I'm making a Minecraft control panel, but am sort of confused on how to send a command to each screen. I understand how to execute a command in a screen, but I don't understand how to read the output.
Ex. I have screen A and screen B. I want to execute something in screen A, and get the output, and then exit the screen.
Here's an easier solution:
Use the Websend Bukkit plugin (Download & info) on both servers. PHP can simply execute commands and receive outputs when the plugin is installed and the PHP classes are set up; also, this can be more complex than bash screen, and much easier to set up and use.
Here's an example use of this:
<?php
include_once 'Websend.php';
//Replace with bukkit server IP. To use a different port, change the constructor to new Websend(ip, port)
$ws = new Websend($ServerIP, $ServerPort);
//Replace with password specified in Websend config file
$ws->connect("password");
$ws->doCommandAsConsole("give ".$PlayerName." 64 1");
$ws->disconnect();
?>
In this example the script gives an item to a variable-defined player.
You can execute a custom variable command by replacing $ws->doCommandAsConsole("give ".$PlayerName." 64 1"); with $ws->doCommandAsConsole($_REQUEST['customCMD']); where customCMD is a field in a GET or POST form.
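A stricter variant of the request-driven command above, as an added example that is not part of the original answer or of Websend: the form supplies an action name and arguments, and only an allowlisted template with validated arguments becomes a console command. The action names, field names, numeric limits and the player-name rule are assumptions.

```php
<?php
// Added example: map a form "action" to a fixed console command template.
// Action names, field names and limits are assumptions for this sketch.
const ALLOWED_ACTIONS = [
    // action => [sprintf template, ordered argument kinds]
    'give' => ['give %s %d %d', ['player', 'item', 'amount']],
    'kick' => ['kick %s',       ['player']],
];

function validateArg(string $kind, $value)
{
    switch ($kind) {
        case 'player':
            // Assumed name rule: 3-16 letters, digits or underscore, nothing else.
            $ok = is_string($value) && preg_match('/\A[A-Za-z0-9_]{3,16}\z/', $value);
            return $ok ? $value : null;
        case 'item':
            $opts = ['options' => ['min_range' => 1, 'max_range' => 9999]];
            return filter_var($value, FILTER_VALIDATE_INT, $opts) ?: null;
        case 'amount':
            $opts = ['options' => ['min_range' => 1, 'max_range' => 64]];
            return filter_var($value, FILTER_VALIDATE_INT, $opts) ?: null;
    }
    return null; // unknown argument kind
}

function buildConsoleCommand(array $request): ?string
{
    $action = $request['action'] ?? '';
    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)) {
        return null;
    }
    [$template, $kinds] = ALLOWED_ACTIONS[$action];
    $args = [];
    foreach ($kinds as $kind) {
        $value = validateArg($kind, $request[$kind] ?? null);
        if ($value === null) {
            return null; // one bad argument rejects the whole request
        }
        $args[] = $value;
    }
    return vsprintf($template, $args);
}

// Constructed sample requests (stand-ins for $_POST):
var_dump(buildConsoleCommand(['action' => 'give', 'player' => 'Steve_01', 'item' => '64', 'amount' => '1']));
var_dump(buildConsoleCommand(['action' => 'give', 'player' => "Steve\nsay hi", 'item' => '64', 'amount' => '1']));
var_dump(buildConsoleCommand(['action' => 'reload']));
```

With Websend connected as in the answer, the result is passed on only when it is not null: `if (($cmd = buildConsoleCommand($_POST)) !== null) { $ws->doCommandAsConsole($cmd); }`.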
You don't actually need a plugin, but keep in mind using shell_exec could open a massive world of pain for you when it comes to security.
However, I was having a similar issue with implementing a control panel in Drupal; I managed to run commands to a screen using the following code.
shell_exec("screen -S ScreenName -X stuff \"echo hello world\"'\n'");
You're welcome.
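The same `screen -X stuff` call with request data kept away from the shell and from the console's line handling, as an added example that is not part of the original answer. The function name, the session-name rule and the character allowlist are assumptions to adapt to the commands the panel really needs.

```php
<?php
// Added example: build a `screen -S <name> -X stuff <line>` command string.
// Function name and both validation rules are assumptions for this sketch.

function buildScreenStuffCommand(string $session, string $line): ?string
{
    // Session names limited to a conservative character set (assumed rule).
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $session)) {
        return null;
    }
    // Allowlist for the console line (assumed sufficient for panel commands).
    // Anything else is rejected, including CR/LF and other control characters,
    // quotes, backslashes, "^" and "$", so one call can only ever submit
    // one console line.
    if (!preg_match('/\A[A-Za-z0-9 _.,:!?\/-]{1,200}\z/', $line)) {
        return null;
    }
    // The only newline is the one appended here to submit the line.
    // escapeshellarg() quotes each value as a single shell argument.
    return sprintf(
        'screen -S %s -X stuff %s',
        escapeshellarg($session),
        escapeshellarg($line . "\n")
    );
}

// Constructed sample values:
$cmd = buildScreenStuffCommand('ScreenName', 'say This is a minecraft server.');
if ($cmd !== null) {
    echo $cmd, PHP_EOL;
    // shell_exec($cmd);
}
var_dump(buildScreenStuffCommand('ScreenName', "say hi\nstop"));
var_dump(buildScreenStuffCommand('Screen Name; ls', 'say hi'));
```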
I have a web server running Apache 2 on Raspbian Stretch. It is going to be a programming contest website, where users can send code via an HTML form, that sends their source code to PHP via a POST request. PHP then runs (using exec()) a Python script with arguments such as the submitted code path. The script then executes the code (using subprocess.run()) with a custom input and compares it to an expected output. All of that works just fine.
However, I want to make sure no one is going to send malicious code to overwrite files such as index.php, or read the expected outputs, for example. I'd like to know if there is any way to prevent an application that is being executed by subprocess.run() from reading, creating and writing to files other than stdin, stdout and stderr.
I have tried using Docker but didn't have success, as when I build and run the Dockerfile using PHP's exec() it reaches step 2/4 and just stops. My Dockerfile should copy the script, the code and the expected outputs to an image, cd to the new location and execute the code, but that is not very relevant since I want to avoid Docker as it isn't working properly.
I am considering using a chroot jail, but I am still looking for other less-complicated ways of doing that.
This is the PHP code I'm using. It calls the Python 3 code verifier (variables are retrieved from an HTML form and from a SQL query, those are not relevant):
$cmd = "python3 verify.py $uploadedFile $questionID $uploadedFileExtension $questionTimeLimit 2>&1";
And this is the Python 3 code that executes the submitted code:
import subprocess
import sys

def runCmd(args, vStdin, timelimit = 10):
    # Run the submitted program, feeding vStdin on stdin and capturing both output streams.
    p = subprocess.run(args, stdout = subprocess.PIPE, stderr = subprocess.PIPE, input = vStdin, encoding = 'utf-8', timeout=timelimit)
    vStdout = p.stdout
    vStderr = p.stderr
    # Drop a single trailing newline before comparing with the expected output.
    if vStdout.endswith('\n'):
        vStdout = vStdout[:-1]
    if vStderr.endswith('\n'):
        vStderr = vStderr[:-1]
    return vStdout, vStderr
...
# Assuming it is a .py file
# Its path is given by PHP's exec.
runCmd(['python3', sys.argv[1]], 'simulatedinput.in', int(sys.argv[4]))
The combination of both programs works just fine. It runs the code with a simulated input, compares the stdout with the expected output and returns a status string to the PHP code. However, if the code sent has a malicious bit of code, such as
open('/var/www/html/contest/index.php', 'w').write('oops!')
the index.php file will be overwritten.
All I need is a way of executing the user-sent code in a way that its attempts to read or write to files (other than stdin, stdout and stderr) are denied.
Any thoughts?
doing this securely, to put it simply, is difficult. it's relatively easy to escape even a chroot jail if you're not really careful about how you set it up. basically the Unix security model isn't built to make this sort of thing easy and it's assumed that things are mostly cooperative
docker would probably be my suggestion, but there are other lighter weight solutions like chroot (but they'd probably still have the ability to do naughty things with the web server's network connection) or maybe something like firejail
with docker you'd probably want to create a single minimal docker image/container containing Python and whatever libraries are appropriate. you'd then use volumes to make the user supplied code appear inside the VM at runtime. you don't want to be creating containers all the time, that would entail lots of cleanup work
see https://security.stackexchange.com/q/107850/36536 for some more info on using docker as a sandbox, basically there are still lots of ways out of it unless you're careful
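One way to launch each submission along the lines suggested above, as an added example rather than code from the question or the answers: it builds a `docker run` command with networking off, a read-only root filesystem and the submitted file mounted read-only, and `--rm` removes the container when the run ends. The image name, upload directory, limits and the presence of `timeout` in the image are assumptions.

```php
<?php
// Added example. UPLOAD_DIR, SANDBOX_IMAGE and the limits are assumptions.
const UPLOAD_DIR    = '/srv/contest/uploads';   // assumed, outside the web root
const SANDBOX_IMAGE = 'contest-python:latest';  // hypothetical image with python3 and timeout

function buildSandboxCommand(string $fileName, int $timeLimit): ?string
{
    // Accept only server-generated names: no slashes, no "..", fixed extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.py\z/', $fileName)) {
        return null;
    }
    if ($timeLimit < 1 || $timeLimit > 30) {
        return null;
    }
    $argv = [
        'docker', 'run', '--rm', '-i',          // -i keeps stdin open for the test input
        '--network', 'none',                    // no network inside the container
        '--read-only',                          // root filesystem is read-only
        '--cap-drop', 'ALL',                    // no Linux capabilities
        '--security-opt', 'no-new-privileges',
        '--pids-limit', '64',                   // bounds process creation
        '--memory', '128m',
        '--user', '65534:65534',                // unprivileged uid:gid; the file must be readable by it
        '-v', UPLOAD_DIR . '/' . $fileName . ':/sandbox/main.py:ro',
        SANDBOX_IMAGE,
        // The limit is enforced inside the container, so the container ends with it.
        'timeout', '-s', 'KILL', (string) $timeLimit,
        'python3', '/sandbox/main.py',
    ];
    // Each element is quoted separately before it reaches the shell.
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed sample values:
$cmd = buildSandboxCommand('submission_1042.py', 10);
if ($cmd !== null) {
    echo $cmd, PHP_EOL;
    // exec($cmd . ' < simulatedinput.in 2>&1', $output, $status);
}
var_dump(buildSandboxCommand('../index.php', 10));
```

The expected outputs stay on the host and are never mounted, so the comparison with the program's stdout happens outside the container.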
I'm having a simple problem, I guess.
I am working on an iPhone app with which I can send an ASIHTTPRequest to my PHP server (with GoDaddy). The PHP script then gets the command and runs like:
$this->pdo->beginTransaction();
//do some other simple works
exec ('/usr/local/bin/php -f /path/to/my/script/test.php') ;
$this->pdo->commit();
which is supposed to run another PHP file within my own server (dedicated)!!! But it does NOT do anything. It does work with curl_exec() though, but I want to use another method with which I can put it to work in the background on the server.
My plan was that I want to send too many APNS (notification) but instead of waiting for the whole list to be done, it is better to get back and let the work be done in the background!! How can I do that?
When I connect using the SSH command line, I can easily call "test.php" and it works fine. But I cannot do the same thing from the above PHP code.
Any help is appreciated.
Use PHP Include? That will run the script.
Put something like this inside an IF Statement.
include 'YourPage.php';
My first thought is that GoDaddy might not allow exec() to be run for security purposes.
I would like to be able to either launch php in interactive mode via phing or via PHP (worst case scenario, phing can run an adhoc task with the desired code).
I've gotten this far:
<?php
$cmd = 'php -d auto_prepend_file=bootstrap.php -a';
passthru($cmd);
And the above almost gets me what I want. I enter a shell I can interact with, but the prompts are gone (the php > at the start of each line), all meta-commands (e.g., \>) totally fail, and typing exit; does nothing instead of exiting the shell. So, as you can see, this isn't the ideal shell. Is this even possible without installing phpsh?
Thanks in advance.
I think PsySH will give you what you want. It's a PHP REPL that gives you the option to configure it to automatically include a bootstrap file.
I was wondering how I could execute a command through PHP into a screen running on my virtual private server.
i.e.
if(submit){
do "say This is a minecraft server." in screen.
}
Thanks in advance,
If you are running the script under screen, then just echo or print the data you want to display.
Otherwise you can:
make a system call to write or wall
write to a file that you are tail -fing in the screen (or some other system by which the screen polls something for new messages)
run a service in the screen that you can connect to over the network
Still unclear on exactly what you mean, but if this is what you're looking for, you can execute linux commands by using the backtick operator, such as
echo `ls`;
to print the contents of the directory where the script is located. So if you wanted to print commands to your server, you could do it that way.
I'm brand new to ruby and Watir, here's my issue...
I have a MySQL DB with test data that I need. I've done a lot in the past with this data and so I have a whole library of PHP tools for accessing this data, marking data as in use/used/bad/etc, and in general I have a lot of time invested in the PHP framework. So I'd really like to use the PHP framework as a wrapper around the Watir script - for example, use PHP to grab test user login data from the DB and pass it to the ruby script for processing.
I now have sites with javascript that need work/testing and PHP & cURL can't deal with this. So I'm working with Watir-WebDriver on Ubuntu 10.10 (Maverick, Desktop not Server) for these sites. The problem I'm having is with the use of PHP's shell_exec of the ruby script with all the Watir code.
The PHP shell_exec is executing the file - I can see it because I have some puts lines in the file which are being displayed. However, the code appears to be failing on the line
ff = Watir::Browser.new :firefox
I'm not getting an error from PHP.
The PHP line is:
echo shell_exec('ruby /var/www/watir_test.rb');
The ruby script works fine when I call it from a terminal window with the line:
ruby /var/www/watir_test.rb
I originally expected this was a permissions issue since it worked from the command line but not from a browser. However, since it can call the file well enough to return the hardcoded data I've provided for the test then ruby file permissions don't seem to be the issue. Could there be a permissions issue with opening a Firefox window from the www-data user?
When I run
ruby -d -v /var/www/watir_test.rb
I get:
{:extension=>:webdriver} {"app.update.enabled"=>"false"} {"browser.link.open_newwindow"=>"2"} {"browser.shell.checkDefaultBrowser"=>"false"} {"extensions.update.enabled"=>"false"} {"security.warn_entering_secure.show_once"=>"false"} {"webdriver_assume_untrusted_issuer"=>true} {"startup.homepage_welcome_url"=>"\"about:blank\""} {"browser.tabs.warnOnClose"=>"false"} {"extensions.update.notifyUser"=>"false"} {"toolkit.networkmanager.disable"=>"true"} {"security.warn_entering_weak.show_once"=>"false"} {"webdriver_firefox_port"=>"7055"} {"browser.download.manager.showWhenStarting"=>"false"} {"extensions.logging.enabled"=>"true"} {"network.manage-offline-status"=>"false"} {"network.http.max-connections-per-server"=>"10"} {"security.warn_submit_insecure"=>"false"} {"security.warn_entering_weak"=>"false"} {"security.warn_leaving_secure"=>"false"} {"prompts.tab_modal.enabled"=>"false"} {"security.warn_viewing_mixed.show_once"=>"false"} {"dom.max_script_run_time"=>"30"} {"webdriver_accept_untrusted_certs"=>true} {"browser.safebrowsing.enabled"=>"false"} {"security.warn_leaving_secure.show_once"=>"false"} {"signon.rememberSignons"=>"false"} {"javascript.options.showInConsole"=>"true"} {"app.update.auto"=>"false"} {"browser.EULA.3.accepted"=>"true"} {"browser.tabs.warnOnOpen"=>"false"} {"dom.disable_open_during_load"=>"false"} {"network.http.phishy-userpass-length"=>"255"} {"security.warn_entering_secure"=>"false"} {"browser.startup.homepage"=>"\"about:blank\""} {"browser.EULA.override"=>"true"} {"browser.dom.window.dump.enabled"=>"true"} {"browser.startup.page"=>"0"} {"browser.link.open_external"=>"2"} {"browser.search.update"=>"false"} {"browser.sessionstore.resume_from_crash"=>"false"} {"security.warn_viewing_mixed"=>"false"} {"dom.report_all_js_exceptions"=>"true"} {"webdriver_enable_native_events"=>false} {"devtools.errorconsole.enabled"=>"true"}
How do I get PHP to execute the shell_exec properly? The script works and my initial tests were run using firewatir (which shell_exec ran fine) but I am really wanting to use Watir-WebDriver instead of FireWatir - WatirWebDriver should be capable of running a Chrome browser (and IE on a Windows machine) while FireWatir can only run Firefox.
Thanks
Gabe
Here's my "Create Browser" code:
# Include the RubyGems file
require 'rubygems'
# Include the Watir-WebDriver file.
require 'watir-webdriver'
# Create the necessary objects
def create_browser(proxy)
  # Setup the proper Firefox Profile
  profile = Selenium::WebDriver::Firefox::Profile.new
  profile.proxy = Selenium::WebDriver::Proxy.new :http => proxy
  puts "<br>Using proxy " + proxy + "..."
  #ff=FireWatir::Firefox.new :profile => profile
  ff = Watir::Browser.new :firefox #, :profile => profile
  puts "<br>Firefox ready..."
  return ff
end
If the server is headless, you should install the headless gem so that Firefox can work.
require 'watir-webdriver'
require 'headless'
headless = Headless.new
headless.start
b = Watir::Browser.start 'www.google.com'
puts b.title
b.close
headless.destroy
See: http://watirwebdriver.com/headless/
It's a permission problem, the PHP script runs with the permissions of the server, normally apache.
You can do a sudo www and try to run the script then with rb to see if there is a problem when running ruby with the server user.
Put the two lines of code that are below at the very top of your PHP script. The result of this is that when you browse to your PHP page with your browser it will display exactly what the errors are, including any permission errors.
ini_set("display_errors",1);
error_reporting(E_ALL);
So a recent update to Firefox killed its support for Watir (no JSSH update if I remember). As a result I rewrote what little code I had for Selenium::WebDriver. But I'm thinking that isn't particularly relevant (it's included in case it is relevant, I don't know).
My ultimate solution was to use phpseclib. This allows me to SSH into the machine via their SSH2 PHP class. Once logged in as my typical username (with typical password) I was able to fire off a headless version of my script no problem. The only real issues this creates is that I now have to view everything that's going on through log files and screenshots but that was likely to be true no matter what solution I came up with.
phpseclib needs your username and password for the server (at least until you set some form of public private key pair). So I wouldn't want to do this on a publicly available machine without a couple of layers of security - like setting .htaccess to deny read access to the file with the login data, encrypting the password stored in the file, etc. However, for my purposes I'm logging into one machine on my LAN from another machine on my LAN. The password is only good on my LAN (not my web servers) and while my LAN can see out it should not be (easily) available to the rest of the world (to the best of my knowledge). So the security concerns are minimal.
I never did figure this out. Headless isn't the answer to getting PHP to exec the script. I'm pretty sure it is a permissions issue with Firefox's executable but I can't be positive until I find an actual fix.
Ultimately I've had to break up the tool where PHP manages the DB and task scheduling. Then PHP creates text files with all the data necessary for ruby to run the browser to right site, login, etc, etc... Then ruby moves the data file to one of a few different folders (success, failure, bad login, etc) and adds some text to the data file. Finally PHP parses all this info in the moved text files and updates the DB with that info.
It's less than ideal but it is getting the job done. Now I just need to figure out how to run all of this with multiple threads...
Thanks for the help