Execute commands on your server using a telnet-like PHP shell interface
Search AskApache
Updated: Oct 13, 07 | Execute commands on your server using a telnet-like PHP shell interface
« Compete Search Analytics officially opened to the public! It rocks!Abbr and Acronym examples »
Ever wanted to execute commands on your server through php? Now you can.
I’m calling this file (see below) shell.php and it allows you to run commands on your web server with the same permissions that your php executable has.
The php code for shell.php
Substitue 1.1.1.1 for your IP address.. or see below for password authentication methods.
<?php
if ($_SERVER['REMOTE_ADDR'] !== '1.1.1.1') die();
ob_start();
if (!empty($_GET['cmd'])){
$ff=$_GET['cmd'];
#shell_exec($ff);
system($ff);
#exec($ff);
#passthru($ff);
}
else {
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>PHP AJAX Shell</title>
<script type="text/javascript" language="javascript">
var CommHis=new Array();
var HisP;
function doReq(_1,_2,_3){var HR=false;
if(window.XMLHttpRequest){HR=new XMLHttpRequest();
if(HR.overrideMimeType){HR.overrideMimeType("text/xml");}}
else{if(window.ActiveXObject){
try{HR=new ActiveXObject("Msxml2.XMLHTTP");}
catch(e){try{HR=new ActiveXObject("Microsoft.XMLHTTP");}
catch(e){}}}}
if(!HR){return false;}
HR.onreadystatechange=function(){if(HR.readyState==4){
if(HR.status==200){if(_3){eval(_2+"(HR.responseXML)");}
else{eval(_2+"(HR.responseText)");}}}};
HR.open("GET",_1,true);HR.send(null);}
function pR(rS){var _6=document.getElementById("outt");
var _7=rS.split("\n\n");
var _8=document.getElementById("cmd").value;
_6.appendChild(document.createTextNode(_8));
_6.appendChild(document.createElement("br"));
for(var _9 in _7){var _a=document.createElement("pre");
_a.style.display="inline";
line=document.createTextNode(_7[_9]);
_a.appendChild(line);_6.appendChild(_a);
_6.appendChild(document.createElement("br"));}
_6.appendChild(document.createTextNode(":-> "));
_6.scrollTop=_6.scrollHeight;
document.getElementById("cmd").value="";}
function keyE(_b){switch(_b.keyCode){
case 13:
var _c=document.getElementById("cmd").value;
if(_c){CommHis[CommHis.length]=_c;
HisP=CommHis.length;
var _d=document.location.href+"?cmd="+escape(_c);
doReq(_d,"pR");}
break;
case 38:
if(HisP>0){HisP--;
document.getElementById("cmd").value=CommHis[HisP];}
break;
case 40:
if(HisP<CommHis.length-1){HisP++;
document.getElementById("cmd").value=CommHis[HisP];}
break;
default:
break;}}
</script></head><body style="font-family:courier">
<form onsubmit="return false" style="color:#3F0;background:#000;position:relative;min-height:450px;max-height:490px">
<div id="outt" style="overflow:auto;padding:5px;height:90%;min-height:450px;max-height:490px">:-></div>
<input tabindex="1" onkeyup="keyE(event)" style="color:#FFF;background:#333;width:100%;" id="cmd" type="text" />
</form></body></html>
<?php } ?>
Read this
Note: The history feature works by remembering the last commands that you typed.. Access them by pressing the up or down arrows on your keyboard.
This is not an interactive session, so you cannot cd to a directory and then do stuff in that directory.. You may however be able to do stuff like /bin/bash -c "cd ../../;mv this there;ls -la;" or you could try exporting your current dir or something..
Writing shell scripts and serving them on your web server works by renaming the file.sh to file.cgi and chmodding it to 750 or +x. Also make sure you try dos2unix -dv file.cgi If you can’t get it to work..
Example shell script as cgi
#!/bin/sh
export MYBNAME=`date +%mx%dx%y-%Hx%M.tgz`
tar -czf ${HOME}/backups/${MYBNAME} ${HOME}/site1/
exit 0;
Locking Down Access to your shell.php
Thanks to the comment by Andrew Ramsden, Here are a couple ways to secure your shell.php file so that only you can run this script.
Secure your remote shell by adding this to your shell.php
Add this line to the very top of your shell.php file to make sure that only you can access this script. Everyone else sees a blank screen.
if ($_SERVER['REMOTE_ADDR'] !== '1.1.1.1') die();
Secure your remote shell with htaccess
This only allows access from IP 1.1.1.1 and redirects everyone else. See Using the Allow Directive in Apache htaccess for more info.
Order deny,allow Deny from all Allow from 1.1.1.1 ErrorDocument 403 http://redirecthere.com
Secure your remote shell with mod_rewrite and htaccess
Based on the code from htaccess article This only allows access from user with IP of 1.1.1.1 and redirects everyone else.
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^1\.1\.1\.1
RewriteRule .* http://redirecthere.com [R=302,L]
Similar Reads
Reader Comments
Skip to formComment on "Execute commands on your server using a telnet-like PHP shell interface"
« Compete Search Analytics officially opened to the public! It rocks!Abbr and Acronym examples »
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, which lets you use/modify/re-post this content provided you follow the attribution guidelines in the license.
Web Technology
Someone's Reading
- PHP and AJAX shell console
- Compete Search Analytics officially
- Random Bits, the podcast that gives
- Website SEO Score Tool
Related Articles
- 301 Redirect with mod_rewrite or Re
- SEO Redirects without mod_rewrite
- Boost SEO, Drive Traffic with the 4
I'm Reading
Most Popular
- .htaccess files - Ultimate .htacces
- htaccess rewrite, Mod_rewrite trick
- Custom Boot Menu in Windows XP
- htaccess rewrite, htaccess
- Hack WP-Cache for Maximum Speed
- Sending POST form data with php CUR
Newest Posts
- Removing Category Base from WordPress URLs
- Serve External Javascript Files locally for Increased Speed
- COMPUTER SECURITY TOOLBOX
- Mod_Rewrite Variables Cheatsheet
.htaccess Forum
AskApache.com News
Tutorials
- 12 Lessons for Those Afraid of CSS
- A better way to use PDF files online
- Speed up your site with Caching and cache-control
- Fight Blog Spam with Apache
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. ~Tim Berners-Lee
Apache Software WebRing
Prev | Ring Hub | Join | Next
DCMI | XFN | XOXO 1.0 | hAtom | XDMP | GRDDL | Valid XHTML 1.1 | Valid CSS 2.1
W3C | WAI | © AskApache | License and Disclaimer | Terms of Service
It's very simple -Contact Webmaster | Glossary | Indianapolis, Indiana, U.S.A
you read the protocol
and write the code.
~Bill Joy
nice work, really nice script! i use it nearly every day :O
btw, @Mgccl,
you can use cd c:\cool && dir instead.
chdir() choses the current working directory. I only used it on windows, don’t know what it’s like on linux. let’s suppose, in PHP, start with checking the current working directory getcwd(), and it returns c:\
I run this command in PHP
cd coolwhich suppose make me go into c:\cool
and then I run
dirin a interactive session, it should show all the files inside the c:\cool, but no, instead, it shows everything in c:\
I could insert some code that captures user’s command, like cd, then use chdir() to change the current working dir. for example
chdir('c:\cool');then, run
dirwill show everything in c:\cool.it’s possible to extend this script and fix the “can not cd and work in that directory bug” by using the PHP function chdir.
Works great! Too bad it’s not interactive, though…
that script works very good,but not always !
@ Jake Jones
If it doesn’t work than how do you suppose I got that video showing it working? :)
What kind of error or problem are you getting?
Too bad the script doesn’t work. Let me know when you finish debugging it.
If you browse through them you’ll notice that a lot is possible to protect on the server level instead of dynamically scripting your way out of problems. Which might help, because sometimes it is too much to rewrite thousands of pages.
Great idea. It would be a really good idea to put this file in a password protected directory ;)