ago Will get back to you once the issue is fixed
Open Tanmay-x07 opened 11 months ago
VDP-VITBHOPAL
commented
11 months ago Will get back to you once the issue is fixed
VDP-VITBHOPAL
commented
10 months ago This issue have been resolved kindly provided the name and social handle for the HOF page
Tanmay-x07
commented
10 months ago Tanmay Vishwakarma
Hello , The website https://admission.vitbhopal.ac.in/xmlrpc.php has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts. Wordpress that have xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made as a part of a huge botnet causing a major DDOS.
URL: https://admission.vitbhopal.ac.in/xmlrpc.php
IMPACT OF BUG:
1) DDoS Attacks via XML-RPC Pingbacks 2) Brute force attacks XML-RPC
If XML-RPC is enabled on your site, a hacker could potentially mount a [DDoS attack] on your site by exploiting xmlrpc.php to send vast numbers of pingbacks to your site in a short time. This could overload your server and put your site out of action.
Brute Force Attacks via XML-RPC Each time xmlrpc.php makes a request, it sends the username and password for authentication. This presents a significant security liability and is something that the REST API does not do. In fact, which sends tokens for authentication instead of usernames or passwords.
Because xmlrpc.php sends authentication information with every request, [hackers could use it to try to access your site]. A brute force attack like this might allow them to insert content, delete code, or [damage your database]
If an attacker sends enough requests to your site, each with a different username and password pair, there is a chance they could eventually hit on the right one, giving them access to your site.
To Reproduce Steps to reproduce the behavior:
Use Burp Suite and visit this and add this
<?xml version="1.0" encoding="utf-8"?>
at the end of the request like given below:
POST REQUEST: POST /xmlrpc.php HTTP/2 Host: https://admission.vitbhopal.ac.in/ Cookie: _fbp=fb.1.1690390739850.1225741961; _gcl_au=1.1.2098717696.1690390740; _ga=GA1.1.1358944395.1690390740; crisp-client%2Fsession%2F3e9d1351-f1a3-4320-986d-a97e915064bd=session_d23243e8-8ead-4969-8d59-2fd22b8633e1; amp_824c80=WSPN07ostO3ZdGpOGf9hFQ...1h72jfj63.1h72jfj63.0.2.2=WSPN07ostO3ZdGpOGf9hFQ...1h72jfj69.1h72jfj6d.0.2.2; _clck=1s05ohr|2|fdw|0|1302; _clsk=faut8s|1691230916858|1|1|q.clarity.ms/collect; _ga_5Q1YFB1R0F=GS1.1.1691230916.3.1.1691230940.36.0.0; wordpress_test_cookie=WP%20Cookie%20check Cache-Control: max-age=0 Sec-Ch-Ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 136
<?xml version="1.0" encoding="utf-8"?>
See error
you will get this in response
and more also,
As, this can be escalated to XML-RPC pingbacks attacks
Reference Hackerone Reports:
https://hackerone.com/reports/325040 https://hackerone.com/reports/448524 https://hackerone.com/reports/752073
Screenshots/POC Attached below
Additional context If require more information I can provide
Thankyou, Looking for further response Tanmay_x07