Command line access from your browser using shell.php


Sometimes you want shell access from the browser. It can be achieved using PHP if the security settings allow it. I implemented this functionality in shell.php (available on Github). In the above screenshot you see how shell access from a browser works. The script allows you to upload, download, view, edit and remove a file, zip and unzip a directory and traverse the directories on the server using the mouse, but you can also type in custom commands using the keyboard.

Security warning and disclaimer

Please run this script only on machines you own (or during an authorized pentest). Also make sure the machine is properly firewalled (port 80 should not be reachable from the Internet). Do not use it for malicious purposes! Read more on abuse of shell scripts here.

Known issues

If the script does not work it may be because the PHP “passthru” function on which it relies is disabled. To list the disabled PHP functions, execute the following PHP code (through the same SAPI the script runs under, since the CLI and the web server can use different php.ini files):

<?php
// Show whether safe_mode is on, and which functions are blocked by
// disable_functions and (if the extension is loaded) the Suhosin blacklist.
var_dump(ini_get('safe_mode'));
var_dump(explode(',', ini_get('disable_functions')));
var_dump(explode(',', ini_get('suhosin.executor.func.blacklist')));

On an out-of-the-box Ubuntu 14.04 that will output:

bool(false)
Array
(
    [0] => pcntl_alarm
    [1] => pcntl_fork
    [2] => pcntl_waitpid
    [3] => pcntl_wait
    [4] => pcntl_wifexited
    [5] => pcntl_wifstopped
    [6] => pcntl_wifsignaled
    [7] => pcntl_wexitstatus
    [8] => pcntl_wtermsig
    [9] => pcntl_wstopsig
    [10] => pcntl_signal
    [11] => pcntl_signal_dispatch
    [12] => pcntl_get_last_error
    [13] => pcntl_strerror
    [14] => pcntl_sigprocmask
    [15] => pcntl_sigwaitinfo
    [16] => pcntl_sigtimedwait
    [17] => pcntl_exec
    [18] => pcntl_getpriority
    [19] => pcntl_setpriority
    [20] =>
)
Array
(
    [0] =>
)

PHP shell execution commands

If the script does not run using passthru(), it will try a few other commands. The following functions are similar:

  • exec() Returns the last line of the command's output
  • passthru() Passes the command's output directly to the browser
  • system() Passes the command's output directly to the browser and returns the last line
  • shell_exec() Returns the command's output
  • popen() Opens a read or write pipe to the process of a command
  • proc_open() Similar to popen() but with a greater degree of control
  • pcntl_exec() Executes a program in the current process space

Hardening your server with open_basedir

If the above script seems scary to you, then you may want to prevent it from executing on your server. You can do this by enabling safe mode (deprecated), using the “disable_functions” php.ini variable and/or the Suhosin function execution blacklist.

I have found a well-written post on securing your PHP installation, check it out! Apart from limiting the executable functions they also recommend the “open_basedir” php.ini config variable. It limits the files that can be accessed by PHP to the specified directory tree. I believe this is a powerful tool.
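As an added example (not shell.php's own code, nor from the post linked above), the following script audits the two hardening knobs discussed here: it reports which of the seven execution functions listed above are still callable under the effective php.ini, whether open_basedir is set, and proposes a “disable_functions” line; the file name audit.php is my choice.

```php
<?php
// Added hardening audit (example code, not part of shell.php).
// Run it through the web server, not only the CLI: each SAPI can load a
// different php.ini, and the web server's settings are the ones that matter.

// The seven command-execution functions discussed in this post.
$execFunctions = array('exec', 'passthru', 'system', 'shell_exec',
                       'popen', 'proc_open', 'pcntl_exec');

// ini_get() returns a comma-separated string (or false when the setting is
// unknown, e.g. the Suhosin key without the extension); normalise to a list.
function iniList($key) {
    $raw = ini_get($key);
    if ($raw === false || trim($raw) === '') {
        return array();
    }
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

$disabled    = iniList('disable_functions');
$blacklisted = iniList('suhosin.executor.func.blacklist');

$stillEnabled = array();
foreach ($execFunctions as $fn) {
    // function_exists() is false for functions removed by disable_functions
    // and for pcntl_exec when the pcntl extension is not loaded; the explicit
    // list checks cover the Suhosin blacklist, which function_exists ignores.
    $callable = function_exists($fn)
        && !in_array($fn, $disabled, true)
        && !in_array($fn, $blacklisted, true);
    printf("%-12s %s\n", $fn, $callable ? 'ENABLED' : 'disabled');
    if ($callable) {
        $stillEnabled[] = $fn;
    }
}

$basedir = ini_get('open_basedir');
printf("open_basedir: %s\n",
    $basedir !== '' && $basedir !== false
        ? $basedir
        : 'NOT SET (PHP may read any file the web server user can)');

if (count($stillEnabled) > 0) {
    // Keep what is already disabled so the suggested line is a superset.
    $suggest = array_unique(array_merge($disabled, $stillEnabled));
    echo "Suggested php.ini line:\n";
    echo 'disable_functions = ' . implode(',', $suggest) . "\n";
}
```

After changing php.ini, reload the web server and run the audit again; on the Ubuntu 14.04 defaults shown above it reports all seven functions as ENABLED and open_basedir as not set.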

Also it could be a good idea to secure your “/tmp” directory with “nodev”, “nosuid” and “noexec” flag as described here.

Cannot find Suhosin?

Note that the “php5-suhosin” package (a PHP security extension) is no longer installed nor available on Debian based systems. Some of the security improvements have been incorporated into the latest PHP versions (5.4 and 5.5). If you want to install Suhosin (from Github) on Ubuntu 14.04 (PHP 5.5.9) you can follow this tutorial.

You can read more about the controversy around removing Suhosin on LWN.net.

Privilege separation

If there are multiple users on the system, “privilege separation” is a MUST. This means running the PHP code in the user's context (e.g. as user “maurits”) and not as user “www-data”. I have found a great article explaining how this can be achieved. The easiest solution is to run:

sudo apt-get install libapache2-mpm-itk

And then add the “AssignUserID” directive to every “VirtualHost” configuration. Note that this may not be the safest solution, but it performs well and is easy to install.

Conclusion

You should always update and patch PHP to the latest version to prevent exploitation of known security holes. Tools like “disable_functions”, “open_basedir”, Suhosin and filesystem flags reduce the attack surface and prevent exploitation of unknown security holes. You can use them to implement a layered security strategy. Also do not forget about privilege separation.
