RESTful interface to your operating system shell. Swiss knife for your OS shells over the Web.
(Yes, it's dangerous if you don't know what you're doing.)
- Single executable (thanks to Go!)
- Linux/Windows/Mac/BSD support
- Standalone HTTP Server or CGI mode
- (optional) JSON support (in requests and responses!)
- Standalone HTTP(S) server (just run the binary)
- CGI mode (just put it somewhere where your CGI-BIN is served)
- Reverse client mode (aka reverse shell - in development)
Here is quick example, just to get idea what you can do with it.
Start server:
$ ./httpexec -listen 127.0.0.1:8080 -verbose 5
2016/10/22 21:20:18 Starting to listen at 127.0.0.1:8080 with URI / with auth
Run whoami command on server:
$ curl http://127.0.0.1:8080/ -d 'whoami'
user
httpexec can be useful to different types of people. Just few ideas how it can be useful(and dangerous) for you.
You need easy way to send commands to your virtualization guests. You need to run many commands on multiple machines behind many firewalls. You can use it as rudimentary configuration management tool as well.
You can use it to keep access to machine. You need to run many commands on multiple machines you owned behind many firewalls.
httpexec can be quite useful, but it also can be quite dangerous if you don't know what you're doing. You should run httpexec inside safe network/environment. By default it listens on all interfaces as user who executed it.
In short, it is quite dangerous to run on the internet exposed server as any user (especially root). You have been warned!
You can find binary and source releases on Github under "Releases". Here's the link to the latest release
- HEAD request = launch command specified as query (everything behind ?) and don't care about output (blind)
- GET request = launch command specified as query (everything behind ?) and display output
- POST request = launch command specified as POST data and display output
- POST request with query = launch command specified as query (everything behind ?), treat POST data as stdin and display output
Here is large set of examples
$ ./httpexec -verbose 5
httpexec.exe -verbose 5
$ ./httpexec -listen 127.0.0.1 -tls -cert server.cert -key server.key -verbose 5
$ curl 'http://127.0.0.1:8080/' -d 'whoami'
user
$ curl 'http://127.0.0.1:8080/' -d 'id'
uid=1000(user) gid=1000(user) groups=1000(user)
$ curl 'http://127.0.0.1:8080/?id'
uid=1000(user) gid=1000(user) groups=1000(user)
$ curl 'http://127.0.0.1:8080/?ifconfig+-a'
[ifconfig output]
$ curl 'http://127.0.0.1:8080/' -d 'ifconfig -a'
[ifconfig output]
$ curl 'http://127.0.0.1:8080/?tr+a-z+A-Z' -d 'data'
DATA
$ curl http://127.0.0.1:8080/ -d '{"cmd":"tr [a-z] [A-Z]","Stdin":"data"}' -H 'Content-Type: application/json'
{"Cmd":"tr [a-z] [A-Z]","Stdout":"DATA","Stderr":"","Err":""}
Simple Example - POST JSON request: run tr [a-z] [A-Z] on Stdin as JSON field and do not return JSON:
$ curl "http://127.0.0.1:8080/test" -d '{"cmd":"tr a-z A-Z","NoJSON":true,"Stdin":"data"}' -H "Content-Type: application/json"
DATA
These are security options you have:
- custom URI/URL (security through obscurity, attacker have to guess URI) - low security
- basic authentication (username/password authentication) - low security if http (not https)
- SSL/TLS tunneling (attacker cannot MiTM) - moderate security
- SSL/TLS client/server verification (depends on security of the keys) - moderate security
You can combine options above for higher security. It is encouraged to combine SSL/TLS with different options above. For highest security - combine all with SSL/TLS (custom URI, basic authentication and client certs).
You need to generate CA/server/client certificates and specify verification in command line:
tools/gencerts.sh
./httpexec -tls -verify ca.pem
You can then issue curl request as following:
curl --cert client.crt --key client.key --cacert ca.pem https://127.0.0.1:8080/ -d 'whoami'
$ ./httpexec -h
Usage of ./httpexec:
-auth string
basic auth to require - in form user:pass
-cert string
SSL/TLS certificate file (default "server.crt")
-cgi
CGI mode
-key string
SSL/TLS certificate key file (default "server.key")
-listen string
listen address and port (default ":8080")
-realm string
Basic authentication realm (default "httpexec")
-silentout
Silent Output (do not display errors)
-ssl
use TLS/SSL
-tls
use TLS/SSL
-uri string
URI to serve (default "/")
-verbose int
verbose level
-verify string
Client cert verification using SSL/TLS (CA) certificate file
Just type:
go build httpexec.go
Static compiling:
CGO_ENABLED=0 go build -ldflags "-extldflags -static"
Just type:
go build httpexec.go
- prefer builtin go packages over 3rd party packages
- small as possible
- self-contained static executable
- Implement http client
- Implement logging of failed basic auth
- Switch to CGI mode automatically if REQUEST_METHOD env is found
- Implement TLS client auth
Vlatko Kosturjak