class Wpxf::Payload

The base class for all payloads.

Attributes

queued_commands[RW]

@return [Array] the commands queued to be executed on the target.

raw[RW]

@return the payload in its raw format.

Public Class Methods

new() click to toggle source
Calls superclass method Wpxf::Options::new
# File lib/wpxf/core/payload.rb, line 10
# Set up a new payload: run the superclass initialiser, register the
# options shared by every payload and start with an empty command queue.
def initialize
  super

  # 'encode_payload' is required and defaults to true; {#encoded} reads it
  # to decide whether the generated PHP is wrapped in a Base64 decoder.
  encode_option = BooleanOption.new(
    name: 'encode_payload',
    desc: 'Encode the payload to avoid fingerprint detection',
    required: true,
    default: true
  )
  register_options([encode_option])

  self.queued_commands = []
end

Public Instance Methods

check(mod) click to toggle source

Run checks to raise warnings to the user of any issues or noteworthy points in regards to the payload being used with the current module. @param mod [Module] the module using the payload.

# File lib/wpxf/core/payload.rb, line 87
# Hook for raising warnings about using this payload with the given module.
# The base class performs no checks.
#
# @param mod [Module] the module using the payload.
# @return [nil] always, in the base class.
def check(mod)
  # Nothing to verify here; an empty method body evaluates to nil.
end
cleanup() click to toggle source

Clean up any resources allocated to the payload.

# File lib/wpxf/core/payload.rb, line 80
# Hook for releasing resources held by the payload.
# The base class has nothing to release.
#
# @return [nil] always, in the base class.
def cleanup
  # Intentionally empty; an empty method body evaluates to nil.
end
constants() click to toggle source

@return [Hash] a hash of constants that should be injected at the beginning of the payload.
# File lib/wpxf/core/payload.rb, line 93
# Constants to be written at the start of the generated payload
# (consumed by {#php_preamble}). The base class defines none.
#
# @return [Hash] an empty hash in the base class.
def constants
  Hash.new
end
encoded() click to toggle source

@return an encoded version of the payload.

# File lib/wpxf/core/payload.rb, line 26
# Build the final PHP text for the payload.
#
# The raw payload (with its variable names randomised) is either emitted
# directly between PHP tags or, when the 'encode_payload' option is set,
# Base64-encoded and wrapped in a decode-and-eval stub.
#
# Detection note: the random variable names change on every build, but the
# encoded form always carries the same literal wrapper text
# (eval(base64_decode('...'))), which is a stable indicator for
# content scanners and upload filters.
#
# @return [String] the payload as PHP source.
def encoded
  php = _raw_payload_with_random_var_names
  return "<?php #{php} ?>" unless normalized_option_value('encode_payload')

  "<?php eval(base64_decode('#{Base64.strict_encode64(php)}')); ?>"
end
enqueue_command(cmd) click to toggle source

Enqueue a command to be executed on the target system, if the payload supports queued commands. @param cmd [String] the command to execute when the payload is executed.

# File lib/wpxf/core/payload.rb, line 116
# Append a command to the payload's queue.
#
# Nothing is executed here; the command is only stored in
# {#queued_commands} for payloads that support queued commands.
#
# @param cmd [String] the command to queue.
# @return [Array] the queue, including the new command.
def enqueue_command(cmd)
  queued_commands << cmd
end
escape_single_quotes(val) click to toggle source

Helper method to escape single quotes in a string. @param val [String] the string with quotes to escape. @return [String] the string with quotes escaped.

# File lib/wpxf/core/payload.rb, line 38
# Prefix every single quote in a string with a backslash.
#
# NOTE(review): only the quote character is handled. Backslashes already
# present in +val+ are left untouched, so a value ending in a backslash
# would presumably still break out of a PHP single-quoted literal; confirm
# what callers pass in.
#
# @param val [String] the string with quotes to escape.
# @return [String] a new string with each ' replaced by \'.
def escape_single_quotes(val)
  # The hash form inserts the replacement literally, so the backslash is not
  # interpreted as a back-reference.
  val.gsub("'", "'" => "\\'")
end
generate_vars(keys) click to toggle source

Generate a hash of variable names. @param keys [Array] an array of keys. @return [Hash] a hash containing a unique name for each key.

# File lib/wpxf/core/payload.rb, line 51
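# Generate a hash of variable names, one per key.
#
# A candidate from {#random_var_name} is drawn again for as long as it is
# already used as a value, and the candidate that passed the check is the
# one stored. Storing a second, unchecked draw would not guarantee the
# uniqueness this method documents.
#
# @param keys [Array] an array of keys.
# @return [Hash] a hash containing a unique name for each key.
def generate_vars(keys)
  keys.each_with_object({}) do |key, vars|
    candidate = random_var_name
    candidate = random_var_name while vars.value?(candidate)
    vars[key] = candidate
  end
end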
obfuscated_variables() click to toggle source

@return [Array] an array of variable names that should be obfuscated in the payload that is generated.
# File lib/wpxf/core/payload.rb, line 99
# Names of the PHP variables that are renamed when the payload is built.
# The names are listed without the leading "$".
#
# @return [Array<String>] the variable names to replace.
def obfuscated_variables
  %w[
    wpxf_disabled
    wpxf_output
    wpxf_exec
    wpxf_cmd
    wpxf_handle
    wpxf_pipes
    wpxf_fp
  ]
end
php_preamble() click to toggle source

@return [String] the PHP preamble that should be included at the start of all payloads.
# File lib/wpxf/core/payload.rb, line 105
# Build the PHP preamble: the content of the bundled php/preamble.php data
# file followed by one assignment line per entry in {#constants}.
#
# String values are written as single-quoted PHP literals after passing
# through {#escape_single_quotes}; any other value is written via #to_s.
#
# NOTE(review): keys are interpolated as-is after "$", so they are assumed
# to be valid PHP variable names; confirm against subclasses.
#
# @return [String] the PHP preamble that should be included at the
#   start of all payloads.
def php_preamble
  base = DataFile.new('php', 'preamble.php').php_content
  constants.reduce(base) do |text, (name, value)|
    literal = value.is_a?(String) ? "'#{escape_single_quotes(value)}'" : value.to_s
    text + "  $#{name} = #{literal};\n"
  end
end
post_exploit(mod) click to toggle source

Run payload specific post-exploit procedures. @param mod [Module] the module using the payload. @return [Boolean] true if successful.

# File lib/wpxf/core/payload.rb, line 75
# Hook for payload-specific post-exploit procedures. The base class does
# no work and only reports whether a module was supplied.
#
# @param mod [Module] the module using the payload.
# @return [Boolean, nil] true when +mod+ is truthy, otherwise nil.
def post_exploit(mod)
  mod ? true : nil
end
prepare(mod) click to toggle source

Do any pre-exploit setup required by the payload. @param mod [Module] the module using the payload. @return [Boolean] true if successful.

# File lib/wpxf/core/payload.rb, line 68
# Hook for pre-exploit setup required by the payload. The base class does
# no setup and only reports whether a module was supplied.
#
# @param mod [Module] the module using the payload.
# @return [Boolean, nil] true when +mod+ is truthy, otherwise nil.
def prepare(mod)
  return unless mod

  true
end
random_var_name() click to toggle source

Generate a random variable name. @return [String] a random name between 5 and 20 alpha characters.

# File lib/wpxf/core/payload.rb, line 44
# Generate a random variable name.
#
# The length is drawn with Kernel#rand from the inclusive range 5..20 and
# passed to Utility::Text.rand_alpha.
#
# @return [String] a random name between 5 and 20 alpha characters.
def random_var_name
  length = rand(5..20)
  Utility::Text.rand_alpha(length)
end

Private Instance Methods

_raw_payload_with_random_var_names() click to toggle source
# File lib/wpxf/core/payload.rb, line 128
# Join the PHP preamble and the raw payload, then replace every variable
# listed in {#obfuscated_variables} with a name from {#generate_vars}.
#
# Replacement is a plain substring match on "$<name>", applied one
# variable at a time in list order.
#
# @return [String] the payload source with randomised variable names.
def _raw_payload_with_random_var_names
  source = +"#{php_preamble} #{raw}"
  replacements = generate_vars(obfuscated_variables)
  obfuscated_variables.reduce(source) do |php, original|
    php.gsub("$#{original}", "$#{replacements[original]}")
  end
end