I wrote a little piece of code while I was working on DBGraphNav that I thought was somewhat useful.
php_exec_test.php gives you a semi-interactive command prompt to play with the functionality of PHP’s exec function. You can use it to figure out the Apache or PHP user (so that you can arrange file permissions appropriately), practice writing commands on a single line (exec’ing a change of directory and then exec’ing something in that new directory doesn’t work in PHP, because each call runs in a fresh shell), or generally experiment interactively. I suppose, in a pinch, it might be useful on a server which does not provide shell access. It saves the bother of writing a test file and then repeatedly modifying it until you get the correct command. Additionally, it displays the last 5 commands and their results for reference. To clear this history, reload the page.
One caveat: the test environment is set to print error messages where a regular exec call does not. It’s horribly insecure by design, so don’t make it publicly available on your webserver. Here’s what the tool looks like after a few commands:
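The “cd and then exec doesn’t work” behaviour mentioned above, as an added command-line example (this is not the php_exec_test.php script, and it takes no input from a web request). It assumes a POSIX /bin/sh and an existing /tmp directory; runCommand and runInDirectory are names chosen for this example.

```php
<?php
// Added example: why a `cd` in one exec() call is lost by the next, and how to
// run a command in a chosen directory instead. Run from the CLI:
//   php exec_cwd_demo.php

/**
 * Run a command, capturing stdout, stderr (merged via 2>&1) and the exit status.
 * Bare exec() returns only stdout and drops stderr, which is why a test tool
 * has to add its own error reporting to be useful.
 */
function runCommand(string $cmd): array
{
    $output = [];
    $status = 0;
    exec($cmd . ' 2>&1', $output, $status);
    return ['cmd' => $cmd, 'status' => $status, 'output' => implode("\n", $output)];
}

/**
 * Run $cmd inside $dir. Every exec() spawns a fresh shell, so the directory
 * change has to happen in the same shell line as the command. escapeshellarg()
 * keeps the directory name from being parsed as additional shell syntax.
 */
function runInDirectory(string $dir, string $cmd): array
{
    return runCommand('cd ' . escapeshellarg($dir) . ' && ' . $cmd);
}

// Which account exec() runs as (the "Apache or PHP user" the post refers to).
$user = runCommand('whoami');
echo "exec runs as: {$user['output']}\n";

// 1. Two separate exec() calls: the cd happens in a shell that has already
//    exited by the time pwd runs, so pwd reports PHP's own working directory.
runCommand('cd /tmp');
$separate = runCommand('pwd');
echo "separate exec('cd /tmp') then exec('pwd'): {$separate['output']}\n";

// 2. One shell line: cd and pwd share a shell, so the change takes effect.
$oneLine = runInDirectory('/tmp', 'pwd');
echo "single line 'cd /tmp && pwd':              {$oneLine['output']}\n";

// 3. Alternative: change PHP's working directory; later exec() calls inherit it.
$saved = getcwd();
chdir('/tmp');
$inherited = runCommand('pwd');
chdir($saved);
echo "after chdir('/tmp'), exec('pwd'):          {$inherited['output']}\n";

// 4. A failing command: exit status and stderr are both visible here,
//    whereas bare exec() would just return an empty output array.
$failed = runCommand('ls /nonexistent-directory');
echo "exit status {$failed['status']}: {$failed['output']}\n";
```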
>
>whoami
------------------------------------
www-data
------------------------------------
>whereis php
------------------------------------
php: /usr/bin/php /usr/share/php /usr/share/man/man1/php.1.gz
------------------------------------
>pwd
------------------------------------
/home/paul/code/misc
------------------------------------
>ls -al
------------------------------------
total 24
drwxr-xr-x  2 paul paul 4096 Jul 31 17:31 .
drwxr-xr-x 10 paul paul 4096 Jul 26 09:26 ..
-rw-r--r--  1 paul paul 1125 Jul 31 17:31 php_exec_test.php
-rw-r--r--  1 paul paul  747 Jul 31 16:50 php_exec_test.php~
-rw-r--r--  1 paul paul   68 Jul 31 17:31 test.php
-rw-r--r--  1 paul paul   35 Jul 31 17:29 test.php~
------------------------------------
One of the perks of having your own server is that you can configure Apache as you like. The link to the script above goes to code.gingerale.info, a subdomain I’ve set up which serves all PHP files as “source”, meaning you get a pretty-printed view of the source files, and I have the assurance that anything I put in that area is not going to be executed.