[LA.pm] CGI shell access - was: calling gzip from within perl

Peter Benjamin pete at peterbenjamin.com
Thu Jun 30 13:56:40 PDT 2005


At 01:00 PM 6/30/2005 wrote:
>Would you still have the source code to your faux shell cgi access, that you would be willing to share? I find this topic interesting and I'd like to know more about it.


I write it new each time.  It's about a dozen lines long.
You can download freeware from many cgi libraries.
It is dangerous code, and should always be password protected.

Most ISPs will cancel your account if you use this.
Check your TOS with them.

Off the top of my head (not debugged nor tested):

my $com = param(com);
$| = 1;
print "Content-type: text/html\n\n";
my @lines = `$com`;
print "Return code=" . $!;  #  I think I recalled this right.
foreach my $l ( @lines) { print $l . "<br>\n"; }
print "<form action=https://domainname/com.cgi method=get><input type=text name=com></form>";
exit;


The ones you can download have other features, like time expiring
passwords, which is very good.

Using it with SSL is a good idea, I think.

Do notice that the command

rm -rf /

will work just fine, if the CGI is running with root access, or not.
It will delete all files it can with the userid the CGI is running as.
I like to add if ( $com =~ /rm/ ) { die"" }

You should not run interactive commands like fdisk.

Sometimes you will need to specify the full pathname to the executable.
CGI jail is good to limit actions to just the cgi folder.

Built-in shell commands can be accessed via

csh -e set

or similar.  Note that the profile or rc file will not be executed.
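
An allowlisted variant of the command runner above, as an added example that is not part of the original post or the author's code: the request only selects a key, and each key maps to a fixed command line, so no substring check on the command text is needed. The keys and binary paths are hypothetical, and it assumes the web server already enforces authentication and SSL for this URL.

```perl
#!/usr/bin/perl
# Added example: allowlisted variant of the CGI command runner discussed above.
use strict;
use warnings;
use CGI qw(param escapeHTML);

# Hypothetical allowlist: request key => fixed argv. Nothing from the
# request is ever placed on a command line.
my %ALLOWED = (
    uptime => ['/usr/bin/uptime'],
    disk   => ['/bin/df', '-h'],
    who    => ['/usr/bin/who'],
);

# Returns the fixed argv for a requested key, or undef if not allowlisted.
sub lookup_command {
    my ($key) = @_;
    return undef unless defined $key && $key =~ /\A[a-z]{1,16}\z/;
    return $ALLOWED{$key};
}

# Runs a fixed argv via pipe open; the strings are constants with no shell
# metacharacters, so no request data reaches a shell.
# Returns (exit code, output lines).
sub run_fixed {
    my ($argv) = @_;
    open(my $fh, '-|', @$argv) or return (-1, "cannot start $argv->[0]: $!");
    my @lines = <$fh>;
    close($fh);                     # sets $? to the child's wait status
    return ($? >> 8, @lines);
}

sub main {
    $| = 1;
    print "Content-type: text/html\n\n";
    my $key  = param('com');
    my $argv = lookup_command($key);
    if ($argv) {
        my ($code, @lines) = run_fixed($argv);
        print "Return code=$code<br>\n";
        print escapeHTML($_), "<br>\n" for @lines;   # escape command output
    } elsif (defined $key) {
        print "Command not allowed<br>\n";
    }
    print '<form method="get"><select name="com">',
          (map { "<option>$_</option>" } sort keys %ALLOWED),
          '</select><input type="submit"></form>';
}

main() unless caller;
```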
