webshell/php/phpkit-0.2a

 /$$$$$$$  /$$   /$$ /$$$$$$$  /$$       /$$   /$$    
| $$__  $$| $$  | $$| $$__  $$| $$      |__/  | $$    
| $$  \ $$| $$  | $$| $$  \ $$| $$   /$$ /$$ /$$$$$$  
| $$$$$$$/| $$$$$$$$| $$$$$$$/| $$  /$$/| $$|_  $$_/  
| $$____/ | $$__  $$| $$____/ | $$$$$$/ | $$  | $$    
| $$      | $$  | $$| $$      | $$_  $$ | $$  | $$ /$$
| $$      | $$  | $$| $$      | $$ \  $$| $$  |  $$$$/
|__/      |__/  |__/|__/      |__/  \__/|__/   \____/

phpkit-0.2a

Stealth PHP Backdooring Utility - Insecurety Research 2013

This is a simple kit to demonstrate a very effective way of
backdooring a webserver running PHP.
Essentially, it functions by parsing out any valid PHP code
from raw HTTP POST data sent to it, and executing said PHP.

No eval() or other suspect calls are in the serverside script,
the code is executed by the include() function. The php://input
data stream (which is basically "anything sent via raw POST) is
used to "capture" the raw POST data, and when parsed by include()
the code sent is executed.

This allows for many things to be done, i.e. executing any PHP 
code you happen to write. The example client, phpkit.py, simply
gives a "shell prompt" (non interactive, each command is executed
in a new "context") on the victim server. It is trivial to write
pretty much anything.

This release includes a massively overhauled backdoor client, it
tests various execution functions against the victim host before
using whatever one works first. It is massively ugly code, but
I intend to clean it up soonish.

This release also includes a basic file uploader :)

USAGE (backdoor part):
You upload "odd.php" to the target webserver by any means necessary.
You then run ./phpkit.py <url to php file on server> and enjoy!

Example Use:
[infodox@sahara:~/phpkit]$ ./phpkit.py http://localhost/odd.php

[+] URL in use: http://localhost/odd.php 

[+] Testing system function
[+] system() function works
shell:~$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

shell:~$ uname -a
Linux sahara 3.2.0-4-amd64 #1 SMP Debian 3.2.32-1 x86_64 GNU/Linux

USAGE (file uploader part):
This assumes "odd.php" is loaded onto the victim webserver, obviously.
You run ./upload.py <url to odd.php> <file to upload> <remote path>
Only works if remote path is writeable. /tmp/ is always good :)

Example Use:
[infodox@sahara:~/phpkit]$ python upload.py http://localhost/odd.php /etc/passwd /tmp/pass
[+] Uploading File
[+] Upload should be complete

So the file uploaded, now I compare MD5sums to check did it bloody well work!
[infodox@sahara:~/phpkit]$ md5sum /etc/passwd
2568416e280af88f82e982efd46525a8  /etc/passwd
[infodox@sahara:~/phpkit]$ md5sum /tmp/pass
2568416e280af88f82e982efd46525a8  /tmp/pass

Seems legit bro ;)

TODO:
MySQL client. 


Notes:
In two use-cases this was shown to not function.
Use Case A: Servers with the Suhosin PHP Hardening Patches.
In this case, php://input and other URL inclusion vectors are rendered
unuseable due to the protections the Suhosin patches offer. i.e. this 
tool don't work against Suhosin patched boxes.

Use Case B: Servers where php.ini is dictated by httpd.conf
In several cases where the php.ini is specific to the HTTP daemon, 
runtime ini directive modification is not permissable. I have 
personally observed this behaviour on Apache thus far, however
further testing/research is needed to find a workaround of some kind.

Please report if you have any issues getting this to work. Please
test it on a server with allow_url_include = On , then if it works,
set allow_url_include = Off , restart httpd, and check does it work.
If it does not work, please report using the issue tracker at
http://code.google.com/p/insecurety-research providing details of HTTPD
configuration so I can attempt to figure out new things :)

Questions, comments, bug reports and abuse? infodox () insecurety.net

Licence: The do whatever you want with it, just don't rip code without
giving credit licence.