HP System Management Homepage JustGetSNMPQueue Command Injection without Metasploit

Some days ago we tried to use the “exploit/multi/http/hp_sys_mgmt_exec” Metasploit module on one of our targets. The host was vulnerable but a Meterpreter session was not opened:

After some manual tests we saw that the execution was real and that the Meterpreter stager was blocked by the antivirus. Using the command execution directly was not straightforward because of restricted characters such as the space. We saw that Metasploit uses a PHP wrapper to upload the stager and execute it, so we decided to run commands in the same way. We encoded all the commands using the PHP “chr” function and it worked smoothly.
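On the detection side, commands encoded this way leave long runs of concatenated chr() calls in the web server's request log. The following is an added example, not part of the original post: it finds such chains in log lines and decodes them, assuming decimal chr() arguments; the log lines, path and parameter name are constructed placeholders.

```python
import re
from urllib.parse import unquote

# One PHP chr() call with a decimal argument (assumption: decimal literals only).
CHR_CALL = r"chr\(\s*(\d{1,3})\s*\)"
# Several calls joined by PHP's "." concatenation operator.
CHR_CHAIN = re.compile(rf"{CHR_CALL}(?:\s*\.\s*{CHR_CALL})+", re.IGNORECASE)
MIN_CALLS = 4  # assumption: shorter chains are too noisy to alert on


def decode_chr_chains(line):
    """Return the plaintext hidden in each chr() chain found in a log line."""
    # Requests are usually logged percent-encoded; decode twice for double encoding.
    text = unquote(unquote(line))
    hidden = []
    for chain in CHR_CHAIN.finditer(text):
        codes = re.findall(CHR_CALL, chain.group(0), re.IGNORECASE)
        if len(codes) >= MIN_CALLS:
            # PHP's chr() wraps its argument modulo 256.
            hidden.append("".join(chr(int(c) % 256) for c in codes))
    return hidden


def scan(lines):
    """Yield (line_number, decoded_string) for every suspicious chain."""
    for number, line in enumerate(lines, start=1):
        for plaintext in decode_chr_chains(line):
            yield number, plaintext


# Constructed sample log lines; the path and parameter name are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /placeholder?p=chr(101).chr(99).chr(104).chr(111).chr(32).chr(116).chr(101).chr(115).chr(116) HTTP/1.1" 200 0',
    '192.0.2.66 - - [01/Jan/2024:10:00:09 +0000] "GET /placeholder?p=chr%28105%29.chr%28100%29.chr%2832%29.chr%2845%29.chr%28117%29 HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /doc?fn=chr(65) HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, plaintext in scan(SAMPLE_LOG):
        print(f"line {number}: chr() chain decodes to {plaintext!r}")
```

The decoded string is what belongs in the alert, since it shows the analyst the command that the encoding was hiding.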

Where XXXX is: