documentation/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.md from rapid7/metasploit-framework

documentation/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.md
Summary

Maintainability

Test Coverage

Issues
## Vulnerable Application

  This module attempts to authenticate against a Wordpress-site (via 
  XMLRPC) using username and password combinations indicated by the 
  `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.

### Setup using Docksal

Install [Docksal](https://docksal.io/)

Create a new WordPress installation using `fin project create`

```
fin project create
1. Name your project (lowercase alphanumeric, underscore, and hyphen): msf-wp

2. What would you like to install?
  PHP based
    1.  Drupal 8
    2.  Drupal 8 (Composer Version)
    3.  Drupal 7
    4.  Wordpress
    5.  Magento
    6.  Laravel
    7.  Symfony Skeleton
    8.  Symfony WebApp
    9.  Grav CMS
    10. Backdrop CMS

  Go based
    11. Hugo

  JS based
    12. Gatsby JS
    13. Angular

  HTML
    14. Static HTML site

Enter your choice (1-14): 4

Project folder:   /home/weh/dev/msf-wp
Project software: Wordpress
Project URL:      http://msf-wp.docksal

Do you wish to proceed? [y/n]: y
Cloning repository...
Cloning into 'msf-wp'...
...
3. Installing site
 Step 1  Initializing stack...
Removing containers...
...
Starting services...
Creating network "msf-wp_default" with the default driver
Creating volume "msf-wp_cli_home" with default driver
Creating volume "msf-wp_project_root" with local driver
Creating volume "msf-wp_db_data" with default driver
Creating msf-wp_db_1  ... done
Creating msf-wp_cli_1 ... done
Creating msf-wp_web_1 ... done
Connected vhost-proxy to "msf-wp_default" network.
Waiting for project stack to become ready...
 Step 2  Initializing site...
 Step 2  Generating wp-config.php...
Success: Generated 'wp-config.php' file.
 Step 3  Installing site...
msmtp: envelope-from address is missing
Success: WordPress installed successfully.

Open http://msf-wp.docksal in your browser to verify the setup.
Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin  
 DONE!  Completed all initialization steps.
```

## Verification Steps

1. Do: ```use auxiliary/scanner/http/wordpress_xmlrpc_login```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set VHOST [HOSTNAME]```
4. Do: ```set USERNAME [user]```
5. Do: ```set PASSWORD [pass]```
6. Do: ```run```

## Options

**USERNAME**

A specific username to authenticate as

**USER_FILE**

File containing usernames, one per line

**PASSWORD**

A specific password to authenticate with

**PASS_FILE**

File containing passwords, one per line

**USERPASS_FILE**

File containing users and passwords separated by space, one pair per line

**USER_AS_PASS**

Try the username as the password for all users (default: `false`)


## Scenarios

### Wordpress 5.2 running in Docksal

Follow the Instructions above to setup the Docksal Containers.

```
msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login 
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal
RHOST => msf-wp.docksal
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set VHOST msf-wp.docksal
VHOST => msf-wp.docksal
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin
USERNAME => admin
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin
PASSWORD => admin
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run

[*] 192.168.64.100:80    :/xmlrpc.php - Sending Hello...
[+] 192.168.64.100:80 - XMLRPC enabled, Hello message received!
[*] Starting XML-RPC login sweep...
[+] 192.168.64.100:80 - Success: 'admin:admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 

```


### Wordpress 5.2 with disabled or protected XMLRPC

You may see this message also, if you forgot to set the `VHOST` option.


```
msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login 
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal
RHOST => msf-wp.docksal
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin
USERNAME => admin
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin
PASSWORD => admin
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run

[*] 192.168.64.100:80    :/xmlrpc.php - Sending Hello...
[-] XMLRPC is not enabled! Aborting
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 

```