
🧠 XML-RPC Open, phpinfo() Public — But They Came to Hire from My College 💀

"I was only doing recon, but the server said… brother, take everything."
— A bored student who just wanted coffee, not credentials

So here's a story from a lazy afternoon. I wasn't looking to hack NASA or crack some zero‑day. Just chilling, sipping coffee, and casually scanning websites like a bored ethical hacker.

Suddenly I land on a tech company's site. One that, by the way, recently came to my college for placements. Roles: Frontend Developer and Software Quality Analyst. Irony: The site had zero frontend protection and questionable software quality.

🎯 The Discovery

☕ Step 1: Hello XML‑RPC, My Old Friend

curl -X POST https://<redacted>/xmlrpc.php \
  -H "Content-Type: text/xml" \
  --data '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>'

📬 Response:

<string>Hello!</string>

The server sent me a welcome message. Server be like: "Namaste kid, XML‑RPC is up and running, tell me what you want to do?"

📚 Step 2: system.listMethods — I Swear to God, How Many Methods?

curl -X POST https://<redacted>/xmlrpc.php \
  -H "Content-Type: text/xml" \
  --data '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'

Server dumped 70+ methods like it was Big Bazaar's year‑end sale.

You name it — metaWeblog.getUsersBlogs, pingback.ping, wp.uploadFile, wp.newPost, wp.deletePost

The server turned out to be quite generous. Even ChatGPT doesn't give this many options 😭

🚪 Step 3: Brute Force? Sure, Come In Sir

curl -X POST https://<redacted>/xmlrpc.php \
  -H "Content-Type: text/xml" \
  --data '<?xml version="1.0"?>
<methodCall>
  <methodName>metaWeblog.getUsersBlogs</methodName>
  <params>
    <param><value><string>admin</string></value></param>
    <param><value><string>wrongpassword</string></value></param>
  </params>
</methodCall>'

📬 Response:

<faultString>Incorrect username or password.</faultString>

So it is validating usernames/passwords silently. No rate limit. No WAF. No CAPTCHA. No shame.

In effect they're saying: "Brother, go ahead and try 10,000 times, we won't even look."

📂 Bonus: Index of /wp‑content/uploads/

Guess what? Publicly open. Like a locker room with no lock. PDFs, resumes, images… the only thing missing was the .aadhaar file.

🔬 /test.php — Full phpinfo() Leak

I hit:

https://<redacted>//test.php

And boom — full PHP configuration dumped on my screen. Loaded extensions, server paths, environment variables.

Server: "Brother, take it all. I've got nothing to hide."

⚠️ Real Risks

  • Brute Force — Unprotected XML‑RPC allows stealth attacks
  • SSRF/DDoS — pingback.ping can be abused
  • File Exposure — Directory listing on uploads
  • Server Disclosure — phpinfo() leaks sensitive config

🛠 Suggestions (For Any QA Dev Reading This 👀)

  • 🔥 Disable XML‑RPC if not in use
  • ❌ Delete/Restrict test.php
  • 📂 Turn off directory listings via .htaccess
  • 🔒 Add WAF, rate‑limiting, monitoring
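Here is what the first and last of those suggestions look like as a WordPress must-use plugin. This is an added example, not code from the original post or from the company's site; the file name, the HARDEN_* constants and harden_fail_key() are my own names, and it assumes REMOTE_ADDR is the real client address (no reverse proxy in front). One caveat worth knowing: the xmlrpc_enabled filter only guards methods that take credentials, so system.listMethods and pingback.ping keep answering unless you remove them too.

```php
<?php
/**
 * Plugin Name: Example XML-RPC hardening (mu-plugin)
 * Drop into wp-content/mu-plugins/ (assumed path). Assumes REMOTE_ADDR
 * is the real client IP; behind a proxy use the forwarded address instead.
 */

// 1. Site does not use XML-RPC at all: refuse the credential-taking methods
//    (metaWeblog.getUsersBlogs, wp.newPost, ...). This filter is only checked
//    inside login(), so unauthenticated methods still run; see step 2.
//    If XML-RPC is actually needed (mobile app, Jetpack), drop this line and
//    rely on the throttle in step 3.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Strip the self-describing and pingback methods the recon above exposed.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    foreach ( array( 'pingback.ping', 'pingback.extensions.getPingbacks',
                     'system.listMethods', 'system.multicall' ) as $name ) {
        unset( $methods[ $name ] );
    }
    return $methods;
} );

// 3. Per-IP failed-login throttle. wp_login_failed fires for XML-RPC logins
//    and wp-login.php alike, so one counter covers both entry points.
const HARDEN_MAX_FAILS = 5;    // failures allowed ...
const HARDEN_WINDOW    = 900;  // ... per 15-minute window (transient TTL)

function harden_fail_key() {
    return 'harden_fails_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

add_action( 'wp_login_failed', function () {
    $key = harden_fail_key();
    set_transient( $key, (int) get_transient( $key ) + 1, HARDEN_WINDOW );
} );

// Priority 30: runs after core's username/password handlers (priority 20),
// so a correct password cannot override an active lockout.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( harden_fail_key() ) >= HARDEN_MAX_FAILS ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed logins from this address. Try again later.' ) );
    }
    return $user;
}, 30, 1 );
```

Disabling XML-RPC here still leaves xmlrpc.php reachable; for a hard block, deny the file at the web server (the same .htaccess that gets Options -Indexes and the test.php removal).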

🤯 The Twist?

This company came to my college to hire for "Software Quality Analyst" roles.

Imagine sitting in their HR round like:

Interviewer: "Tell me about quality assurance."
Me: "Sir, I've seen your XML‑RPC. We both know there's no assurance there." 💀

😇 Closing Note

I didn't touch anything. Didn't access, exploit, or modify any data. Just looked, laughed, and reported it ethically.

— AIwolfie

XML-RPC phpinfo Recon Cybersecurity Bug Bounty