Security Advisories (1)
CVE-2015-8978 (2015-07-21)

An example attack (the "billion laughs" pattern) defines ten XML entities, each consisting of ten copies of the previous entity, and a document body that contains a single reference to the largest entity; that one reference expands to 10^9 copies of the first entity. The payload itself is under a kilobyte, but the memory needed to handle such an incoming SOAP call would likely exceed what is available to the process parsing the XML.
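The following Python example is added here to illustrate the advisory; it is not code from SOAP::Lite or XMLRPCsh.pl. It builds the nested-entity payload described above, computes an upper bound on its expanded size from the DTD alone (without performing the expansion), and refuses to hand an oversized document to a parser. The entity names, the size limit, and the helper functions are constructed for illustration; the check assumes a simple internal DTD subset with double-quoted entity values.

```python
import re
import xml.parsers.expat

# Constructed example: entity names "e1".."eN", base text "lol" and the limits
# below are illustrative, not taken from the advisory or from SOAP::Lite.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')


def billion_laughs(levels=10, fanout=10, base="lol"):
    """Build the document the advisory describes: `levels` internal entities,
    each made of `fanout` references to the previous one, and a body holding a
    single reference to the largest entity."""
    decls = ['<!ENTITY e1 "%s">' % base]
    for i in range(2, levels + 1):
        decls.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE x [\n'
            + "\n".join(decls)
            + '\n]>\n<x>&e%d;</x>\n' % levels)


def expansion_size(xml_text):
    """Upper bound on the number of characters the body occupies once every
    internal general entity is substituted. Computed from the declarations
    with memoisation, so it costs O(number of declarations), not O(output)."""
    dtd_end = xml_text.find("]>")
    if dtd_end == -1:
        dtd, body = "", xml_text
    else:
        dtd, body = xml_text[:dtd_end], xml_text[dtd_end + 2:]
    defs = dict(ENTITY_DECL.findall(dtd))
    memo = {}

    def expanded(text, stack):
        total, pos = 0, 0
        for m in ENTITY_REF.finditer(text):
            total += m.start() - pos
            total += entity(m.group(1), stack)
            pos = m.end()
        return total + len(text) - pos

    def entity(name, stack):
        if name in stack:
            # Recursive entities are not well-formed XML; bail out rather than loop.
            raise ValueError("recursive entity &%s;" % name)
        if name not in defs:
            # Undefined or predefined (&lt; &amp; ...): count the reference as
            # written, which is a conservative over-estimate.
            return len(name) + 2
        if name not in memo:
            memo[name] = expanded(defs[name], stack + (name,))
        return memo[name]

    return expanded(body, ())


def is_safe(xml_text, max_expansion=1_000_000):
    """True if the estimated expansion fits the (illustrative) budget."""
    return expansion_size(xml_text) <= max_expansion


def parse_if_safe(xml_text, max_expansion=1_000_000):
    """Run the size check first, then parse with expat and return the text
    content of the document element (entities expanded by the parser)."""
    if not is_safe(xml_text, max_expansion):
        raise ValueError("refusing to parse: entities expand to %d characters, limit %d"
                         % (expansion_size(xml_text), max_expansion))
    parser = xml.parsers.expat.ParserCreate()
    depth = 0
    chunks = []

    def start(name, attrs):
        nonlocal depth
        depth += 1

    def end(name):
        nonlocal depth
        depth -= 1

    def data(text):
        if depth > 0:            # ignore whitespace outside the root element
            chunks.append(text)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = data
    parser.Parse(xml_text, True)
    return "".join(chunks)


if __name__ == "__main__":
    small = billion_laughs(levels=3, fanout=10)      # expands to 300 copies of "lol"
    print(len(small), "bytes on the wire ->", expansion_size(small), "chars expanded")
    print(parse_if_safe(small)[:12], "...")
    big = billion_laughs()                           # the advisory's 10 x 10 case
    print(len(big), "bytes on the wire ->", expansion_size(big), "chars expanded")
    print("safe to parse:", is_safe(big))
```

With the defaults the payload is a few hundred bytes on the wire but is estimated at roughly 3 x 10^9 characters after expansion, so `is_safe` rejects it before any parser allocates memory. The estimate is deliberately an upper bound; the robust fix remains configuring the XML parser not to expand internal entities (or to cap their expansion), with a pre-parse bound like this one as defence in depth in front of it.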

NAME

XMLRPCsh.pl - Interactive shell for XMLRPC calls

SYNOPSIS

perl XMLRPCsh.pl http://betty.userland.com/RPC2 
> examples.getStateName(2)
> examples.getStateNames(1,2,3,7)
> examples.getStateList([1,9])
> examples.getStateStruct({a=>1, b=>24})
> Ctrl-D (Ctrl-Z on Windows)

or

# all parameters after uri will be executed as methods
perl XMLRPCsh.pl http://betty.userland.com/RPC2 examples.getStateName(2)
> Ctrl-D (Ctrl-Z on Windows)

DESCRIPTION

XMLRPCsh.pl is a shell for making XMLRPC calls. It takes one required parameter, the endpoint URI (run it without one and it will tell you so). Additional commands can follow on the command line.

After that you'll be able to run any method of XMLRPC::Lite, such as autotype, readable, etc., the same way you would call it in a Perl script. For each call you'll see the output of the method, the result of the XMLRPC call, and detailed information on any XMLRPC failure or transport error.

For full list of available methods see documentation for XMLRPC::Lite.

Along with the methods of XMLRPC::Lite you'll be able (and this is much more interesting) to run any XMLRPC method you know about on the remote server and see the processed results. You can even switch on debugging (with a call like on_debug(sub{print@_})) and see the XMLRPC payloads, with headers, as sent and received.

COPYRIGHT

Copyright (C) 2000 Paul Kulchenko. All rights reserved.

AUTHOR

Paul Kulchenko (paulclinger@yahoo.com)