linux
StormHub, 2021-12-25 23:26:29

Is it possible to execute a command through the web interface?

There is a site with OpenAFS running on it, which is accessible via the web. There is access to the root file system, though only on behalf of the user. Is there some way to run a command (e.g. via /bin/bash) via a web or HTTP request?


3 answer(s)
pfg21, 2021-12-25
@pfg21

There are PHP backdoors with an interface to bash,
but it's better to set up SSH access on the machine.

Saboteur, 2021-12-26
@saboteur_kiev

Well, if you can edit the website files, add some phpshell and see.
Otherwise, without knowing how the web server is configured, it is unknown.

AlexVWill, 2021-12-26
@AlexVWill

The web interface works through a web server. Commands are executed by the server whose commands they are. This happens all the time. If, for example, the web server tells PHP to execute a particular command, PHP does it and sends the results back to the web server. But, since the PHP code is executed on the server, and not on the client, only those who have the right to access the code files on the server can change the code.
You probably noticed that there is no PHP code in the page loaded from the server, because PHP code is instructions for the PHP server, not the web server. The situation is the same with Bash: the web server does not have the rights to execute these commands, so they cannot be accessed directly through the web server; the web server functionality simply does not provide this, for security purposes. It is possible to execute a bash script via PHP, but see above.
Although, if it is possible to put some kind of myfile.php file on the server, for example, at /var/web/html/website.com/php, and then call the file via www.website.com/php/myfile.php, then, if there are no appropriate security settings, theoretically this can work. Therefore, when uploading files, they either strictly prohibit uploading code files (PHP, JS, Java, and so on, which can potentially be executed on the server), or a special sandbox is used to upload such files, where they cannot be executed...
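
The upload restriction described in the last answer, sketched as an added example that is not part of the original thread: a server-side check that rejects code files before they reach a web-served directory. The function name, the extension lists and the sample inputs are assumptions made for this illustration.

```python
import os
import secrets

# Assumed policy for this sketch: only these extensions are accepted.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
# Extensions a web server may hand to an interpreter.
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php5", ".cgi", ".pl",
              ".py", ".sh", ".jsp", ".asp", ".aspx"}
# Markers of server-side code hidden inside an otherwise allowed file.
CODE_MARKERS = (b"<?php", b"<?=")


def check_upload(filename: str, data: bytes):
    """Return (accepted, reason or generated storage name) for one upload."""
    # Drop any client-supplied directory part and normalise case.
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if "\x00" in base or base.startswith("."):
        return False, "suspicious file name"   # e.g. .htaccess
    parts = base.split(".")
    if len(parts) < 2:
        return False, "no extension"
    # Check every dot-separated part: with some handler mappings a name
    # such as "x.php.jpg" is still passed to the PHP interpreter.
    for part in parts[1:]:
        if "." + part in SCRIPT_EXT:
            return False, "script extension ." + part
    ext = "." + parts[-1]
    if ext not in ALLOWED_EXT:
        return False, "extension not on allowlist"
    head = data[:4096].lower()
    if head.startswith(b"#!") or any(m in head for m in CODE_MARKERS):
        return False, "embedded server-side code marker"
    # Store under a random name so the client never controls the path.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads (file name, first bytes of content).
    samples = [("myfile.php", b"<?php echo 1; ?>"),
               ("photo.php.jpg", b"\xff\xd8\xff\xe0"),
               ("photo.jpg", b"\xff\xd8\xff<?php echo 1; ?>"),
               ("Photo.JPG", b"\xff\xd8\xff\xe0")]
    for name, body in samples:
        print(name, "->", check_upload(name, body))
```

A check like this complements, and does not replace, the sandbox the answer mentions: accepted files should still be stored where the web server will not pass them to an interpreter.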
