topic Re: XML-RPC PHP Command Execution in Network Security

XML-RPC PHP Command Execution

darin.marais — Sun, 10 Mar 2019 09:35:31 GMT

The follow captured packet is said to have caused the signature called “XML-RPC PHP Command Execution” (SIGID: 3254 SubSig: 0) to trigger

..~...........E..$..@.=....C....'O....QxE..+.UP....j....<?xml version="1.0"?>..<methodCall>..<methodName>test.method..</methodName>..<params>..<param>..<value><name>','')); echo ..'______BEGIN______'; ..passthru('id'); ..echo ..'_____FIM_____';..exit;/*</name></value>..</param>..</params>..</methodCall>....{.

The signature looks for 2 criteria before sending the alert to the console.

HeaderRegex:

[Cc][Oo][Nn][Tt][Ee][Nn][Tt][-][Tt][Yy][Pp][Ee][:]\x20?([Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn]|[Tt][Ee][Xx][Tt])[/\\][Xx][Mm][Ll]

RequestRegex:

[^\x5c]['][);\x0a\x0d\x20]+([Ee][Cc][Hh][Oo]|[Ss][Yy][Ss][Tt][Ee][Mm])

I am looking for the part in the triggered packet that has caused the event to trigger.

Could someone from the list please point out which part in the trigged packet caused the event?

Re: XML-RPC PHP Command Execution

darin.marais — Tue, 23 Aug 2005 12:39:39 GMT

this signature triggers often when the header contains the following

"tent-Type: application/xml..Content-Length: 250..Via: 1.1 annaka"

but the regular expression looks for more behond the word application. can you confirm that there are no false postives from this signature..??

thanks in advance

Re: XML-RPC PHP Command Execution

jdal — Tue, 23 Aug 2005 15:15:25 GMT

Hi Darin,

This signature is indeed firing because the following part is included into the XML file being posted:

','')); echo ..'______BEGIN______';

I'm not too sure if this is legitimate or not in your case, but that definitely looks like a code injection!

It is indeed pretty similar to the exploits related to this vulnerability:

http://www.securityfocus.com/bid/14088/exploit