Comments (19)
Can you use CGI mode? That's what most people use for this particular use case.
I just added a (very!) simple example on how to use it:
http://shellinabox.googlecode.com/svn/trunk/shellinabox/cgi-mode-example.sh
Original comment by [email protected]
on 17 Aug 2009 at 5:16
- Changed state: Done
from shellinabox.
The problem with that solution is that the program is still running even when I close the session.
In daemon mode only one instance is running.
The best solution is if I could pass parameters to the daemon as a part of the opening session.
For example, http://127.0.0.1:4200?cmd=ls will run the ls command.
Original comment by [email protected]
on 19 Aug 2009 at 2:42
from shellinabox.
The daemon doesn't know whether you closed the session, or whether your browser is just really slow to send requests. So, it'll wait a little longer to see if new requests arrive. If you check again after a minute or two, you'll see that the daemon has terminated.
In general, passing commands in the URL is a very bad idea. This would allow anybody to run arbitrary commands on your computer. Even worse than that, this allows attacks from outside your firewall, too. All an attacker needs to do is trick you into viewing an HTML page that has a hidden link (e.g. in an image, style sheet, or iframe) pointing to the service inside of your firewall.
They could do this by sending you e-mail with a suitable HTML document, or by tricking you into visiting a web site that is under their control.
Having said all of that, and while I really don't think you should deploy ShellInABox in this fashion, I do think that there is some value in the session having access to the URL where the service is hosted. I added code that makes this URL available as a new "${url}" variable, which you can access from the service description.
Original comment by [email protected]
on 19 Aug 2009 at 7:12
- Changed state: Fixed
from shellinabox.
First I want to thank you for all your work.
To be more precise with my question, the thing that I want to do is this:
the user will enter an IP address in a text form and then shellinabox will telnet to the IP.
The IP will be passed with a POST method.
Right now I use a little script that asks the user for the IP only when the new window opens with shellinabox.
TNX again
Guy
Original comment by [email protected]
on 20 Aug 2009 at 12:05
from shellinabox.
Does that "${url}" parameter allow you to do what you want, or do you still need changes? This was a little unclear from your last message.
Original comment by [email protected]
on 20 Aug 2009 at 10:07
from shellinabox.
The "${url}" parameter does not solve my problem.
If I need to telnet to 100 servers then I need to create 100 URLs, and if a new server is created then I need to add a new URL.
Am I doing something wrong?
Original comment by [email protected]
on 23 Aug 2009 at 12:23
from shellinabox.
No wonder you are not happy. You only had half the changelist.
You could have made this work, if you had full control over your DNS server. Create a wild card A record for the machine that hosts ShellInABox. Then encode your target addresses in the hostname.
But of course, a much easier way is to encode the target address as http://my.domain:4200/?target. You then want a service description of the form
"/:$(id -u):$(id -g):HOME:"'/bin/bash -c "u=${url}; exec telnet \"\${u##*\\?}\""'
This should now work with the code that is in SVN.
Original comment by [email protected]
on 23 Aug 2009 at 3:32
from shellinabox.
Sorry for my late answer.
The solution works great :-)
Thanks.
I still have a minor problem: when I try to add the parameter through /etc/default/shellinabox (Ubuntu 9.04) it fails.
The problem is that the parameter is passed as 2 commands, one before the "-c" and another after.
Do you have any idea?
Original comment by [email protected]
on 13 Sep 2009 at 7:47
from shellinabox.
Just make sure you add some shell escaping:
SHELLINABOX_ARGS="${SHELLINABOX_ARGS} -s /telnet:$(id -u):$(id -g):HOME:/bin/bash\ -c\ u=\\\\\'\\\${url}\\\\\'\;'exec\ telnet\ \\\${u##*\\\?}'"
Alternatively, if this is too complicated, you could always write a wrapper shell script that just takes one argument. That would make escaping much easier -- or even unnecessary.
Original comment by [email protected]
on 13 Sep 2009 at 11:33
from shellinabox.
Issue 37 has been merged into this issue.
Original comment by [email protected]
on 25 Nov 2009 at 11:21
from shellinabox.
Just to get your opinion:
I'm using this service description:
shellinaboxd -s "/:$(id -u):$(id -g):HOME:"'/bin/bash -c "u=${url}; exec `cat /home/myuser/myfolder/\${u##*\\?}.cmd`"'
And I access it like http://192.168.0.1:4200/?file and I have the SSH command inside file.cmd, for instance.
My doubt is: is there any way a user could inject commands inside the URL, without being explicitly inside my cmd file? I don't see the way, so I'd like to know if you can see any.
Thanks.
Original comment by [email protected]
on 27 Nov 2009 at 7:22
from shellinabox.
I'd be a little worried about somebody putting things like ../ into the URL in order to make ShellInABox read arbitrary files in your file system -- or even worse, if your machine has user-writable directories mounted, it would allow an attacker to run arbitrary code as a privileged user.
Original comment by [email protected]
on 30 Nov 2009 at 9:13
from shellinabox.
Agreed.
I could put only the part after "ssh" in the command file or, even better, create a wrapper file which calls the command file only IF it is allowed (allowed = isin `ls /home/myuser/myfolder/`).
Original comment by [email protected]
on 30 Nov 2009 at 9:38
from shellinabox.
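Added example (not part of the original thread and not ShellInABox's own code): a wrapper of the kind suggested in the comments above, which takes the "${url}" value as its single argument and accepts the name after "?" only if it is a plain file name that exists in the command directory, so "../" and shell metacharacters never reach a path or a command line. CMD_DIR, the function names and the one-line `user@host` format of each .cmd file are assumptions made for this example.

```bash
#!/bin/bash
# Added example. CMD_DIR and the file format (one "user@host" line per
# NAME.cmd file) are assumptions, not ShellInABox conventions.
CMD_DIR="${CMD_DIR:-/home/myuser/myfolder}"

# Print the text after the last '?' of the URL; fail if there is no '?'.
url_target() {
  case "$1" in
    *\?*) printf '%s' "${1##*\?}" ;;
    *)    return 1 ;;
  esac
}

# Accept 1-64 characters from [A-Za-z0-9_-] only. This rejects '/', '.',
# '%', spaces and shell metacharacters, so "../" can never reach the path.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Map the URL to CMD_DIR/NAME.cmd; succeed only for an existing regular
# file that is not a symlink, and print its path.
resolve_cmd_file() {
  rc_name=$(url_target "$1") || return 1
  valid_name "$rc_name" || return 1
  rc_file="$CMD_DIR/$rc_name.cmd"
  [ -f "$rc_file" ] && [ ! -L "$rc_file" ] || return 1
  printf '%s' "$rc_file"
}

main() {
  cmd_file=$(resolve_cmd_file "$1") || { echo "unknown target" >&2; exit 1; }
  IFS= read -r dest < "$cmd_file"
  # The file supplies data, never a command line: one ssh destination.
  case "$dest" in
    ''|-*|*[!A-Za-z0-9._@-]*) echo "bad entry in $cmd_file" >&2; exit 1 ;;
  esac
  exec ssh "$dest"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```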
I need some help with the CGI script. I wouldn't call myself new, but I don't get it.
First off, the description is a CGI script, which instinctively makes me think Perl. But this example is bash.
Secondly, I don't understand what the expected user experience is. Do they browse to my website whatever.com/cgi_mode.sh and it will execute shell in a box?
Original comment by [email protected]
on 23 Mar 2010 at 9:25
from shellinabox.
I feel dumb, I just got it working guys. But my next question is long-winded.
Currently I am running shellinabox via an Apache proxy. I did this to ensure that it was passing through my Apache's mandatory https connection. I think this is more secure than running shellinabox on its own, no? OK, so shellinabox is configured to only allow localhost, thus if I'm to connect to it remotely I must go through the Apache https proxy.
Now when using this CGI script, it sounds to me like it spawns on a different port... or does it pass through Apache?
I want the CGI script so I can tie it into my PHP's session authentication, but I don't want it running on an unencrypted connection. I want both, user auth + SSL.
Original comment by [email protected]
on 23 Mar 2010 at 9:45
from shellinabox.
How can I throw 2 parameters through the URL?
Let's say we have ?id=11&act=rename
It will detect 11%20rename
Original comment by [email protected]
on 1 Jun 2010 at 3:25
from shellinabox.
How can I pass username and password in the URL so that I don't need to ask the user for username and password?
Original comment by [email protected]
on 28 Jan 2014 at 9:05
from shellinabox.
> How can I pass username and password in the URL so that I don't need to ask the user for username and password?
+1. I also have this request. Is there any solution?
Original comment by [email protected]
on 4 Apr 2014 at 2:56
from shellinabox.
To: [email protected]
Could you please tell how we can use your script (for using shellinabox in CGI mode) from a PHP file? In fact, I have a web application and I want to specify which host to connect to every time a user wants to connect to his machine, and then return the terminal to him in another window. In brief, I don't know how to make the script and PHP interact with each other, to make the app take the result rendered by the script.
Thank you in advance !!
Original comment by [email protected]
on 13 Aug 2014 at 4:05
from shellinabox.