PHP and AJAX shell console

« Student under Criminal Investigation for Allegedly Sending EmailMake Windows XP Blazingly Fast »

June 13th, 2009

PHP for shell.php
Read this
1. Example shell script as cgi
Locking Down Access to your shell.php
1. Secure your remote shell by adding this to your shell.php
2. Secure your remote shell with htaccess
Secure your remote shell with mod_rewrite and htaccess

Ever wanted to execute commands on your server through php to mimick a shell login? Now you can. I'm calling this file (see below) shell.php and it allows you to run commands on your web server with the same permissions that your php executable has.

Loading Video

PHP for `shell.php`

Substitue 1.1.1.1 for your IP address.. or see below for password authentication methods.

<?php
 if ($_SERVER['REMOTE_ADDR'] !== '1.1.1.1') die();
 ob_start();
 if (!empty($_GET['cmd'])){
 $ff=$_GET['cmd'];
 #shell_exec($ff);
 system($ff);
 #exec($ff);
 #passthru($ff);
 }
 else {
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>PHP AJAX Shell</title>
<script type="text/javascript" language="javascript">var CommHis=new Array();var HisP;
function doReq(_1,_2,_3){var HR=false;if(window.XMLHttpRequest){HR=new XMLHttpRequest();if(HR.overrideMimeType){HR.overrideMimeType("text/xml");}}
else{if(window.ActiveXObject){try{HR=new ActiveXObject("Msxml2.XMLHTTP");}catch(e){try{HR=new ActiveXObject("Microsoft.XMLHTTP");}
catch(e){}}}}if(!HR){return false;}HR.onreadystatechange=function(){if(HR.readyState==4){
if(HR.status==200){if(_3){eval(_2+"(HR.responseXML)");}else{eval(_2+"(HR.responseText)");}}}};HR.open("GET",_1,true);HR.send(null);}
function pR(rS){var _6=document.getElementById("outt");var _7=rS.split("\n\n");
var _8=document.getElementById("cmd").value;_6.appendChild(document.createTextNode(_8));
_6.appendChild(document.createElement("br"));for(var _9 in _7){var _a=document.createElement("pre");
_a.style.display="inline";line=document.createTextNode(_7[_9]);_a.appendChild(line);_6.appendChild(_a);
_6.appendChild(document.createElement("br"));}_6.appendChild(document.createTextNode(":-> "));_6.scrollTop=_6.scrollHeight;
document.getElementById("cmd").value="";}function keyE(_b){switch(_b.keyCode){
case 13:var _c=document.getElementById("cmd").value;if(_c){CommHis[CommHis.length]=_c;HisP=CommHis.length;var _d=document.location.href+"?cmd="+escape(_c);
doReq(_d,"pR");}break;
case 38:if(HisP>0){HisP--;document.getElementById("cmd").value=CommHis[HisP];}break;
case 40:if(HisP<commHis.length-1){HisP++;document.getElementById("cmd").value=CommHis[HisP];}break;default:break;}}
</script></head><body style="font-family:courier">
<form onsubmit="return false" style="color:#3F0;background:#000;position:relative;min-height:450px;max-height:490px">
<div id="outt" style="overflow:auto;padding:5px;height:90%;min-height:450px;max-height:490px">:-></div>
<input tabindex="1" onkeyup="keyE(event)" style="color:#FFF;background:#333;width:100%;" id="cmd" type="text" />
</form>
</body>
</html>
<?php } ?>

Read this

Note: The history feature works by remembering the last commands that you typed.. Access them by pressing the up or down arrows on your keyboard.

This is not an interactive session, so you cannot cd to a directory and then do stuff in that directory.. You may however be able to do stuff like /bin/bash -c "cd ../../;mv this there;ls -la;" or you could try exporting your current dir or something..

Writing shell scripts and serving them on your web server works by renaming the file.sh to file.cgi and chmodding it to 750 or +x. Also make sure you try dos2unix -dv file.cgi If you can't get it to work..

Example shell script as cgi

#!/bin/sh
export MYBNAME=`date +%mx%dx%y-%Hx%M.tgz`
tar -czf ${HOME}/backups/${MYBNAME} ${HOME}/site1/
exit 0;

Locking Down Access to your shell.php

Thanks to the comment by Andrew Ramsden, Here are a couple ways to secure your shell.php file so that only you can run this script.

Secure your remote shell by adding this to your shell.php

Add this line to the very top of your shell.php file to make sure that only you can access this script. Everyone else sees a blank screen.

if ($_SERVER['REMOTE_ADDR'] !== '1.1.1.1') die();

Secure your remote shell with htaccess

This only allows access from IP 1.1.1.1 and redirects everyone else. See Using the Allow Directive in Apache htaccess for more info.

Order deny,allow
Deny from all
Allow from 1.1.1.1
ErrorDocument 403 http://www.askapache.com

Secure your remote shell with mod_rewrite and htaccess

Based on the code from htaccess article This only allows access from user with IP of 1.1.1.1 and redirects everyone else.

RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^1\.1\.1\.1
RewriteRule .* http://www.askapache.com [R=302,L]

Google+

Please Comment!

Cancel reply

Reader Comments

Jojo Maquiling ~March 17, 2011 @ 6:05 pm

Thanks, your script is working nicely..its been a great help especially that I dont have an ssh access to the website i'm using. More power to you!!

:)
Really Doesn’t Work! BUG IN THIS PAGE!!! ~March 9, 2010 @ 12:17 pm

I can't see the dates of the other comments, but this page, here, on this site, is messed up...it's including the php from shell.php, but everything after...

---Begin---

---End---

...is displaying literally, not escaped...so we can't see/download the full/real shell.php code...

Instead of including the code plz link to shell.php or shell.phps so we can see/download the code...also your "video" is not displaying either, probably cuz of the literal code making it not show up...

dupe comment override!
metatwada ~March 6, 2010 @ 3:28 pm

Где тут регистрация не пойму
xit ~May 22, 2009 @ 10:37 am

Thank you, good script!

Note: if you want to see errors in *nix systems:
```
 system($ff.' 2>&amp;1');
```
anibal ~May 13, 2009 @ 10:46 am

Does not work, any command outputs a blank line.
crich ~January 28, 2009 @ 1:43 pm

nice script :D thanks!!
would be cool too have a real interactive console probably with a XMLHttpRequest Server backend and such a client :D
fiouji ~October 15, 2008 @ 4:05 am

please tell me how this work!!!
I couldn't run this ajax console!
thank you
syh ~October 10, 2008 @ 7:22 am

Script doesn't work, getting white screen without any error. What's the problem ?
zTriker360° ~August 6, 2008 @ 10:11 pm

nice work, really nice script! i use it nearly every day :O

btw, @Mgccl,

you can use cd c:\cool && dir instead.
Mgccl ~December 7, 2007 @ 12:54 am

chdir() choses the current working directory. I only used it on windows, don't know what it's like on linux. let's suppose, in PHP, start with checking the current working directory getcwd(), and it returns c:
I run this command in PHP
cd cool
which suppose make me go into c:cool
and then I run
dir
in a interactive session, it should show all the files inside the c:cool, but no, instead, it shows everything in c:
I could insert some code that captures user's command, like cd, then use chdir() to change the current working dir. for example
chdir('c:cool');
then, run dir will show everything in c:cool.
Mgccl ~December 2, 2007 @ 10:10 pm

it's possible to extend this script and fix the "can not cd and work in that directory bug" by using the PHP function chdir.
Andrew ~November 28, 2007 @ 9:05 pm

Works great! Too bad it's not interactive, though...
Fugitif ~November 24, 2007 @ 4:49 pm

that script works very good,but not always !
AskApache ~November 1, 2007 @ 11:19 pm

@ Jake Jones

If it doesn't work than how do you suppose I got that video showing it working? :)

What kind of error or problem are you getting?
Jake Jones ~October 27, 2007 @ 10:34 am

Too bad the script doesn't work. Let me know when you finish debugging it.
Andrew Ramsden ~March 14, 2007 @ 12:01 am

Great idea. It would be a really good idea to put this file in a password protected directory ;)