XML-RPC PHP Command Execution

darin.marais
Level 4

The following captured packet is said to have caused the signature called “XML-RPC PHP Command Execution” (SIGID: 3254 SubSig: 0) to trigger

..~...........E..$..@.=....C....'O....QxE..+.UP....j....<?xml version="1.0"?>..<methodCall>..<methodName>test.method..</methodName>..<params>..<param>..<value><name>','')); echo ..'______BEGIN______'; ..passthru('id'); ..echo ..'_____FIM_____';..exit;/*</name></value>..</param>..</params>..</methodCall>....{.

The signature looks for 2 criteria before sending the alert to the console.

HeaderRegex:

[Cc][Oo][Nn][Tt][Ee][Nn][Tt][-][Tt][Yy][Pp][Ee][:]\x20?([Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn]|[Tt][Ee][Xx][Tt])[/\\][Xx][Mm][Ll]

RequestRegex:

[^\x5c]['][);\x0a\x0d\x20]+([Ee][Cc][Hh][Oo]|[Ss][Yy][Ss][Tt][Ee][Mm])

I am looking for the part in the triggered packet that has caused the event to trigger.

Could someone from the list please point out which part in the triggered packet caused the event?

2 Replies

darin.marais
Level 4

This signature triggers often when the header contains the following

"tent-Type: application/xml..Content-Length: 250..Via: 1.1 annaka"

but the regular expression looks for more beyond the word application. Can you confirm that there are no false positives from this signature?

thanks in advance

jdal
Cisco Employee

Hi Darin,

This signature is indeed firing because the following part is included into the XML file being posted:

','')); echo ..'______BEGIN______';

I'm not too sure if this is legitimate or not in your case, but that definitely looks like a code injection!

It is indeed pretty similar to the exploits related to this vulnerability:

http://www.securityfocus.com/bid/14088/exploit

JF
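As an added illustration (not part of the thread, and not Cisco's signature engine), the Python script below runs the two regexes quoted in the question over a reconstructed copy of the captured request and returns the exact bytes each half matched. It also checks a benign XML-RPC call, the same payload with a non-XML Content-Type, and an XML string containing an apostrophe followed by the word "echo", which is the kind of input darin's false-positive question is about. The request line, the Host header, and reading each ".." in the packet dump as a CRLF are assumptions.

```python
import re

# Both regexes copied verbatim from the signature description in the thread.
HEADER_REGEX = re.compile(
    r"[Cc][Oo][Nn][Tt][Ee][Nn][Tt][-][Tt][Yy][Pp][Ee][:]\x20?"
    r"([Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn]|[Tt][Ee][Xx][Tt])[/\\][Xx][Mm][Ll]"
)
REQUEST_REGEX = re.compile(
    r"[^\x5c]['][);\x0a\x0d\x20]+([Ee][Cc][Hh][Oo]|[Ss][Yy][Ss][Tt][Ee][Mm])"
)

# Body reconstructed from the captured packet; every ".." in the dump is
# taken to be a CRLF (an assumption: the dump hides non-printable bytes).
CAPTURED_BODY = (
    '<?xml version="1.0"?>\r\n'
    "<methodCall>\r\n"
    "<methodName>test.method\r\n</methodName>\r\n"
    "<params>\r\n<param>\r\n"
    "<value><name>','')); echo \r\n'______BEGIN______'; \r\n"
    "passthru('id'); \r\necho \r\n'_____FIM_____';\r\nexit;/*</name></value>\r\n"
    "</param>\r\n</params>\r\n</methodCall>\r\n"
)

# Constructed comparison bodies (not from the thread).
BENIGN_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>demo.ping</methodName>'
    "<params><param><value><string>hello</string></value></param></params></methodCall>"
)
PROSE_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>blog.post</methodName>'
    "<params><param><value><string>the speakers' echo was loud</string></value>"
    "</param></params></methodCall>"
)


def build_request(content_type, body):
    """Assemble a constructed HTTP POST. The request line and Host header are
    assumptions; the Content-Type/Content-Length/Via headers mirror the
    fragment darin quoted from the triggering traffic."""
    headers = (
        "POST /xmlrpc.php HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Via: 1.1 annaka\r\n"
    )
    return headers + "\r\n" + body


def evaluate_signature(request):
    """Apply the two criteria the thread describes: the alert needs BOTH the
    header regex and the request regex to match. The header regex is run over
    the header block only and the request regex over the whole request; that
    split is an assumption about the engine, not something the thread states.
    Returns the matched text so the reader can see which bytes tripped each half."""
    head, _, _ = request.partition("\r\n\r\n")
    h = HEADER_REGEX.search(head)
    r = REQUEST_REGEX.search(request)
    return {
        "header_match": h.group(0) if h else None,
        "request_match": r.group(0) if r else None,
        "fires": bool(h and r),
    }


if __name__ == "__main__":
    cases = [
        ("captured packet", build_request("application/xml", CAPTURED_BODY)),
        ("benign XML-RPC call", build_request("application/xml", BENIGN_BODY)),
        ("same payload, text/plain", build_request("text/plain", CAPTURED_BODY)),
        ("apostrophe before 'echo' in prose", build_request("text/xml", PROSE_BODY)),
    ]
    for label, req in cases:
        print(f"{label}: {evaluate_signature(req)}")
```

For the captured packet the request regex matches `'')); echo`, i.e. the quote that closes the PHP string, the parentheses and semicolon that end the statement, and the `echo` keyword, which is the fragment jdal points at. The last case shows why the question about false positives is reasonable: the request regex only needs an apostrophe, some whitespace or `)`/`;`, and the word `echo` or `system`, so ordinary text such as `speakers' echo` inside an `application/xml` or `text/xml` body satisfies both criteria and would fire the signature as written.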
