php payload, metasploit not working (localhost)


Hello, I am using Kali Linux 2.0, so first of all I need to know my localhost address, so "ifconfig"

Then I create a payload with msfvenom:

Without any encoder, just for a test )). Now I need to start the listener; I have started it, then I start Apache: "service apache2 start"

Upload the payload to var/www/html

View the payload on another machine (Windows 7), not VirtualBox or some other virtual machine.... and here is what happened:

It hacked itself (((( Why? What did I do wrong? Why is it hacking the attacker machine? Can anyone help?

Link to comment
Share on other sites

You have this a bit backwards. The PHP code from your original command is trying to connect back to your Kali IP. Kali is the machine you want to both start a listener on and visit the page from. Otherwise you need to change the payload's IP address to the Windows 7 box in order for it to initiate the payload via browser off the Win 7 machine.

View your PHP code in a text editor and look at what it's doing. You need to upload the payload to a vulnerable server and then, on your Kali box, start a listener on port 4444, and it will connect back to you on that port. If you want it to connect to the Windows 7 box, you need to change the script to point to the Windows 7 box's IP, not the Kali box (this can be done manually by editing the PHP file as well), and you need 2 things: 1, open netcat to listen on port 4444 (i.e. nc or ncat), "nc -nlvp 4444", on either the Windows machine (if set in the PHP file) or Kali (which is already set), and then, in a browser, visit the vulnerable site at the PHP page, and it should then connect back to your netcat listener. You'll see it say so in the nc window.

This can be done a few ways, without the need for msf too, depending on the type of shell you want. On some servers (although in Kali we have access to nc and ncat) you won't have access to either nc, ncat, or netcat, so the shell should have multiple tests done to enable access. I personally use a simple shell that takes commands via GET or POST. GET will show all your commands in the server logs though. Anyway, work on the above and test first. Then move on to making your own shells. Look up various execution methods for PHP to use system commands too, as depending on php.ini settings, use of system may be disabled, as well as eval, exec, passthru, and backtick `, etc. Any one of these needs to be enabled, and you have to specify in the payload. I think msf's payload checks through them, but I haven't looked through the output.

Edited by digip
Link to comment
Share on other sites
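Seen from the server owner's side, the php.ini point in the post above can be checked directly. The following is an added example, not part of the original post: it reads a php.ini text and reports which command-execution functions are still callable. The sample ini and the function list are constructed for illustration, and it assumes the last active disable_functions line is the one that applies.

```python
# PHP functions that start an OS command or process. The backtick operator
# follows shell_exec: disabling shell_exec disables backticks as well.
# eval is a language construct, so disable_functions cannot list it.
COMMAND_FUNCTIONS = ("system", "exec", "passthru", "shell_exec",
                     "popen", "proc_open", "pcntl_exec")

# Constructed php.ini fragment, not taken from the thread.
SAMPLE_INI = """\
; constructed sample
[PHP]
engine = On
;disable_functions = system,exec
disable_functions = system, exec , passthru
allow_url_include = Off
"""

def disabled_functions(ini_text):
    """Return the names on the last active disable_functions line (assumed to win)."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.strip()
        # Skip blanks, commented-out directives and section headers.
        if not line or line.startswith(";") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            value = value.split(";", 1)[0].strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled

def audit(ini_text):
    """Map each command-execution function to True when it is still callable."""
    disabled = disabled_functions(ini_text)
    return {name: name not in disabled for name in COMMAND_FUNCTIONS}

def still_enabled(ini_text):
    """List the command-execution functions the ini leaves enabled."""
    return [name for name, enabled in audit(ini_text).items() if enabled]

if __name__ == "__main__":
    for name in still_enabled(SAMPLE_INI):
        print("still callable:", name)
```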


You are saying that I need to change LHOST to (Windows 7 IP), but that's wrong; if it's reverse_tcp I need to put my IP address in LHOST, not the victim's.

No. You'd only specify the windows machine if you ran an exploit against it that required the RHOST setting in the exploit or payload.


This PHP payload is going to call back to on port 4444, which is listening for connections from the server. The web server is going to hand back an open socket to msfconsole (or fail trying if SSL isn't set up and working), and it's going to try and exploit via meterpreter the target system, in this case, the web server "running the payload".

I've gone ahead and run your setup, and from another Windows machine visited it, and it only spawned a shell to the Kali box back to itself, as I suspected. You are running something different than what is in the video. In the video, they choose "use exploit/multi/handler" and then set LHOST and LPORT, then exploit. They never choose a payload like you did. You chose a PHP payload for a reverse_tcp connection from the target, which in this case is the machine running the already created PHP shell file you uploaded.


I get the same results, a shell popped on the web server, as expected.

-- now --

I've tried reproducing what is in the video (which is DIFFERENT than what you have typed in). I did all commands exactly as they have done (aside from my IP and location for Apache, which is /var/www/htdocs) and this is what happens on my end:

msf exploit(handler) > use exploit/multi/handler 
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to
[-] OpenSSL::SSL::SSLError SSL_accept SYSCALL returned=5 errno=0 state=SSLv2/v3 read client hello A
[*] Sending stage (957999 bytes) to
[-] OpenSSL::SSL::SSLError SSL_accept SYSCALL returned=5 errno=0 state=SSLv2/v3 read client hello A


On the access and error logs: - - [04/Sep/2016:15:24:05 -0400] "GET /shell.php HTTP/1.1" 500 185 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2"


An HTTP 500 error.

If you had followed the same thing as the video like I did, I suspect you'll get the same error as well. The first code you posted works (maybe not as you intended though), but the code in the video does not work (at least for me on my Kali setup, which you can see above in the output). I'm not 100% sure how they got theirs to work with no Windows payload chosen, although if you type "show options" after you run the exploit and then Ctrl+C to stop it from running, you'll see this:


msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

There is no target exploit and target RHOST and RPORT, i.e. nothing to exploit your (or my) Windows machine. I'm not fluent with metasploit, but if I am misunderstanding this, someone else chime in. Mubix would be a great person to ask, although I'm not sure how often he visits the forums; you can try and ping him on Twitter with a link to this thread and maybe he can shed some light on it (for both of us), as I don't see how this will do anything to visitors of the PHP reverse_tcp page.


Link to comment
Share on other sites
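The result described in the post above, a shell spawned by the web server itself, leaves a visible trace on that server: the web server process owns an outbound TCP connection. The following is an added example, not part of the original thread, that picks such connections out of `ss -tnp` output; the sample output, addresses, process names and service ports are constructed assumptions.

```python
import re

# Assumed names of web server processes and the ports they legitimately serve.
WEB_PROCESSES = ("apache2", "httpd", "nginx", "php-fpm")
LISTEN_PORTS = {80, 443}

# Constructed `ss -tnp` output using documentation addresses.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      192.0.2.10:80       192.0.2.20:51544   users:(("apache2",pid=812,fd=11))
ESTAB  0      0      192.0.2.10:40112    192.0.2.10:4444    users:(("apache2",pid=815,fd=12))
ESTAB  0      0      192.0.2.10:22       192.0.2.20:50022   users:(("sshd",pid=640,fd=4))
"""

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse(ss_text):
    """Turn established-connection rows into dicts; other rows are skipped."""
    rows = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        match = PROC_RE.search(fields[5])
        if not match:
            continue
        # rsplit keeps bracketed IPv6 addresses intact.
        lhost, lport = fields[3].rsplit(":", 1)
        rhost, rport = fields[4].rsplit(":", 1)
        rows.append({"proc": match.group(1), "pid": int(match.group(2)),
                     "lhost": lhost, "lport": int(lport),
                     "rhost": rhost, "rport": int(rport)})
    return rows

def outbound_from_web_server(ss_text):
    """Connections owned by a web server process whose local port is not a
    service port, i.e. the server initiated them instead of accepting them."""
    return [r for r in parse(ss_text)
            if r["proc"].startswith(WEB_PROCESSES)
            and r["lport"] not in LISTEN_PORTS]

if __name__ == "__main__":
    for r in outbound_from_web_server(SAMPLE_SS):
        print(f'{r["proc"]} (pid {r["pid"]}) -> {r["rhost"]}:{r["rport"]}')
```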

Yeah, I'm not 100% sure how he got access to the Windows machine without a Windows payload, although there is the automatic Windows meterpreter, that I believe is just a listener that handles the SSL connection between the target and the attacker. He also ran the Windows machine from what looked like inside Kali using vbox on Kali, so it's hard to say what exactly that entails and if he showed us everything that was going on behind the scenes, but as of now, I call bunk. If there was a basic Windows flaw before, say, patches, or some other browser flaw in a default Windows install, that would make more sense, but I still don't see a payload selected, which I feel still would need to be done, or some Windows-specific exploit for the OS or its browser in use, such as Internet Explorer* or in his case Firefox.

Edited by digip
Link to comment
Share on other sites

PHP payloads generally attack web servers running PHP, hence "php payload". I'm assuming JSP is a reference to Java EE, which in this case, not sure how that factors in unless it's a Java EE server hosting code that will exploit a Windows or Linux machine.

I think take a step back from this for a sec, and think what is it you want to do? You sound like you want to compromise a Windows and Linux machine. OK, which version of each OS? What vulnerabilities exist within the version you are targeting? Is there specific software, such as a known browser flaw in IE, Firefox or the like, and can you get to a malicious link with these vulnerable programs? There are a whole host of questions and things you can answer for yourself, which I think will put you in a better position to figure this out, as I can't answer the question when I don't know all the info myself, and sounds like neither do you, yet. Draw it on paper, so you can see it, what it is you are trying to do, and how all of these pieces connect, and then what has to take place to make it happen. From there I think you'll figure out what it is you want.

Link to comment
Share on other sites

It depends on what you are trying to do. If you want to test locally, use msfvenom to create an exe and upload it to the Kali web server. Start your msfconsole exploit/multi/handler and then, on YOUR Windows machine, download and run the exe you created with msfvenom. You should get a session almost immediately. From there you need to figure out the rest, such as bypassing UAC, mimikatz for hashes, etc. These are all things you're going to need to read up on. You're not going to learn anything or understand why, when, etc., to do things if we paste command line arguments for you to copy and paste, without knowing why we're using specific commands and output.

This is why I said write it out. Look at it logically, what needs to be done, in steps. Ask yourself, what is your target, do I need a specific architecture exploit or payload, what exploit can the target run and can I get the target to execute it(in your case, run it manually to test for learning purposes), what are my options once I have a session, do I need anything special to escalate privs, what is the purpose of gaining access to this machine in the first place, and what will I do when I have access...

If you want practical walkthrough examples, go to offsec's metasploit wiki. It's free, and can help you with the majority of your questions. Need to have some patience and practice some of this. Also, YouTube and SecurityTube have tons of video examples. Some things are outdated on the web, like msfpayload and msfencode, which are deprecated in favor of msfvenom, or just use msfconsole -x instead of msfcli, so some examples may not be 100% accurate (although they keep things pretty up to date on offsec, usually having old and new syntax up with notes about what has been removed).

Link to comment
Share on other sites
