Martin Geisler Online » PHP Shell

PHP Shell

PHP Shell is a shell wrapped in a PHP script. It’s a tool you can use to execute arbitrary shell commands or browse the filesystem on your remote web server. This replaces, to a degree, a normal telnet connection, and to a lesser degree an SSH connection.

You use it for administration and maintenance of your website, which is often much easier to do if you can work directly on the server. For example, you could use PHP Shell to unpack and move big files around. All the normal command line programs like ps, free, du, df, etc. can be used.

Limitations

There are some limitations on what kind of programs you can run. It won’t do any good to start a graphical program like Firefox or even a console-based one like vi. All programs have to be strictly command line programs, and they will have no chance of getting user input after they have been launched.

They probably also have to terminate within 30 seconds, as this is the default time limit imposed on all PHP scripts to prevent them from running in an infinite loop. Your ISP may have set this time limit to something else.

But you can rely on all the normal shell functionality, like pipes, output and input redirection, etc. (There is no Tab-completion, though :-)

Safe Mode

Safe Mode is the nemesis of PHP Shell. If PHP is running in Safe Mode then PHP Shell will normally not work — sorry. Please read the detailed explanation in the SECURITY file.

Installation

PHP Shell is easy to install — download it, unpack it, and configure the password. This is done in config.php. Please read the INSTALL file for detailed information.

How to Use It

When you point your browser at PHP Shell you will be asked to authenticate yourself.
By default no username/password will work, so please go read INSTALL for information about adding a user.

You’re back? Good. Enter your username and password and press “Login”. You will then be presented with a rather simple page containing nothing much except a big window with the cursor blinking at the bottom, signaling that it’s ready to obey your commands.

Write a command and press RET — or alternatively, press the ‘Execute Command’ button if you really want. The command will be executed and the result will be shown in the terminal. You can now enter another command.

To be more precise: the terminal is updated with the command line you have just executed, the output of the command to standard out (stdout), and following that any error output sent to stderr.

The commands are executed relative to a current working directory, which is written at the top. You change this with the normal ‘cd’ command.

Donations

Please consider donating if you have found PHP Shell useful.

Download

The latest version of PHP Shell is 2.1 from December 27, 2005. Download it as phpshell-2.1.tar.bz2 or phpshell-2.1.zip.

The tarball/zipfile contains these files:

phpshell.php: This is the script you run when you use PHP Shell.
config.php: Configuration file in the INI format.
pwhash.php: Password hashing script. This is used to generate secure hashed passwords which you should use to prevent others from getting to know your password by reading the config.php file.
ChangeLog: This file describes the changes I’ve made to PHP Shell. By reading it you’ll always know when I’ve added a new feature or made a bugfix, and the nature of the feature/bugfix.
README: Approximately this page.
INSTALL: Tells you how to install PHP Shell. Among other things, it explains how to change the password protection so that you can use PHP Shell. Remember that it’s very important to have PHP Shell password protected, or else everybody will be able to snoop into your files and perhaps also be able to delete them!
Please take the time to protect your installation of PHP Shell.
SECURITY: A separate guide about security with PHP in general and PHP Shell in particular. Be sure to read this too, especially if you are getting strange errors back from PHP Shell.
COPYING: Standard GNU GPL.

PHP Shell is kindly hosted by SourceForge.

253 Comments

Le blog » I’m giving up my attempts to ssh!: [...] the www-data user doesn’t have that many privileges. In short, I’m going to use a PHP shell, which should eventually let me manage to move my blog to my personal server. By the way, [...]
2 June 2005, 3:12 pm

Martin Geisler: I have no idea what they say about PHP Shell — but look! You can now put comments on my pages too! :-)
2 June 2005, 11:16 pm

Nicolas Delsaux: I’m just saying that, instead of trying to access my webserver through SSH over HTTP (which I’ve never succeeded at), I’ll instead use PHP-shell+WebDAV to access my webserver. Main drawbacks being security provided.
4 June 2005, 10:26 am

Martin Geisler: Ah, thanks for the explanation! I’ve never learned any French, so I was wondering what your comment was about. You’re absolutely right about the lack of security: the only good way to use PHP Shell is over SSL. The builtin authentication is made with plain-text passwords, and afterwards the traffic is unencrypted, just for the record. So use SSL (HTTPS) if you have the option.
4 June 2005, 11:04 am

James: While I’m sure your intentions are good, your application is being used to create google account stealing shadow sites around the web.
21 June 2005, 3:32 am

Martin Geisler: Hmm… I don’t know anything about how that would work, but as you say, then my intentions with PHP Shell are good. It always annoys me when I hear about people misusing it.
21 June 2005, 10:17 am

paradise: but it same with remview - a trojan can remote host or not, and can using linux command to remote and control it ? how can setup online from this host to another host ?
18 July 2005, 9:00 pm

Martin Geisler: I don’t know what you are asking here… PHP Shell just gives you a convenient interface to the normal PHP commands for executing programs. There’s no magic going on here… :-) This applies to everybody: go read the PHP documentation on proc_open() if you’re in doubt as to what PHP Shell gives you.
18 July 2005, 9:39 pm

didier Belot: Thanks for this really great script! There are so many things annoying to do without an ssh account on a web hosting, like ‘rm -rf’ a whole subtree with an ftp client! It works like a charm, and it’s very easy to configure. Well done, sir!
20 July 2005, 9:06 pm

Martin Geisler: Thanks for the feedback! I’m glad you like it! :-)
20 July 2005, 10:14 pm

f00li5h (remove pants to email me): Sexy sexy commenting layout /me steals the css. Love the shell, just right for sticking on a friend’s server while he’s not looking << >> i have to say it. Props and a word up! very nice
26 July 2005, 1:18 am

Martin Geisler: Oh, the theme of this site (including the CSS) is the default WordPress theme, so you cannot really steal it, it’s freely available ;-)
26 July 2005, 10:17 am

iain: if you are a sysadmin use the following `php.ini` line to disable this type of program:

    disable_functions = exec,passthru,proc_open,shell_exec,system,posix_kill,popen

28 July 2005, 7:28 am

sporkit: thanks iain. this is an incredibly dangerous script. a hacker got into my server through a phpbb flaw and has been using this to hack shell account passwords and cause all other types of damage. i’m currently working on setting up a chroot jail on my freebsd server. hopefully this should keep things under control till i get that set up.
4 August 2005, 10:50 pm

Martin Geisler: Good luck on securing your server! I’m always sad to hear when people misuse PHP Shell for that kind of thing…
5 August 2005, 5:12 pm

Ehsan: Hi guys, Who knows how could login with another user and pass into server from the phpshell screen?
I’ve tried to use “login root” but it didn’t prompt me for desired password. How can we have several-line commands? Thank you
5 August 2005, 5:48 pm

Martin Geisler: You cannot use commands that require interaction with PHP Shell — that includes the login program. But, as described in the documentation above, it should be possible to execute commands as another user using the Sudo program. Not that this would be secure, of course… if somebody gets access to PHP Shell, or if some other PHP script gives the user access to executing PHP code, then they too can use Sudo to elevate their privileges. Use with care!
5 August 2005, 10:48 pm

Martin Geisler: As for commands spanning multiple lines: you can’t. Normally you don’t really need multiple lines in shell commands — multiple lines are just used to make things look readable.
5 August 2005, 10:49 pm

Notizblog » Blog Archive » MGeisler Blog - PHP Shell: [...] http://mgeisler.net/php-shell/ [...]
11 August 2005, 10:42 am

Kartik: Hey d00d, Your php shell tutorial wreaked havoc on my website. Someone used that script and exploited my whole website and uploaded some fake ebay pages. I don’t know if i shud complain to the FBI about you or about shika_hackmaster@hotmail.com <== the person using your script to exploit. Shud i take any action ??
27 August 2005, 11:04 am

Phillip: Martin; Thanks. This script is exactly what I need. I’ve been writing simple cgi scripts for each command I need to run, which is a pain, and is even more insecure than your script. So this should improve my security somewhat. However, when I attempt to log in, it acts like I’m not getting my user name or password correct. I’ve verified that they’re set in my script, so I’m wondering if something is likely to be disabled by my ISP. Any guesses? Any way to verify? Thanks
27 August 2005, 8:56 pm

Martin Geisler: I’m sorry to hear that your server was exploited. As for who to complain to, then I’m no expert — I’ve never tried something like that myself.
But I would contact the authorities and discuss it with them. I guess that the FBI would be able to tell you who to talk to in case they’re not the right ones. Remember to get hold of the log files for your server, they will be important if/when someone tries to investigate this. Good luck! Feel free to write back (either here or by email) if you have any luck getting the bastards caught!
28 August 2005, 1:10 am

Martin Geisler: I’m glad that you are finding my script useful! Or that you are optimistic about it :-) I don’t know why you cannot log in — I’ve received several emails about this too, but was never able to find a reason. Reading through the PHP documentation on HTTP Auth reveals that the crucial $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables won’t get set if you’re running in Safe Mode or as CGI (as compared to running PHP as an Apache module). If your PHP is running as a CGI script and you have control over a .htaccess file, then try inserting the following into it:

    RewriteEngine on
    RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]

Then insert the following code at the top of phpshell.php:

    // Recover the HTTP Basic credentials when PHP runs as CGI and PHP_AUTH_* are not set.
    if ((empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW']))
        && isset($_SERVER['REMOTE_USER'])
        && preg_match('/Basic\s+(.*)$/i', $_SERVER['REMOTE_USER'], $matches)) {
        // Split on the first colon only: the password may itself contain colons.
        list($name, $password) = explode(':', base64_decode($matches[1]), 2);
        $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
        $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
    }

Let me know if it helps!
28 August 2005, 2:04 am

Sim0ne: Hey Martin, Thanks for the effort. Can I use this script to unzip a file in ftp? If so can you please write a sample that would unzip “nel.zip” inside http://www.nelmaxima.com for example? Thank you very much. I really need this help.
7 September 2005, 10:39 am

Martin Geisler: You normally cannot unzip files using FTP — you can only transfer the file. But to unzip nel.zip with PHP Shell you would execute unzip nel.zip after having navigated to the folder containing nel.zip.
This only works if your host has installed the unzip program.
8 September 2005, 9:21 pm

QuarkBlog » Blog Archive » PHP Shell: [...] I was looking for ways to get around this restriction without having to change the port of the SSHd daemon or change the server configuration much, and I came across PHPShell, a little program that simulates a console in a page that we can access from any browser. The bad part is that it cannot handle programs that “take over” the console, like vim or emacs, so for editing files (90% of an administrator’s work) things are not so good. [...]
23 September 2005, 12:07 am

Pavel: how to change this $ cursor ex. root@diiid.com
12 October 2005, 8:22 am

Martin Geisler: There’s no built-in way to change the $ in front of the prompt to something else. But you could edit phpshell.php and change line 96 if you want to. And please don’t use PHP Shell as root, as the password will be written in plain text in phpshell.php.
12 October 2005, 9:22 am

Syberon: This is fucking good :D i always wanted a shell with everything and now? i have it, everything! i run ventrilo on it. it is damn handy :D Thank u very much guys! have a little problem now but i hope i can fix it soon… i can’t open the file phpshell.php anymore :( because i used wget for getting a file and my pc crashed :S and since then i can’t open the phpshell.php file anymore :( can’t delete the file i was getting with the shell, hateful :( but if u guys know how to fix this please tell me :s
22 October 2005, 8:04 pm

Richard: Any way to automatically run commands using phpshell, i.e.:

    http://user:password@example.com/phpshell.php+'chmod a+x somescript'
    http://user:password@example.com/phpshell.php+'somescript'

I am trying to automate some installs across an intranet. Thanks!
24 October 2005, 8:47 pm

Martin Geisler: Cool idea, I hadn’t thought of that!
24 October 2005, 9:08 pm

Richard: I have 6000+ sites that I do not have SSH access to without emailing someone to turn it on. PHPshell has been a lifesaver, but I have to run a script and add code to them on a regular basis and it is a bit overwhelming. Sure would be nice to throw the command into a curl string to force a download of a script.
24 October 2005, 9:24 pm

sutart: Just found this tool - exactly what I’ve been looking for. Thanks!!!
26 October 2005, 2:37 am

Martin Geisler: Wow, that’s an extreme number of sites! And now that I re-read your original comment I see that you actually asked a question! (But you forgot the question mark…) To run PHP Shell via a URL you simply have to pass a command via the command GET argument. Remember that you have to encode it yourself like the PHP urlencode() function would do: replace spaces with + and other non-alphanumeric characters with their hexadecimal representation. Then something like this should work:

    http://example.com/phpshell.php?command=chmod+a%2Bx+somescript

where the spaces have been encoded as + and the + itself is encoded as %2B.
26 October 2005, 1:01 pm

Martin Butt: I have been using this program for some time and it is excellent. To all the people that have had their sites hacked with it, stop complaining and tighten your security. When I now try to access my phpshell.php file, I get an internal server error with the message “The server encountered an internal error or misconfiguration and was unable to complete your request.” I am presuming that the web host I am using has stopped some kind of PHP functionality. Do you know what kind of things could cause this? If it could be something to do with the php.ini, I can use a custom one. Cheers Martin, Martin
6 November 2005, 12:59 am

Martin Geisler: Hi Martin!
Thanks for the comments about people complaining… I couldn’t have said it better :-) If someone has disabled a function (that would most probably be proc_open — the only security-related function used by PHP Shell) then you should receive an error like this:

    Warning: proc_open() has been disabled for security reasons in /some/path/phpshell.php on line 146.

But maybe the error is redirected to an error log somewhere… but even in that case I don’t get a 500 error here on my machine, I just get a blank page. So I basically don’t know why you would get a 500 error from Apache… sorry.
6 November 2005, 1:44 am

didier Belot: With my ISP (http://www.ovh.com/), we have a 500 error with, for example:
a bad .htaccess
bad perms on a script (rwxrwxrwx)
hope this helps
6 November 2005, 11:07 am

kato: Hi Didier, Does phpshell work with your ISP (http://www.ovh.com/)? I have a 60gp plan with the same ISP and phpshell doesn’t seem to work. :(
8 November 2005, 5:26 pm

Martin Butt: I have found the cause of my error. My ISP uses an Apache module mod_security (http://www.modsecurity.org/) that blocks the filenames shell.php and phpshell.php (among others) because “it is an often used hacker script”.
9 November 2005, 10:33 pm

Ed: Martin — this script rocks. Thanks. My web host (Godaddy) doesn’t have tar. I would dearly like to be able to do something like tar — is there some clever way to substitute other commands?? i don’t know much about linux… here is some info i collected that contrasts GoDaddy with iPowerweb: http://azbikelaw.org/computer/webhostphp.html#Fun
9 November 2005, 11:00 pm

Martin Geisler: Hmm… Now, I don’t want you to get into trouble, but you can always rename phpshell.php into something else — the script doesn’t care. But please explain this to your host: PHP Shell doesn’t use any “magic” function in PHP, just the plain, built-in proc_open() function. So they should disable that function instead of trying to keep hackers out by filtering on the filename.
10 November 2005, 12:20 am

Martin Geisler: I know of no pure-PHP implementations of tar, but there are several PHP implementations of the ZIP format, so maybe you could use one of those — I just found this one.
10 November 2005, 12:30 am

didier Belot: Yes, with some modifications:

1) put it in a protected subdir, containing a .htaccess:

    AuthUserFile /home/your_login/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Private zone"
    AuthType Basic
    require valid-user

See OVH guides for creating the .htpasswd file with correctly encrypted passwords: http://guides.ovh.com/ToutSurHtaccess/ http://www.ovh.com/fr/espaceclient/outils/crypt_password.pl

2) then you can remove the phpShell part that deals with authentication… Mine looks like:

    if (0) { // not available at ovh… use .htaccess !!!
        header('WWW-Authenticate: Basic realm="PhpShell 2.0"');
        header('HTTP/1.0 401 Unauthorized');
        $authenticated = false;
    } else {
        $authenticated = true;

hope this helps! Good CLI sessions with phpShell ;-) didier
10 November 2005, 12:53 am

Martin Butt: That is what I did.
10 November 2005, 12:10 pm

Ed: Thanks for pointing that out. It hadn’t even occurred to me that there would be a php implementation. By the way, that one you pointed out does do tar in addition to zip. I couldn’t quite get it to work — i can see the contents/structure of my tar file but I can’t figure out how to extract it… and it is stuck in french :-) but i’m sure it’s something i’m doing wrong on my end. Thanks again.
11 November 2005, 1:12 am

Zach: Just a suggestion to folks, change the name of the file from phpshell.php to something else, then put it in a directory with a name that is really stupid, profanity works well also :) then use .htaccess to block access to that directory to the world then simply give your IP access.
Course only works if you are on at least a semi-static IP (most cable connections will retain the same IP address for years, even non static connections - unless you disconnect it for 24 hours or so, or change MAC addresses). Use a stupid directory name so you won’t screw up and open it up to the world, change the filename to prevent someone from IP spoofing your IP and accessing the file to run whatever. (You can always spoof your outgoing IP - so sending commands, if you know what to send, and where to send is trivial - you just can not get anything back - but someone that spoofs an IP, sends a command in to change the .htaccess file to give them access, now has direct access.) Anyway - after all that, by doing the above - you make it so you can get in and use that script, and others, with no hassle, and is actually more secure than most any other method, since you just would redirect not from the correct IP to your 404 page - which tells them that nothing exists there, and they have to look elsewhere to try to break in. Nice script
13 November 2005, 4:42 am

crake: i saw a tutorial using version 2.63 dev. where can i download that?
14 November 2005, 8:18 pm

Martin Geisler: Where did you see that tutorial, could you please post a link? There’s no such version, so I’m curious :-)
14 November 2005, 10:17 pm

a2z: google phpshell 2.6
15 November 2005, 3:05 pm

crake: it is a file manager tool by ‘macker’. it includes a tool called haxplorer. the tutorial is a tut showing how if you don’t secure your server people can easily get in and find ur mysql pass and stuff
16 November 2005, 11:11 pm

kato: Thanks, it works! kato
18 November 2005, 7:45 am

flo: hallo this piece of script is genius! i’m happy with it.
i now tried it on a new webproject with another server and for every command i type in it always says “no such file or directory” at the end… example, if i try to get a tar file from source forge: sh: line 1: /wget: No such file or directory. but i can change directories with phpshell, where is the problem? thanks and best regards, flo
20 November 2005, 6:59 pm

a2z: all in all great tool ;)
20 November 2005, 7:05 pm

flo: hi martin! is there something wrong with your email? i always receive an error. best regards, flo (from schaffhausen..)
21 November 2005, 6:57 pm

Martin Geisler: You’re probably trying to send to the old gimpster@gimpster.com address, right? That domain name is dead — please use mgeisler@mgeisler.net from now on.
21 November 2005, 7:22 pm

Aunt Jemima's Revenge: Martin… THANK YOU so very much for publishing this program. This is a lifetime accomplishment that most people never come close to executing. You have most certainly helped hundreds of thousands of people through this program. Be sure to disregard these silly posts about people reporting you to the FBI. Now. I am also having the same difficulty as the original poster on this thread. I host with GoDaddy, who I verified does not have my PHP set to safe mode. It appears, then, that my script is recognized as a CGI file, BUT I don’t have control over a .htaccess file. Suggestions?
30 November 2005, 11:29 pm

Aunt Jemima's Revenge: Again, this is the error message I get: [PhpShell 2.0 You failed to authenticate yourself to PhpShell. You can reload to try again. Try reading the INSTALL file if you're having problems with installing PhpShell.]

1. I followed the directions to reset my password:

    /*
    $passwd = array('username_1' => 'password_1',
                    'username_2' => 'password_2',
                    // …
                    'username_n' => 'password_n');
    */
    $passwd = array('fuck' => 'me');

    /* Set your aliases here. Each key in the array will be substituted
     * with the corresponding value before the commands are executed. */
    $aliases = array('ls' => 'ls -CvhF',
                     'll' => 'ls -lvhF');

    if (!isset($_SERVER['PHP_AUTH_USER']) ||
        !isset($_SERVER['PHP_AUTH_PW']) ||
        !isset($passwd[$_SERVER['PHP_AUTH_USER']]) ||
        $passwd[$_SERVER['PHP_AUTH_USER']] != $_SERVER['PHP_AUTH_PW']) {
        header('WWW-Authenticate: Basic realm="PhpShell 2.0"');
        header('HTTP/1.0 401 Unauthorized');
        $authenticated = false;
    } else {
        $authenticated = true;

        /* We now start the session. */
        session_start();

        /* Initialize the session variables. */
        if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {
            $_SESSION['cwd'] = getcwd();
            $_SESSION['history'] = array();
            $_SESSION['output'] = '';
        }
    } // closes the else branch

I renamed phpshell. I’m still fucked! Suggestions?
30 November 2005, 11:41 pm

Martin Geisler: Thank you very much for your encouraging comment! About your problem: I have no real idea of the solution. Judging from the number of posts about failed authentication, I guess I need to make an internal solution for PHP Shell — what I once thought was the easy solution of just sending out a header, has turned into something not as easy for a lot of people. So I’ll rewrite that… someday. Right now I have an exam coming up next Tuesday which I need to focus on first :-)
1 December 2005, 8:27 am

Ryan: Thanks for such a great script. I created my own shell.php script a few years back, but yours is MUCH better. Great job and thank you again. I am having the same passwd problem. I created a similar, but not as advanced shell.php script. It works fine, so my guess with the phpshell.php script is that there may be an issue with the way it authenticates. I tried your suggestions, but nothing worked. I finally commented out the authentication and now use a .htaccess file to do that. My question: Is using a .htaccess file more or less secure than the built-in authentication phpshell.php uses? If it is equally secure, will you please add that option with instructions on how to do it to the INSTALL file.
5 December 2005, 5:59 pm

master: hi martin and thx for ur perfect script. I’ve been using phpshell for some weeks but suddenly it stopped working and the error is: sh line 1: /public/home/autice/auth//ls: No such file or directorys : what can I do?! thx
5 December 2005, 9:21 pm

Argyll: My Whole site was wiped out.. all that was left was this proggy, guess someone managed to get it into a folder and run it, 5 years of work, over a dial-up all wiped out………..
6 December 2005, 9:55 pm

Martin Geisler: Oh boy… I’m sorry to hear that — I hope you have a backup of your work. I always have a copy of my site on my own computer, which I then upload to the Internet when I’ve changed something. Then it’s only stuff like the database which isn’t on my machine, but for that I’ve arranged a nightly backup too. Everybody: please understand that enabling PHP on your webserver is a risk — you turn something which would normally just serve static pages (an idempotent operation) into something which can potentially make a whole lot of problems. I’ve said it before and I’ll say it again: PHP Shell has no “magic” commands in it, just a simple call to the builtin proc_open() PHP function. So the problem lies with PHP — PHP Shell just makes it more convenient to exploit insecure PHP installations, but it does not fundamentally change the problem.
6 December 2005, 10:18 pm

Argyll: Nah it was getting too big to manage over a dial up modem… used to do that but was taking too long even to update a few pages…… last year or so was updating Live…. 256 MB wiped out……
7 December 2005, 7:00 pm

Martin Geisler: But, but… the type of connection has nothing to do with how difficult it is to manage! It’s a matter of using a reasonably intelligent tool to mirror the stuff from your computer to the server. I use sitecopy myself, but any self-respecting FTP program should be able to copy just the changes.
7 December 2005, 9:53 pm

Roy Schestowitz: How does one get notification about updates?
Maybe it’s worth putting on Freshmeat/Sourceforge with download links that point to this site? Either way, the tool is very valuable.
8 December 2005, 6:37 am

Roy Schestowitz: I suggest you urge people to also put the script under password-protected directories. It gives a double-layered protection: Apache(/equiv.)-PHP
8 December 2005, 6:42 am

Martin Geisler: I’ve been using Freshmeat for years now, so it should be easy: PHP Shell on Freshmeat. I might put it on SF too one day, but so far it has just been a little script with no big needs (but maybe that’s changing — I’m getting a lot of comments about it now…)
8 December 2005, 9:52 am

GoDaddy User: I have shared hosting on GoDaddy… when I upload the phpshell.php and change the user/password to my choice… I cannot login. GoDaddy serves the page, prompts me for the phpshell username/password… and then when I submit the form, it asks me to login again… I cannot authenticate. I’m sure I’m using the username/password I’ve set. What can I do?
18 December 2005, 5:06 am

Syberon: Hi GoDaddy user, if u get the window to enter your username and password fill in the username and password u edited in phpshell file.. then u can login :D if u didn’t do that u can’t login…
21 December 2005, 2:21 pm

ardhizer: I already changed the password and the script asks me for the password over and over again, can you explain me?
25 December 2005, 1:59 pm

Martin Geisler: New version released! I’ve made the authentication internal and hope that this will solve all the problems people have had with repeating login boxes. Please download it and give it a go! I’ll be offline the next couple of days, but when I get back some time in the new year I’ll look at your comments.
27 December 2005, 1:35 am

Tobias: Hi, thank you for that great software. It spares me moving to another provider!!! Tobias
29 December 2005, 12:02 pm

Dmitriy: Hi!
When i tried your script i can’t receive an output from progs such as "less, man etc...", so any progs waiting for interaction from the user can’t be run… Can it be solved?
31 December 2005, 2:03 am

Tobias: Hi Dmitriy, I am not Martin Geisler, but I think I can give you an answer, too. No! Because this works with an where you see the results of what you entered and an where you can enter new commands. So these are two different areas. And the things you type will not be sent to the server before you hit Enter or the button under these fields. So using interactive software can not be possible this way! Hope I could help you! Tobias
31 December 2005, 10:08 am

ardhizer: Your new version works fine, many thanks for that. Good job martin, I love it
1 January 2006, 12:23 pm

ardhizer: Martin, can you add a “Clear” button to clear the phpshell main screen?
1 January 2006, 2:09 pm

Martin Geisler: Yes sure. I can add that to the next version — in the meantime just log out with exit or use the logout-button.
2 January 2006, 3:41 pm

Martin Geisler: I guess Safe Mode has been enabled in your PHP installation. Please see the SECURITY file in the latest release where I write a bit about the problems with Safe Mode.
6 January 2006, 10:52 pm

Martin Geisler: Could you please try the newly released version 2.1? I’ve changed the authentication logic and hope it helps with problems like yours.
6 January 2006, 10:53 pm

Martin Geisler: Please try version 2.1 in which I totally rewrote the authentication logic.
6 January 2006, 10:55 pm

Martin Geisler: Has the new version 2.1 helped with this situation so that such hacks aren’t necessary?
6 January 2006, 10:58 pm

Martin Geisler: Please try out version 2.1 where I rewrote the authentication code. I hope that it works on your host too.
6 January 2006, 10:59 pm

-CD-: AWESOME! As long as all persons use the internet responsibly, there will never be a disincentive for the development of tools such as this. Thanks.
-CD-
7 January 2006, 8:15 am

Martin Geisler: Sorry about the late reply — both forms of authentication send the password in cleartext over the wire, and are thus equally bad.
9 January 2006, 9:50 pm

father: i thought sitecopy updated the “site” with changes made locally, not the reverse. so if you deleted or changed the file on your local machine, the file would be changed or deleted on the server. this doesn’t sound like it would help to archive/restore a site if it was destroyed. then i could be reading the “description” the author provided incorrectly.
13 January 2006, 7:53 pm

father: Fatal error: Call to undefined function: proc_open() in /home/httpd/vhosts/xyz.com/httpdocs/phpshell/phpshell.php on line 237. everything works great until i type in a command like “dir”
13 January 2006, 8:01 pm

Martin Geisler: No, you have gotten it right: sitecopy will copy changed files from your computer to your website, without you having to remember what you have changed, added, or deleted. There are tons of such programs, and with any of them you automatically get a backup of your site on your own computer. So if someone manages to destroy the online copy, you still have your offline copy. That was why I suggested sitecopy.
13 January 2006, 9:04 pm

Martin Geisler: But you can successfully execute other commands?! Then it is very strange since proc_open() shouldn’t just become undefined from one moment to another…
13 January 2006, 9:05 pm

Dave Matthews: Excellent script! I created a PHP Shell back in 2004 when I was with iPowerweb and discovered that my webhosting company was not secure. Later, I decided that I would run my own dedicated systems and not allow php access to users or shell access. This seems to be the most secure setup so far. This script is legal and it illustrates how vulnerable security can be.
23 January 2006, 11:30 am

Eric: I can not seem to change directories under phpshell when the destination contains a space.
I have tried cd name\ with\ space and cd "name with space" but both seem to fail. I am able to ln -s name\ with\ space namewithnospace and then cd to this new name but that is not desired. How can I cd to a directory with a space?
23 January 2006, 8:26 pm

Martin Geisler: Uh… you cannot, sorry :-( I’ll fix it for the next version.
24 January 2006, 12:39 am

RibaNet: hello thanks for this software!! I have installed in my private directory in my domain http://www.ribanet.com regards from spain!
26 January 2006, 9:18 pm

Dan: “As long as all persons use the internet responsibly” Well, that’s certainly something we can count on!
30 January 2006, 12:27 am

Seattle Web: This is a great script - thanks!
31 January 2006, 8:40 pm

Stephane: is there a way to make this script work with windows xp because i can ask for dir command off the directory where the application have been launched but i can't change it i am stall to this directory thanks!
3 February 2006, 3:15 pm

Tobias Unger: Hi, I have published a patch containing an editor feature - you may download it at http://www.tobias-unger.de/download (GERMAN) or at http://sourceforge.net/projects/phpshell/ (in the patches category) (ENGLISH)! If you find errors or have problems with the patch please tell me (mail@tobias-unger.de). Tobias
4 February 2006, 5:51 pm

Martin Geisler: Like I told you in a private mail, then I don’t know why this doesn’t work. My guess is that it is because of the use of \ in paths on Windows, as compared to / on Unix/Linux. But I haven’t really looked into this.
4 February 2006, 7:26 pm

Martin Geisler: Great with addons! As you can tell from the SourceForge URL, I’ve begun moving the project there. Right now only the files are there along with a mailing list, but I will move this page (or one like it) there at some point in the future. So please go to http://sf.net/projects/phpshell in the future with your feature requests, your bug reports, and all your other good ideas.
Please use the tracker system there so that the reports are properly sorted. If you have found PHP Shell especially useful for you, you can now show your appreciation in a concrete way by donating money from SourceForge. Of course you can also continue to use it for free, if you so wish. In any case: PHP Shell is going to SourceForge, please follow along! :-)
4 February 2006, 7:45 pm

Online Beesh head: I just found this tool. its freakain awesome and i hope you keep updating :] but im having some problems =\ .. im running this on http://www.ripway.com and when i try to unzip a zipped folder for example lol.zip i get ” ‘/unzip’ is not recognized as an internal or external command, operable program or batch file. ” and when i try to use the command “cd” to open a folder/file i get an error such as ” chdir(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access \ owned by uid 0 cd: could not change to: /ventrilo ” What does it mean by “uid 0” how would i edit that so i can make it so i can open other folders and run files and such?
6 February 2006, 8:01 am

Martin Geisler: Hi! Did you read the SECURITY file? It contains information about Safe Mode — it basically comes down to this: PHP Shell won't work on your server. If it is your own server, then you can disable Safe Mode in your php.ini file. Otherwise you’re probably out of luck :-(
6 February 2006, 10:34 pm

Dawn A: Love the script, thanks Martin, worth a $10 Paypal donation after the first command I executed :). I’m using GoDaddy too. One question. I found you from the MediaWiki FAQ, http://meta.wikimedia.org/wiki/MediaWiki_FAQ where we are advised to run “php rebuildMessages.php --rebuild”. Every other typical shell command works for me in your script (cd, ls, and so on), but this command spends 4 minutes with Firefox saying “Waiting for [my host]” and then “Done”. But no command output, no new $ prompt in the window. At this point, even clicking Logout has the same result.
Am I hitting a timeout, or is the php command generating output like “vi” or “less/more”, or … ?? I know the rebuild didn’t complete because my wiki doesn’t reflect the changes (even with shift+reload). Can I determine if it took errors, somehow? (I’m thinking output pipe or redirection won’t work if the command isn’t completing….) Grateful for any ideas.
24 February 2006, 10:32 pm

Martin Geisler: Thank you very much for your donation, it is very much appreciated! I’m afraid that I have no good suggestions for your problems right now… and I’m in the middle of moving from Switzerland to Denmark, so it will be a little while before I have time to think of some :-( One small suggestion, though: since you’re trying to run a PHP script, maybe you could simply look at rebuildMessages.php and see what is executed when it is run? Then simply call that function from a little PHP script. I hope you see what I mean, if not then I’ll try and explain again when I get some time. Thanks again for your support!
25 February 2006, 12:59 am

ardhizer: hey martin. im still waiting for “Clear button” I just wanna remind you. thanks
3 March 2006, 7:43 am

Matthew: I think it's a GoDaddy thing, as I’ve experienced it too (GoDaddy with PHP Shell and Phonsole). I think it has something to do with the PHP script trying to fork (but not being able to). So far haven’t found a workaround.
13 March 2006, 7:04 am

Gregory L. Magnusson: Nice. Very nice.
17 March 2006, 11:28 pm

shawty: Excellent bit of code, means i can access my site from work now!!! Here’s a little tip… if you add

    // IIS sets HTTPS to "off" on plain HTTP, so isset() alone is not enough
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') { print " I refuse to run, unless i'm secure! \n"; die(); }

right to the top of the index file, then you're forcing it to only run if on a https connection..
29 March 2006, 12:53 am

chris: how can i clear the history?
29 March 2006, 4:09 am

Martin Geisler: I’m afraid that you have to close your browser at the moment.
This will make your browser delete the session cookie, thus clearing your history. I could make a button for this in the next version. Work on PHP Shell has been stalled by lots of exams in all of February, a move from Switzerland to Denmark, and now a move into my new apartment. But I will have my computer back online some time next week and hopefully start to settle in with my Ph.D work. So lots of stuff is going as you can see :-)
31 March 2006, 8:23 pm

Martin Butt: Well done on the Ph.D! As ever, always looking forward to the next version!
1 April 2006, 5:06 am

Martin Geisler: Thank you! You’re very welcome to add your suggestions for the next version to the SourceForge tracker system. That should make it harder for me to forget about them :-)
1 April 2006, 10:36 am

MR: Perhaps it is a stupid question, but i did not find a solution for the problem. I always get the message: Fatal Error! proc_open() has been disabled for security reasons phpshell.php, line 240. I found it in the SECURITY file but didn’t find a solution for it. Can someone help me?
7 April 2006, 7:18 pm

Martin: Well, it means what it says: the essential proc_open() function has been disabled on your webserver by the administrator. He or she has probably done so to prevent scripts like PHP Shell from working and there is nothing that you can do about it except asking for it to be enabled again.
7 April 2006, 7:42 pm

Michel: Thanks for the script Martin. Just wanted to mention a few simple ideas. It could be useful to emulate the ‘clear/cls’ command to empty session output. Which led me to think some *nix - WinNT translations might come in handy. I.e. accept command equivalents like ‘cp/copy’, ‘diff/comp’, ‘fgrep/find’. I experimented with this for a bit with a ‘which’ command for WinNT (for which you could use PEAR’s System::which()).
10 April 2006, 1:25 pm

Sridhar: When I unzip a file that creates directories, I get permission denied.
Is there any way other than creating a directory, CHMODing it to 777 and executing the unzip inside this directory?
20 April 2006, 12:18 pm

Martin Geisler: No, that should work. And you can unzip files okay if they don’t create directories?
20 April 2006, 12:57 pm

Sridhar: well, I am not able to place any files or unpack (whether or not it has directories) if while using the PHP shell, my present working directory doesn’t have CHMOD 777. Basically only if my present working directory is CHMODed to 777 am I able to do any ‘write’ activity i.e., downloading files in that directory or unpacking to create new files and directories. Check this screenshot: http://img88.imageshack.us/img88/6632/phpshell17rc.gif Now in the above screenshot example, if I CHMOD phpshell directory to 777, it works. Currently it’s at 755.
20 April 2006, 1:14 pm

Martin Geisler: Your problem might be that your webserver (apache probably) is running as a different user than what you use when you FTP or otherwise upload files. Check the ownership of your files with ls -l, then try creating a file with touch test and see if test is owned by a user like nobody or www-data or similar. If so, then that is why you need to CHMOD 777 your directories first (using your FTP program I assume). Apache (or whatever webserver you are using) can be reconfigured to have PHP run as the proper user, but it is something your admin has to do. I believe one has to use something called suExec but I’ve never tried it myself…
20 April 2006, 1:44 pm

Sri’s weblog » Blog Archive » links for 2006-04-20: [...] Martin Geisler Online » PHP Shell a tool you can use to execute arbitrary shell-commands or browse the filesystem on your remote webserver. (tags: PHP script shell SSH) [...]
21 April 2006, 12:22 am

hossam elkazaz: hello mr:// i upload the script in the site and i can't sign in what the master id and when i go the config file it tell me that message ” Forbidden” and the shell php file open easy what this can you tell me plz email me thanks
29 April 2006, 9:55 am

Martin Geisler: I’m sorry, but I don’t know what would cause the “Forbidden” page you see. Those pages are normally something you configure your webserver to send back for URLs that are forbidden, but PHP Shell cannot do that. Please tell me if you have PHP working at all? I mean, does a simple test page work (one with just in it). It could be that your administrator has configured the webserver to send out those “403 Forbidden” errors for URLs that look like PHP Shell. Try contacting them and ask if you are allowed to run PHP Shell at all.
29 April 2006, 11:00 am

Martin Geisler: Ahh, I just remembered: you cannot view config.php in your browser, it sends out the “403 Forbidden” header you saw. You should not load it anyway, you should edit it with a text editor and then go to phpshell.php as stated in the INSTALL file.
29 April 2006, 11:41 am

Rex MIS Blog » Blog Archive »: [...] http://mgeisler.net/php-shell/ [...]
6 May 2006, 4:58 am

etynos - noticias tecnologicas y contenido vario » Blog Archive » PHP Shell desde Web: [...] Download PHP Shell .ZIP Download PHP Shell tar.bz2 More information at PHP Shell [...]
11 May 2006, 12:06 pm

Sleepy: Martin, this is a tremendous tool. Thanks a lot and keep up the good work.
11 May 2006, 9:38 pm

irving: Hi, I wonder if anyone has tried to use this script in PHP 5.1. Because I did, and it doesn’t work. At first, login does not work. I tried to debug the script and have to remove the checking for the nounce Session variable. But then, after I managed to login, each time I typed a command, I was kicked back to the login page. I thought it was something to do with Session_start() command.
But then, I thought, well, maybe I should use PHP 4 just like everyone else. Then, it works. So, what’s wrong? What has changed in PHP 5 that makes your script does not work? Thanks. irving
13 May 2006, 4:04 pm

Martin Geisler: I’m using PHP version 5.1.2-1+b1 myself (Debian packages from testing) and it’s working fine with PHP Shell version 2.1 and the SVN trunk.
13 May 2006, 4:57 pm

irving: Hmm, what’s the difference then? I hosted at phpwebhosting.com, and they’re using PHP in CGI mode. Any problem with this config? I saw several posts before about authentication problem with CGI-mode PHP, but I thought this is solved in 2.1. From phpinfo(), I get that the PHP version is 5.1.0RC1, CGI-mode, safe-mode OFF, session.use_cookies ON. Can I email you directly? So I can share the links and give you some access to test it. Thanks. irving
14 May 2006, 4:20 am

Martin Butt: I’m on PHP webhosting and had the same problem. I’ve just disabled the login and integrated it into my administration area which has its own authentication. Let me know if you get to the bottom of this.
14 May 2006, 10:32 am

irving: Martin, after you disabled the authentication codes, does the code work? Because mine keeps encountering 500 Internal Server Error.
15 May 2006, 4:46 am

Martin Butt: You’ll need to rename the script to something obscure. Security in Apache won't allow anything called shell.php or phpshell.php.
15 May 2006, 9:23 am

irving: Oh, I did that already (renaming). Like I said, when using PHP5.1 setting, I can’t login. So, I used PHP4 (using .htaccess). I can pass login, issued a single “ls” command successfully, then when I tried to “cd” to a directory, get the 500 Internal Server Error. So, I just want to know whether everything run smoothly with PHP5.1 aside from the authentication problem.
15 May 2006, 10:36 am

Martin Butt: The server I’m on is using PHP Version 5.1.0RC1. I’ve tested the script to ensure it is still working and it is.
Set it back to use PHP5, remove the password protection, put a .htaccess password on it. If it works, then sort out some better security than a .htaccess password. If it doesn’t, then I have no idea.
15 May 2006, 6:57 pm

Martin Geisler: I gather from this that we should make the authentication optional (with big warnings if you disable it). I’ve created a Feature Request for tracking this.
15 May 2006, 7:44 pm

Martin Geisler: This is a good tip! I’ll include something about this in SECURITY or somewhere else… both because I feel that the administrators should know that this is a useless way of “protecting” a server, and because I want to make it easy to use PHP Shell. The feature request is here.
15 May 2006, 7:53 pm

Makaveli: Hello, i have a question, could you tell me (or do it for me) what needs to be changed for the script to work on windows machines? And another question, could you make the editor work for version 2.0? I have made a skin for 2.0 and i like it better than 2.1 but the editor would be a much appreciated feature. Please let me know.
9 June 2006, 3:14 pm

Martin Geisler: I have no idea about Windows machines, I don’t use any myself… I’m also uncertain as to what you mean
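
shawty's tip in this thread (refuse to run unless the request is on HTTPS) and Martin Geisler's remark that both forms of authentication send the password in cleartext point at the same control. The sketch below is an added example, not part of PHP Shell or of any comment above; the function names request_is_https() and require_https() are hypothetical, and it assumes PHP 7.3 or later and a session cookie as described in the thread.

```php
<?php
// Added example (not PHP Shell's own code): fail closed on plain HTTP and
// keep the session cookie off cleartext connections.

/**
 * True when this request reached PHP over HTTPS.
 * Apache sets $_SERVER['HTTPS'] to "on"; IIS sets it to "off" for plain
 * HTTP, so an isset() test alone would pass on IIS without TLS.
 */
function request_is_https(array $server): bool
{
    $flag = strtolower((string)($server['HTTPS'] ?? ''));
    // Headers such as X-Forwarded-Proto are client-controlled unless a
    // trusted reverse proxy overwrites them, so they are not consulted here.
    return $flag !== '' && $flag !== 'off';
}

/**
 * Stop the script with 403 unless the request is on HTTPS.
 * (Hypothetical helper name; call it before any login or command handling.)
 */
function require_https(array $server): void
{
    if (request_is_https($server)) {
        // Ask the browser to use HTTPS for later visits as well.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // A request that arrived over plain HTTP has already exposed whatever
    // it carried, so refuse it rather than process the login or command.
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit("HTTPS is required.\n");
}

require_https($_SERVER);

// The session cookie is what keeps a user logged in between commands.
// Secure keeps it off plain HTTP, HttpOnly hides it from page scripts,
// SameSite=Strict stops other sites from riding the session.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: dropped when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();
```

Placed at the top of the entry script, this runs before any password is read, so a login form is never served over an unencrypted connection.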