Shell access for shared servers


equazcion
04-13-2007, 03:38 AM
This isn't a question. I came up with this and thought it was rather handy.

The majority of webmasters that have websites hosted on shared servers probably don't have shell access to their servers. Meaning, unless you have your own dedicated server, you don't have the ability to log in to execute commands at a prompt, console-style.

Here's a solution that'll allow you to execute commands as if you were logged in to the server's shell (although your permissions will still be that of a shared user). It consists of 2 pages of code: one for the visual interface, which is an HTML page, and one for the command execution script, which is a PHP page. The HTML page calls the PHP page via Ajax.

The interface is fairly "bare-bones". Feel free to pretty it up.

I made and tested this with a Linux server, but I don't see any reason it wouldn't work on a Windows server to execute DOS commands. If anyone tests that out please let me know what happened. Thanks.

shell.html:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Linux Command Shell</title>
<script>
// Returns an XMLHttpRequest object, falling back to ActiveX on old Internet Explorer.
function ajax(){
    var returnval = '';
    try{
        // Firefox, Opera 8.0+, Safari
        returnval=new XMLHttpRequest();
    }
    catch (e){
        // Internet Explorer
        try{
            returnval=new ActiveXObject("Msxml2.XMLHTTP");
        }
        catch (e){
            try{
                returnval=new ActiveXObject("Microsoft.XMLHTTP");
            }
            catch (e){
                alert("Your browser does not support Javascript/Ajax. Please contact support.");
            }
        }
    }
    return returnval;
}
xmlHttp = new Array();  // one request object per command sent
step = 0;               // index of the next request
dir = '';               // working directory reported by the last response
// Sends the typed command and the current directory to shellexec.php as GET parameters.
function execute(){
    var thisstep = step;
    xmlHttp[thisstep] = ajax();
    var command = document.getElementById('command');
    var out = document.getElementById('out');
    xmlHttp[thisstep].open("GET","shellexec.php" + '?command=' + command.value + '&dir=' + dir, true);
    xmlHttp[thisstep].send(null);
    out.innerHTML = out.innerHTML + command.value;
    command.value = '';
    command.focus();
    xmlHttp[thisstep].onreadystatechange=function(){
        if(xmlHttp[thisstep].readyState==4){
            // Response format: <output>@#@#<current directory>
            var res = new Array();
            res = xmlHttp[thisstep].responseText.split('@#@#');
            dir = res[1];
            out.innerHTML = out.innerHTML + res[0];
            // Keep only the last 5000 characters of output.
            if (out.innerHTML.length > 5000){out.innerHTML = out.innerHTML.substr(-5000,5000);}
            out.scrollTop = out.scrollHeight;
            command.focus();
        }
    }
    step++;
}
// Runs the command when Enter is pressed in the input box.
function enter(event){
    if (event.keyCode == 13){
        execute();
    }
}
</script>

</head>

<body>
<textarea cols="100" rows="40" id="out"></textarea><br />
<input type="text" id="command" onKeyDown="enter(event);" size="100" />
<input type="button" onClick="execute();" value="Go" />
<script>
execute();
</script>
</body>
</html>

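shellexec.php:

<?php
// The working directory is carried between requests in the 'dir' parameter.
$dir = $_GET['dir'];
if (strlen($dir) > 1){
    chdir($dir);
}
$command = $_GET['command'];
echo "\n";
if (substr($command,0,2) == 'cd'){
    // 'cd' is handled here because a child process cannot change this script's directory.
    $command = substr($command,3);
    if (!chdir($command)){
        echo 'Directory does not exist.';
    }
} else {
    // Any other input goes to passthru() unchanged; the script does no
    // authentication or input filtering of its own.
    passthru($command);
}
// Prompt, then the '@#@#' separator, then the directory for the next request.
echo "\n".getcwd().">";
echo "@#@#";
echo getcwd();
?>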

Sheldon
04-13-2007, 04:02 AM
Good ideas, but very, very insecure. I'm sure that a lot of server managers will not be happy with you.

equazcion
04-13-2007, 04:06 AM
No argument there. It is up to the webmaster to limit access to this from the public.

Good point though. Whoever decides to use this should at least put it in a password-protected folder on their server.

Sheldon
04-13-2007, 04:11 AM
The script doesn't allow pico, but anyone with any *nix know-how can easily get in and do some damage.

equazcion
04-13-2007, 04:22 AM
The script actually doesn't support running any interactive programs. It only works for simple single-command / show output tasks. I don't think supporting interactive programs would be possible using PHP/Javascript.

You're right that someone who gained access to this could cause damage. You can use it to move, rename, and delete files, change permissions, or any other single-line command.

The security issue is easily remedied simply by placing these two pages in a password-protected folder on the server.
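
From the server manager's side of this thread, as an added example that is not part of the original posts: a line-based Python heuristic that flags PHP source in which request parameters reach a command-execution function, run against a constructed copy of the shellexec.php logic above. The function names and the choice to treat escapeshellarg() as sanitizing are assumptions of this example.

```python
import re

# Constructed sample: the core of shellexec.php as posted in this thread.
SAMPLE_PHP = """<?php
$dir = $_GET['dir'];
if (strlen($dir) > 1){
    chdir($dir);
}
$command = $_GET['command'];
if (substr($command,0,2) == 'cd'){
    $command = substr($command,3);
    chdir($command);
} else {
    passthru($command);
}
"""

SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Lookbehind skips curl_exec(), ->exec() and ::exec(), which are not shell calls.
SINK = re.compile(r"(?<![\w>:])(passthru|system|exec|shell_exec|popen|proc_open)\s*\((.*)\)")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+?);\s*$")
VAR = re.compile(r"\$(\w+)")
ESCAPED = re.compile(r"escapeshellarg\s*\([^()]*\)")

def request_fed(expr, tainted):
    """Names in expr that carry request data, ignoring escapeshellarg() calls."""
    expr = ESCAPED.sub("", expr)
    hits = {m.group(0) for m in SOURCE.finditer(expr)}
    hits |= {"$" + v for v in VAR.findall(expr) if v in tainted}
    return sorted(hits)

def find_request_to_shell(php_source):
    """Return (line, sink, evidence) for each command call fed by request data."""
    tainted, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.groups()
            if request_fed(rhs, tainted):
                tainted.add(name)       # e.g. $command = substr($command,3);
            else:
                tainted.discard(name)   # overwritten with non-request data
        s = SINK.search(line)
        if s:
            evidence = request_fed(s.group(2), tainted)
            if evidence:
                findings.append((no, s.group(1), evidence))
    return findings
```

The check reads one statement per line and ignores control flow, so a hit is a lead for manual review of the file rather than proof.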