I want use the PHP script for execution commands from address bar.
For example :
the-site.com/shell.php?exec=ls%20/
In browser I see this result :
bin
lib
etc
home
usr
Asked
Active
Viewed 845 times
-3
-
1What's your question? And please be more specific than "How do I do it?" – Oswald Jan 02 '14 at 08:49
-
It is my idea, but I can't write any code... I doesn't know PHP. This script I will use on my router. Only for me. – user3152970 Jan 02 '14 at 08:52
-
Why not use, erm, Shell? – Martin Bean Jan 02 '14 at 08:53
-
1Think you is a good idea? the-site.com/shell.php?exec=rm%20-rf%20// – m4t1t0 Jan 02 '14 at 08:54
-
SSH is good. But sometimes I must use browser because I haven't SSH client (on my WP-Phone or TV, for example). – user3152970 Jan 02 '14 at 08:56
-
You do NOT want commands to be executable by a publicly-accessible PHP script, no matter *how* secure you think it may be. Hackers will *always* beat it eventually. – Martin Bean Jan 02 '14 at 09:00
1 Answers
1
You can do this, but I'd advise against it - you're opening yourself up to all kinds of trouble.
Consider accidentally sending rm -rf /.
If you must do this, use a (white)list of tried and tested commands and only allow your script to execute these, then restrict access to the script's entry-point to your internal network only.
I'd post some code for you but, to be honest, I'd worry that you would just use it without testing it - or more importantly understanding it.
Essentially, you're looking at something like:-
$whitelist = array(/* list of allowed commands */);
if (/* command in whitelist */) {
execute();
}
You'll do doubt be needing to pass parameters to your scripts at some point, so make you sure you validate and escape them too. Here's an interesting post with some pointers and links for you to read:-
Best way to sanitize exec command with user inserted variables
Community
- 1
- 1
Anthony Sterling
- 2,451
- 16
- 10