Secure Shell2

Running commands as the system administrator (root)


cat /etc/shadow

codes/shell-exec-shadow.php:

<pre>
<?php
echo shell_exec('cat /etc/shadow');

http://localhost:8080/ssh2/codes/shell-exec-shadow.php:

$ curl -i http://localhost:8080/ssh2/codes/shell-exec-shadow.php
HTTP/1.1 200 OK
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.3.12
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Change permission (make the file readable by all users):

chmod a+r /etc/shadow

http://localhost:8080/ssh2/codes/shell-exec-shadow.php:

$ curl -i http://localhost:8080/ssh2/codes/shell-exec-shadow.php
HTTP/1.1 200 OK
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.3.12
Content-Length: 0
Content-Type: text/html; charset=UTF-8


<pre>
root:*:18218:0:99999:7:::
daemon:*:18218:0:99999:7:::
bin:*:18218:0:99999:7:::
sys:*:18218:0:99999:7:::
sync:*:18218:0:99999:7:::
games:*:18218:0:99999:7:::
man:*:18218:0:99999:7:::
lp:*:18218:0:99999:7:::
mail:*:18218:0:99999:7:::
news:*:18218:0:99999:7:::
uucp:*:18218:0:99999:7:::
proxy:*:18218:0:99999:7:::
www-data:*:18218:0:99999:7:::
backup:*:18218:0:99999:7:::
list:*:18218:0:99999:7:::
irc:*:18218:0:99999:7:::
gnats:*:18218:0:99999:7:::
nobody:*:18218:0:99999:7:::
_apt:*:18218:0:99999:7:::
Debian-exim:!:18233:0:99999:7:::

Change Permission (sudoers):

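/etc/sudoers
# www-data may run any command as any user without a password
www-data    ALL=(ALL) NOPASSWD: ALL
# www-data may run only /path/to/program (as any user) without a password
www-data    ALL=(ALL) NOPASSWD: /path/to/program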

cat /etc/shadow over SSH

codes/cat-shadow.php:

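<?php
// Open an SSH session to the local sshd and log in as root with a password
// (this requires PermitRootLogin yes, see below).
$connection = ssh2_connect('localhost', 22);
ssh2_auth_password($connection, 'root', 'root');

// Run the command and wait for it to finish before reading its output.
$stream = ssh2_exec($connection, 'cat /etc/shadow');
stream_set_blocking($stream, true);
$stream_out = ssh2_fetch_stream($stream, SSH2_STREAM_STDIO);
$output = stream_get_contents($stream_out);

echo "<pre>{$output}</pre>";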

http://localhost:8080/ssh2/codes/cat-shadow.php:

$ curl -i http://localhost:8080/ssh2/codes/cat-shadow.php
HTTP/1.1 200 OK
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.3.12
Vary: Accept-Encoding
Content-Length: 820
Content-Type: text/html; charset=UTF-8

<pre>root:$6$b2Kb36.bTQsluuuG$MDwIuvXJW3zK/2KSR6z4WdBSTEMvKvRiSWq94LPvhrOZh3YV.hAgQa7kdjC3hLlAQ3L7EP3n4slYzXxa1ZUR0.:18233:0:99999:7:::
daemon:*:18218:0:99999:7:::
bin:*:18218:0:99999:7:::
sys:*:18218:0:99999:7:::
sync:*:18218:0:99999:7:::
games:*:18218:0:99999:7:::
man:*:18218:0:99999:7:::
lp:*:18218:0:99999:7:::
mail:*:18218:0:99999:7:::
news:*:18218:0:99999:7:::
uucp:*:18218:0:99999:7:::
proxy:*:18218:0:99999:7:::
www-data:*:18218:0:99999:7:::
backup:*:18218:0:99999:7:::
list:*:18218:0:99999:7:::
irc:*:18218:0:99999:7:::
gnats:*:18218:0:99999:7:::
nobody:*:18218:0:99999:7:::
_apt:*:18218:0:99999:7:::
systemd-timesync:*:18233:0:99999:7:::
systemd-network:*:18233:0:99999:7:::
systemd-resolve:*:18233:0:99999:7:::
messagebus:*:18233:0:99999:7:::
Debian-exim:!:18233:0:99999:7:::
sshd:*:18233:0:99999:7:::
</pre>

Enable root login over SSH:

# sed -i 's/\#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# service ssh restart
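
A check for the three settings this page changes (world-readable /etc/shadow, an unrestricted NOPASSWD rule for www-data, and PermitRootLogin yes), for confirming that a host has been returned to its defaults after trying the examples. This is an added example, not part of the original page; the function names and the sample files it builds in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for the three settings relaxed on this page.

# True if "others" can read the file, i.e. the result of `chmod a+r`.
shadow_world_readable() {
  [ -n "$(find "$1" -prune -perm -004)" ]
}

# True if user $2 has an uncommented "NOPASSWD: ALL" rule in sudoers file $1.
sudoers_unrestricted() {
  awk -v u="$2" '
    /^[ \t]*#/ { next }
    $1 == u && /NOPASSWD:[ \t]*ALL[ \t]*$/ { found = 1 }
    END { exit !found }' "$1"
}

# First PermitRootLogin value (sshd uses the first), else the OpenSSH default.
root_login_setting() {
  awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
       END { if (!found) print "prohibit-password" }' "$1"
}

# Prints one line per finding; the return status is the number of findings.
audit() {  # $1 shadow  $2 sudoers  $3 sshd_config  $4 web server user
  findings=0
  if shadow_world_readable "$1"; then
    echo "FINDING: $1 is world-readable"; findings=$((findings + 1))
  fi
  if sudoers_unrestricted "$2" "$4"; then
    echo "FINDING: $4 may run any command via sudo without a password"
    findings=$((findings + 1))
  fi
  if [ "$(root_login_setting "$3")" = "yes" ]; then
    echo "FINDING: PermitRootLogin yes allows root password logins"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample files reproducing the page's three changes.
make_samples() {  # $1 = existing empty directory
  printf 'root:*:18218:0:99999:7:::\n' > "$1/shadow"; chmod 644 "$1/shadow"
  printf 'www-data    ALL=(ALL) NOPASSWD: ALL\n' > "$1/sudoers"
  printf '#PubkeyAuthentication yes\nPermitRootLogin yes\n' > "$1/sshd_config"
}

dir=$(mktemp -d); make_samples "$dir"
audit "$dir/shadow" "$dir/sudoers" "$dir/sshd_config" www-data || echo "findings: $?"
rm -rf "$dir"
```

On a real host, pass /etc/shadow, /etc/sudoers and /etc/ssh/sshd_config as the three paths. The sshd check reads only the main file and does not follow Include directives or Match blocks.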

service --status-all

codes/service-status-all.php:

<?php
$connection = ssh2_connect('localhost', 22);
ssh2_auth_password($connection, 'root', 'root');

$stream = ssh2_exec($connection, 'service --status-all');
stream_set_blocking($stream, true);
$stream_out = ssh2_fetch_stream($stream, SSH2_STREAM_STDIO);
$output = stream_get_contents($stream_out);

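// `service --status-all` prints lines such as " [ + ]  apache2";
// capture the +/- flag and the service name from each line.
preg_match_all("/\[ ([\+-]) \]\s+(.+)/", $output, $matches);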

$status = [];

foreach ($matches[2] as $index => $service) {
  $status[$service] = $matches[1][$index] == '+' ? 'up' : 'down';
}

$json = json_encode($status);

header('Content-type: application/json; charset=UTF-8');
header("Access-Control-Allow-Origin: *");
echo $json;

http://localhost:8080/ssh2/codes/service-status-all.php:

$ curl -i http://localhost:8080/ssh2/codes/service-status-all.php
HTTP/1.1 200 OK
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.3.12
Access-Control-Allow-Origin: *
Content-Length: 115
Content-Type: application/json; charset=UTF-8

{"apache-htcacheclean":"down","apache2":"up","cron":"down","dbus":"down","exim4":"down","procps":"down","ssh":"up"}
{
  "acpid": "up",
  "apache2": "up",
  "apparmor": "up",
  "atd": "up",
  "chef-client": "up",
  "cron": "up",
  "dbus": "down",
  "friendly-recovery": "up",
  "grub-common": "down",
  "landscape-client": "down",
  "procps": "down",
  "puppet": "up",
  "resolvconf": "up",
  "rpcbind": "up",
  "rsync": "down",
  "rsyslog": "up",
  "ssh": "up",
  "sudo": "down",
  "udev": "up",
  "unattended-upgrades": "down",
  "urandom": "down",
  "virtualbox-guest-utils": "down",
  "x11-common": "down"
}

Change config file

codes/active-root-ssh.php:

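<?php
$activeRootSSH = "sed -i 's/\#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config";

$connection = ssh2_connect('localhost', 22);
ssh2_auth_password($connection, 'root', 'root');

// ssh2_exec() returns as soon as the command has started; block on and drain
// each stream so sed has finished rewriting the file before sshd restarts.
foreach ([$activeRootSSH, 'service ssh restart'] as $command) {
  $stream = ssh2_exec($connection, $command);
  stream_set_blocking($stream, true);
  stream_get_contents($stream);
  fclose($stream);
}

echo 'ssh restart';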

http://localhost:8080/ssh2/codes/active-root-ssh.php:

$ curl -i http://localhost:8080/ssh2/codes/active-root-ssh.php
HTTP/1.1 200 OK
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.3.12
Content-Length: 11
Content-Type: text/html; charset=UTF-8

ssh restart
