Honey, I shrunk the PHP payloads
This release contains more PHP payload improvements from Julien Voisen. Last week we landed a PR from Julien that added a datastore option to the php/base64 encoder that when enabled, will use zlib to compress the payload which significantly reduced the size, bringing a payload of 4040 bytes down to a mere 1617 bytes. This week's release includes a php/minify encoder which removes all unnecessary characters from the payload including comments, empty lines, leading spaces, trailing spaces, spaces after keywords and spaces before block openings. Using the php/minify encoder can take a payload of size 4052 bytes down to 2839 bytes. We'd like to thank Julien for their continued commitment to improving PHP payloads!
New module content (1)
PHP Minify Encoder
Author: Julien Voisin
Type: Encoder
Pull request: #19435 contributed by jvoisin
Path: php/minify
Description: This encoder minifies PHP payloads by removing spaces after keywords and before block openings. It removes comments, empty lines, new lines and leading and trailing spaces.
Enhancements and features (2)
#19368 from h00die-gr3y - This adjusts the exploit/multi/http/geoserver_unauth_rce_cve_2024_36401 to dynamically pull and test the feature_type list to establish an RCE. This will make the module more robust towards installations with different feature_type configurations.
#19401 from jvoisin - Add a mixin to get SPIP version and make use of it.
Bugs fixed (2)
metasploit weekly