The last step of the attack process is to create a backdoor that keeps access to the victim's system. In the previous post I wrote about some Metasploit modules for pentesting web applications. In this article I will show you how to create a web backdoor payload with Metasploit.
Creating a Web backdoor payload with metasploit
In this example I use Damn Vulnerable Web Application (DVWA) running on a server with the IP address 192.168.28.129.
1. Generating a PHP Meterpreter bind payload
First of all, we'll generate a PHP Meterpreter bind payload, which gives us a basic PHP Meterpreter shell. The tool of the trade is msfvenom. Msfvenom is the de-facto tool in the Metasploit framework to create and encode various payloads; it replaces the older msfpayload and msfencode tools and does both jobs in one command. Let us now use the msfvenom command to see everything in action.
A list of payloads available under msfvenom can be viewed with:
msfvenom -l payloads
Metasploit has over 400 payloads. In this example we'll use a payload known as php/meterpreter/bind_tcp, which listens on a pre-specified port on the compromised server and returns a Meterpreter shell once our handler connects to that port. Because it is a bind payload, that port must be reachable from the attacker's machine; if a firewall blocks inbound connections to the server, the alternative is a reverse payload (php/meterpreter/reverse_tcp), which connects back to us instead.
Now we shall create the mentioned payload in the form of a PHP script.
First we should understand the payload's metadata and the configuration options it exposes. We can use the argument "-p" to select the payload and "--payload-options" to list its configuration options:
msfvenom -p php/meterpreter/bind_tcp --payload-options
This returns a page with all configuration options, payload metadata, and descriptions.
Now we'll generate our payload, setting LPORT to 4000, as follows:
msfvenom -p php/meterpreter/bind_tcp LPORT=4000 > /root/msf/php_backdoor.php
Through any file upload vulnerability (DVWA's File Upload page, for example), we upload the generated php_backdoor.php file to the vulnerable server's webroot or any web-accessible directory inside it. The file must keep a .php extension that the web server hands to the PHP interpreter; otherwise it is returned as plain text instead of being executed.
2. Create a payload handler
The payload handler (exploit/multi/handler) connects to the bind payload, which waits for a connection on the chosen port. We'll use msfconsole and set up a handler with the same payload, the server's address as RHOST and LPORT 4000, so that it establishes the connection with the bind shell when run.
Now let's start the uploaded PHP Meterpreter by requesting it through Apache in a web browser (the request keeps loading while the script listens), and then run the handler with the command "exploit". The result is a Meterpreter session via PHP. You can see the output in the following:
Then we can get a command shell on the victim's system through Meterpreter with the shell command:
3. Create a Linux Meterpreter payload
The PHP-based payload has a problem: the session runs inside a web server request, so it can get terminated after some time, for instance when the web server kills a long-running request or is restarted. To overcome this, we can create a Linux Meterpreter payload in a similar way to the PHP Meterpreter payload above. We'll use the linux/x86/meterpreter/bind_tcp payload and configure it the same way, but change LPORT to 5000, request an ELF executable with -f elf (without a format msfvenom writes raw shellcode bytes, which cannot be run as a program), and save the output as linux_backdoor:
msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=5000 -f elf > /root/msf/linux_backdoor
Upload the Linux payload through the PHP Meterpreter session with its upload command (for example into /tmp, which is normally writable by the web server user):
Send the PHP-based payload's session to the background with the background command:
Reconfigure our handler for linux/x86/meterpreter/bind_tcp on LPORT 5000 and run it as a background job with "exploit -j":
Then move back to our original PHP session (sessions -i <id>), make the uploaded file executable with chmod +x and run it; the handler connects to port 5000 and we get a more stable Linux Meterpreter session: