PHPsh: Simple web based shell access to your server
It can be very annoying when you are restricted to FTP access--how can you find out the full path to a directory, or perform a command line SQL dump when you're trapped in the limited, chrooted environment provided by an FTP server? PHPsh (PHP shell) allows you to have shell commands run on your behalf by any webserver which serves PHP pages. It solves these issues and more, allowing you to tap into the power of any Unix (Linux, BSD, etc.) server!
PHPsh was designed to allow developers, webmasters and sysadmins a quick and easy remedy to those situations in which it would be so easy to solve a problem or answer a question with shell access but a pointy-haired hosting company thinks shell access is only useful for crackers... while simultaneously allowing anyone with FTP access the right to run arbitrary commands through CGI or PHP (doh!).
Contents
- What PHPsh is and is not
- How to install and use PHPsh
- Important security considerations
- License and conditions (read before using)
- Tips & tricks
What is PHPsh?
- A simplified version of sh or the bash shell, that allows you to execute arbitrary commands, remotely, through PHP
- A handy way to run simple commands and maintain a history of executed commands
- A helpful environment that allows you to browse the filesystem and fetch or upload files
- PHPsh is freely available for personal or professional use.
What PHPsh is not:
- PHPsh is not an interactive shell. It accepts commands, executes them and returns the output. It cannot maintain interactive sessions, so you can't run vi or any program that expects command line input.
- PHPsh does little to enforce security. It provides an I.P. based access control, and leaves privacy protection up to you (i.e. you'd better run it through an SSL encrypted link). Read the security notes and use it wisely.
- PHPsh is not GPLed. The source is available and you can play with it as much as you like, but there are a few conditions that apply if you want to use it. Read the license.
How to install and use PHPsh
Using PHPsh is straightforward. Download a local copy and untar it (it is tarred and bz2 compressed -- even WinZip should know how to deal with these), and enter the phpsh-X.Y.Z directory.
Upload the phpsh.php file to your webserver, using FTP or whatever means is provided, and access the corresponding URL, e.g. https://www.example.com/phpsh.php.
If you haven't correctly set your IP address within the file's configuration, you will get a message to that effect along with your current I.P. address. Edit your local copy of phpsh.php and change:
$MyIPAddress = '127.0.0.1';
to reflect your actual I.P. address, e.g.
$MyIPAddress = '192.168.89.230';
and upload the newly configured version of the script.
When you access the web interface, you interact with one of (up to) six zones. These are:
- The output of the last executed command appears here.
- Enter your shell commands in this text field.
- Your command history appears here. Hit the "TAB" button to move the focus to this field, and use the up and down arrows to navigate your history. Selecting a line and hitting <Enter> will run that command.
- This area displays the contents of the current directory. The program begins in the install directory, but using the "cd" command to change directory will move you to the new location for the duration of the session (or until you enter another "cd"). Files and directories which are accessible by the webserver user will have links. Clicking on a directory has the same effect as "cd"ing (moving) into the directory, while clicking on a file will load that file in another window.
- If the user has write access to the directory (i.e. the webserver can create files in the current directory), then this upload field will allow you to put files onto the server.
- By default, command output is HTML-escaped (HTML characters, like <, are encoded so they don't interfere with your browser output). You can turn this off to view the output of commands or the contents of files raw -- though this may break the display in certain instances.
Important security considerations
This program can be very useful on hosts that do not allow regular (SSH) shell access. However, it does provide potentially easy access to sensitive information -- there are a few things to keep in mind when using it.
- It is web-based and potentially gives anyone who can reach it a great deal of information about, and access to, the system internals. In order to keep your servers safe, you MUST correctly set and maintain the 'allowedIPs' configuration directive. You should consider uploading the program (e.g. through FTP) to your server before each use and removing it when you are done, each time, so that a stale configuration cannot give an unauthorized user access.
- If you can, install and access the script through an SSL encrypted channel (https://www.example.com/phpsh.php).
- Commands are run by the webserver and execute with its privileges. This means you won't have all your regular rights (e.g. you can't write files to certain directories, etc.) but you will have read permissions to all files the webserver can serve up. Use this access responsibly and protect it carefully.
- A number of configuration settings are available within the $PHPshConfig associative array, in the source code. Read the comments.
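A way to check that no copy has been left behind between sessions, as the first point above advises (an added example, not part of PHPsh). It assumes the script kept the name phpsh.php, that its configuration line has the $MyIPAddress form shown earlier, and that you or the host's administrator can read the web root's filesystem:

```sh
#!/bin/sh
# Added example, not part of PHPsh: list copies of phpsh.php left under a web root.
# Usage: audit_phpsh DOCROOT [MAX_AGE_MINUTES]
# Prints one line per copy: STATUS<TAB>PATH<TAB>CONFIGURED_IP
#   STALE  - older than MAX_AGE_MINUTES, so it outlived the session it was uploaded for
#   RECENT - uploaded or modified within MAX_AGE_MINUTES
audit_phpsh() {
    docroot=$1
    max_age=${2:-60}    # assumed default: one hour per working session

    find "$docroot" -type f -name 'phpsh.php' | while IFS= read -r f; do
        # Read the address from a line such as: $MyIPAddress = '192.168.89.230';
        ip=$(grep '^[[:space:]]*\$MyIPAddress' "$f" | head -n 1 | cut -s -d"'" -f2)
        [ -n "$ip" ] || ip=unknown

        # find prints the path only when the file is older than max_age minutes.
        if [ -n "$(find "$f" -mmin +"$max_age")" ]; then
            status=STALE
        else
            status=RECENT
        fi
        printf '%s\t%s\t%s\n' "$status" "$f" "$ip"
    done
}

# Run directly: sh audit_phpsh.sh /var/www/html 30   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    audit_phpsh "$@"
fi
```

Any STALE line is a copy to delete; the third column shows which address that copy would still admit.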
License and Conditions of use
This program is freely available but may only be used if you accept the following terms and conditions.
You may use and modify this Program for personal or professional activities under the following four (4) conditions: 1) You do not modify the licensing terms or copyright notices, including those visible on the program's output (page footer, etc.). 2) You do not redistribute this Program but instead refer any other users to the PHPsh homepage (http://www.psychogenic.com/en/products/PHPsh.php). 3) You only use this software to access data and perform activities for which you have legal rights (be nice). 4) You read and accept the following "NO WARRANTY" clause: BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Any attempt otherwise to use, modify or distribute the Program is void, and will automatically terminate your rights under this License.
Tips & Tricks
There are a few ways you can make using PHPsh more enjoyable.
- Directory shortcuts. As with many shells, issuing a "cd ~" (cd and tilde, or "squiggle") will return you to the home directory (the PHP script's install dir). Entering "cd -" (cd and dash) will return you to your previous working directory.
- Command shortcuts. If you use certain strings of commands repeatedly, for instance you might run "ls -F -lth | head" to view details concerning the most recently modified files in a directory, then you can create an alias for this command within the $PHPshConfig array in the phpsh.php source code. Choose a short name for the command and add it to the $PHPshConfig['aliases'] associative array, e.g.:
'lh' => 'ls -F -lth | head ',
From this point on, you will be able to substitute the shortcut for the wordy command. In our example, you could enter:
lh -30
to list the 30 most recent files (as it's equivalent to running "ls -F -lth | head -30").
- Page styles. Some command outputs are automatically highlighted. This is controlled by the $PHPshConfig enableformatting and formatcommandoutput entries. You can change the styles associated with these through the in-page CSS stylesheet (near the bottom of the source code, between the <style> tags).