For this, install Burp Suite Community Edition or use the copy pre-installed in Kali Linux. Fire up Burp Suite, open the WordPress login page, turn on the Intercept tab in Burp Proxy, then supply any username and password of your choice to log in to the WordPress site. Burp will intercept the login request before it is sent, so you can inspect it.
Java applets serialize the data they send to the server. Serialized Java requests and responses are not displayed in a readable format by typical proxy tools, so to test such applications we need to deserialize these requests and analyze them as we do for normal web applications.
Burp Proxy with the JDSer plugin can do this: JDSer-ng deserializes Java objects into XML using the XStream library.
Steps to use the JDSer plugin for applet pentesting
1) Download burpjdser.jar and xstream.jar. Ref: https://github.com/omercnet/BurpJDSer-ng
2) Copy all the application jars to a folder on your system (e.g. D:\jars). On Windows machines, jars are stored in the Java cache (Control Panel -> Java -> Temporary Internet Files -> View). The jars in the Java cache can be deleted from Control Panel -> Java -> Temporary Internet Files -> Settings. Clear the Java cache so the application jars are downloaded afresh. Enable a proxy tool to see the jar URLs in the proxy; these URLs can be copied and pasted into another browser to save the jars to your local directory.
3) Install Java on your machine and set the PATH environment variable appropriately.
4) Run the command below to start Burp with the JDSer plugin (the temp-dir property is java.io.tmpdir, and the Windows classpath separator is ';').
D:\> java -Djava.io.tmpdir=D:\Temp -classpath burpsuite.jar;burpjdser.jar;xstream.jar;D:\jars\* burp.StartBurp
D:\jars\* is the folder in which the application jars are stored.
D:\Temp is a temporary folder.
Make sure all three jars, i.e. burpsuite.jar, burpjdser.jar and xstream.jar, are in the directory from which you run the command; otherwise specify the complete path to each jar in the command above.
5) Now browse through the application with applets and observe the HTTP traffic in Burp Suite. The applet requests will be displayed in XML format.
Penetration testing the applet traffic is now feasible. Applets are most commonly tested for SQL injection vulnerabilities.
Recently I was working on a client project, a WordPress site, and noticed an interesting path that Burp Suite caught, which looked something like this
I then googled and did some research on WordPress XML-RPC, and the documentation says
XML-RPC on WordPress is actually an API or “application program interface”. It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface
It enables operations such as:
- Publish a post
- Edit a post
- Delete a post
- Upload a new file (e.g. an image for a post)
- Get a list of comments
- Edit comments
Exploiting XML-RPC
1. Brute force attacks
Looking at the API calls listed above, each requires user authentication to succeed. To obtain user credentials, we can perform a brute force attack against the user accounts. The important point is that most security plugins hide the WordPress login page and add a captcha once a user fails to provide correct credentials more than 3 times, but through XML-RPC we can bypass all of these and perform the attack. Before moving on, we should check whether XML-RPC is enabled on the target website; to do that, we send the following GET request to the WordPress site
In this example I’m using Burp Suite to intercept and send requests.
If XML-RPC is enabled, the server returns something like this: “XML-RPC server accepts POST requests only.”
Now let’s check which API functions we can actually access. To do that we send a POST request to xmlrpc.php with the following body:
As you can see, it returns a response with the list of functions available to us.
There are several functions that can be used for brute force attacks, but we will focus on a few that are effective and fast, such as
Let’s try the wp.getUsersBlogs function.
As you can see, if the username and/or password is incorrect it returns the error message “incorrect username or password”.
Otherwise you get a response like the one depicted above. If the brute-forced user is an admin, the response contains isAdmin with the numeric value 1.
The second function is “system.multicall”, which is special because it lets us try a high number of combinations with a single request (an amplification brute force attack). For example, trying 20 username/password combinations with wp.getUsersBlogs sends 20 requests to the server, but with multicall we can do it in a single request. Let’s see how.
In the above code we tried 4 combinations in a single request.
Now let’s try the wp.uploadFile function. This is my favorite method, because a lot of sites allow it by default and it always works.
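A defender-side check for the multicall amplification described above; this is an added example, not code from the original post. It parses an XML-RPC request body with Python’s standard xmlrpc.client marshaller, counts how many credentialed calls one system.multicall batches, and flags the request. The method names are those used on this page; the threshold, the sample body builder and the placeholder credentials are assumptions.

```python
import xmlrpc.client

# Credentialed methods named on this page; these are the ones that get
# guessed against via xmlrpc.php.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.uploadFile"}
# Hypothetical policy threshold: one multicall carrying this many
# credentialed calls is treated as amplified password guessing.
MULTICALL_THRESHOLD = 3


def inspect_xmlrpc_request(body: str) -> dict:
    """Summarise one XML-RPC request body as a WAF or log hook would.
    xmlrpc.client.loads() handles <methodCall>, implicit strings and the
    array-of-structs layout of system.multicall; it does not bound entity
    expansion, so a real hook should cap the body size first."""
    params, method = xmlrpc.client.loads(body)
    inner = []
    if method == "system.multicall" and params:
        # params[0] is the list of {"methodName": ..., "params": [...]} structs
        inner = [call.get("methodName") for call in params[0]]
    credentialed = sum(1 for m in inner if m in CREDENTIAL_METHODS)
    if method in CREDENTIAL_METHODS:
        credentialed += 1
    return {
        "method": method,
        "inner_methods": inner,
        "credential_calls": credentialed,
        # nested multicall, or too many login attempts in one request
        "suspicious": "system.multicall" in inner
        or credentialed >= MULTICALL_THRESHOLD,
    }


def sample_body(method: str, *params) -> str:
    """Constructed sample request body, built with the stdlib marshaller."""
    return xmlrpc.client.dumps(params, methodname=method)


def sample_multicall_body(n: int) -> str:
    """Constructed sample: n wp.getUsersBlogs calls with placeholder credentials."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": ["admin", f"guess-{i}"]}
             for i in range(n)]
    return sample_body("system.multicall", calls)


if __name__ == "__main__":
    print(inspect_xmlrpc_request(sample_body("wp.getUsersBlogs", "admin", "guess-0")))
    print(inspect_xmlrpc_request(sample_multicall_body(4)))
```

On the WordPress side, returning false from the xmlrpc_enabled filter turns the interface off entirely, and the xmlrpc_methods filter can unset system.multicall when the rest of the API is still needed.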
If the username and password are not correct it returns an incorrect password message, like every other function; otherwise it returns a response like this
Now let’s combine multicall and the wp.uploadFile function and try it out.
And yes, using XML-RPC we can simply pingback other servers with a simple POST request like this.