
🧠 XML-RPC Open, phpinfo() Public — But They Came to Hire from My College 💀

3 min read · Jun 15, 2025

“I was only doing recon, but the server said… brother, take everything.”
— A bored student who just wanted coffee, not credentials

So here’s a story from a lazy afternoon. I wasn’t looking to hack NASA or crack some zero-day. Just chilling, sipping coffee, and casually scanning websites like a bored ethical hacker.

Suddenly I land on a tech company’s site.

One that, by the way, recently came to my college for placements.
Roles: Frontend Developer and Software Quality Analyst.
Irony: The site had zero frontend protection and questionable software quality.

🎯 The Discovery

☕ Step 1: Hello XML-RPC, My Old Friend

curl -X POST https://<redacted>/xmlrpc.php \
-H "Content-Type: text/xml" \
--data '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>'

📬 Response:

<string>Hello!</string>

The server sent me a welcome message.
Server be like: “Hello, kid, XML-RPC is running, tell me what you want done.”

📚 Step 2: system.listMethods — God, How Many Methods?

Ran:

curl -X POST https://<redacted>/xmlrpc.php \
-H "Content-Type: text/xml" \
--data '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'

Server dumped 70+ methods like it was Big Bazaar’s year-end sale.

You name it —
metaWeblog.getUsersBlogs,
pingback.ping,
wp.uploadFile,
wp.newPost,
wp.deletePost...

The server turned out to be quite generous. Even ChatGPT doesn’t give this many options 😭

🚪 Step 3: Brute Force? Sure, Come In Sir

curl -X POST https://<redacted>/xmlrpc.php \
-H "Content-Type: text/xml" \
--data '<?xml version="1.0"?>
<methodCall>
<methodName>metaWeblog.getUsersBlogs</methodName>
<params>
<param><value><string>admin</string></value></param>
<param><value><string>wrongpassword</string></value></param>
</params>
</methodCall>'

📬 Response:

<faultString>Incorrect username or password.</faultString>

So it validates usernames and passwords, and answers every single attempt.
No rate limit.
No WAF.
No CAPTCHA.
No shame.

It’s as if the server is saying: “Go ahead and try 10,000 times, we won’t even look.”
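The three probes above, scripted the way you would for an audit of your own site. This is an added Python example, not the author’s code: it builds the same request bodies the curl commands send using the standard library’s xmlrpc.client, decodes the success and fault responses quoted above, and flags which of the advertised methods are the ones the post calls out. The response bodies below are constructed to match the quoted ones (no live server is contacted); the faultCode 403 and the extra wp.getUsersBlogs entry come from WordPress’s documented behaviour, not from the post.

```python
import xmlrpc.client

# Methods named in the post, with the reason each one matters to a site owner.
# wp.getUsersBlogs is a real WordPress method added here because it behaves
# like metaWeblog.getUsersBlogs (it also checks credentials).
RISKY_METHODS = {
    "metaWeblog.getUsersBlogs": "validates credentials, so it doubles as a password-guessing oracle",
    "wp.getUsersBlogs": "validates credentials, so it doubles as a password-guessing oracle",
    "pingback.ping": "makes the server fetch a URL the caller supplies (SSRF / DDoS reflection)",
    "wp.uploadFile": "file upload once credentials are guessed",
    "wp.newPost": "content creation once credentials are guessed",
    "wp.deletePost": "content deletion once credentials are guessed",
}

# Constructed responses shaped like the ones quoted in the post (no live server).
SAMPLE_HELLO_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><string>Hello!</string></value></param></params></methodResponse>"""

SAMPLE_LIST_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>demo.sayHello</string></value>
<value><string>metaWeblog.getUsersBlogs</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.uploadFile</string></value>
<value><string>wp.newPost</string></value>
<value><string>wp.deletePost</string></value>
</data></array></value></param></params></methodResponse>"""

# faultCode 403 is what WordPress returns for a bad login (assumption from WordPress
# behaviour, not from the post); the faultString is the one quoted in the post.
SAMPLE_FAULT_RESPONSE = """<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""


def build_request(method: str, *params) -> str:
    """Serialise a <methodCall> body, equivalent to the --data strings in the curl commands."""
    return xmlrpc.client.dumps(params, methodname=method)


def parse_response(body: str) -> dict:
    """Decode a <methodResponse>. Faults come back as a dict instead of an exception."""
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return {"fault": fault.faultCode, "message": fault.faultString}
    return {"value": params[0] if len(params) == 1 else list(params)}


def audit_methods(list_methods_body: str) -> dict:
    """Given a system.listMethods response, return the risky methods it advertises."""
    result = parse_response(list_methods_body)
    if "fault" in result:
        return {}
    advertised = set(result["value"])
    return {name: why for name, why in RISKY_METHODS.items() if name in advertised}


if __name__ == "__main__":
    print(build_request("system.listMethods"))
    print(parse_response(SAMPLE_HELLO_RESPONSE))
    print(parse_response(SAMPLE_FAULT_RESPONSE))
    for name, why in audit_methods(SAMPLE_LIST_RESPONSE).items():
        print(f"exposed: {name:28} {why}")
```

Point `build_request` output at your own xmlrpc.php with any HTTP client and feed the body you get back to `audit_methods`; an empty result, or a transport-level 403, is what a site that has followed the suggestions further down should return.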

📂 Bonus: Index of /wp-content/uploads/

Guess what? Publicly open. Like a locker room with no lock.
PDFs, resumes, images… just no .aadhaar file.

🔬 /test.php — Full phpinfo() Leak

I hit:

https://<redacted>//test.php

And boom — the full PHP configuration dumped onto my screen.
Loaded extensions, server paths, environment variables.

Server: “Brother, take it. I have nothing to hide.”

⚠️ Real Risks

  • Brute Force — Unprotected XML-RPC lets anyone guess passwords unthrottled
  • SSRF/DDoS — pingback.ping can be abused to make the server request other hosts
  • File Exposure — Directory listing on uploads
  • Server Disclosure — phpinfo() leaks sensitive config

🛠 Suggestions (For Any QA Dev Reading This 👀)

  • 🔥 Disable XML-RPC if not in use
  • ❌ Delete/Restrict test.php
  • 📂 Turn off directory listings via .htaccess
  • 🔒 Add WAF, rate-limiting, monitoring
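The “monitoring” suggestion in concrete form. This is an added Python example, not the author’s code or tooling: it parses web-server access-log lines in the common “combined” format and applies two checks for the findings in this post, a sliding-window count of POSTs to xmlrpc.php per client IP (each POST can carry one login guess, and a wrong guess still gets HTTP 200, so volume is the only signal in the access log) and successful GETs of the bare uploads directory or /test.php. The log lines are constructed for the example; the 5-in-60-seconds threshold is an assumption to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in the "combined" format (not real traffic):
# a quick burst of xmlrpc.php POSTs from one client, a directory-listing hit and
# a phpinfo probe from another, and a single xmlrpc.php POST that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2025:14:02:01 +0530] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.5.0"
203.0.113.5 - - [15/Jun/2025:14:02:02 +0530] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.5.0"
203.0.113.5 - - [15/Jun/2025:14:02:03 +0530] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.5.0"
203.0.113.5 - - [15/Jun/2025:14:02:04 +0530] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.5.0"
203.0.113.5 - - [15/Jun/2025:14:02:05 +0530] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.5.0"
203.0.113.5 - - [15/Jun/2025:14:02:06 +0530] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/8.5.0"
198.51.100.9 - - [15/Jun/2025:14:05:10 +0530] "GET /wp-content/uploads/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jun/2025:14:05:12 +0530] "GET /test.php HTTP/1.1" 200 65000 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Jun/2025:14:06:00 +0530] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "WordPress/6.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text: str) -> list:
    """Turn combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # drop any query string
            "status": int(m["status"]),
        })
    return entries


def xmlrpc_bursts(entries: list, threshold: int = 5,
                  window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {ip: peak_count} for clients that POSTed to xmlrpc.php at least
    `threshold` times inside any `window`. Status codes are ignored on purpose:
    a rejected login is still answered with HTTP 200."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].endswith("/xmlrpc.php"):
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def exposure_hits(entries: list) -> list:
    """Return (ip, path) for successful GETs of the paths the post found open:
    a 200 on the bare uploads directory means listing is still on, a 200 on
    /test.php means phpinfo() is still reachable."""
    hits = []
    for e in entries:
        if e["status"] != 200 or e["method"] != "GET":
            continue
        if e["path"] == "/test.php" or e["path"].endswith("/wp-content/uploads/"):
            hits.append((e["ip"], e["path"]))
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("xmlrpc bursts:", xmlrpc_bursts(entries))
    print("exposed paths:", exposure_hits(entries))
```

Once test.php is deleted and directory listing is off, `exposure_hits` should only ever see 403/404 for those paths and return nothing; `xmlrpc_bursts` is the check that stays useful if XML-RPC has to remain on for a plugin, since it tells you whether the rate limit in front of it is actually being hit.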

🤯 The Twist?

This company came to my college to hire for “Software Quality Analyst” roles.

Imagine sitting in their HR round like:

Interviewer: “Tell me about quality assurance.”
Me: “Sir, I’ve seen your XML-RPC. We both know there’s no assurance there.”

💀

😇 Closing Note

I didn’t touch anything. Didn’t access, exploit, or modify any data.
Just looked, laughed, and reported it ethically.

📬 Wanna chat bug bounty, automation, or the philosophical depth of “index of/”?
Hit me up on LinkedIn.


Written by AIwolfie

Cybersecurity enthusiast ☕ | Ethical hacker | Bug bounty hunter | Sharing insights on vulnerabilities to help make the web a safer place.
