OSX Persistence via PHP Webshell

As I learn more and more about OSX I find things that surprise me. For instance, in this post I will be showing you how to, with root or sudo privilege, enable the built-in apache server on OSX and it’s PHP module….

I am working with OSX Mavericks so your locations may vary based on the version of OSX your target it.

First things first is to enable the PHP module for the Apache server.

sudo nano -w /etc/apache2/httpd.conf

(vi or emacs to your heart’s content). But what we are looking for is to uncomment the following line:

#LoadModule php5_module libexec/apache2/libphp5.so

Once you do that, start up Apache. This can be done temporarily (won’t survive a reboot) with the apachectl command:

sudo apachectl start

Or you can make it more permanent with launchctl:

sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist

And undoing the damage with:

sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

After that, just drop your favorite PHP shell into the /Library/WebServer/Documents/ directory and you’re done. (My favorites are b374k and PHP Meterpreter).