Help with AJAX/PHP server "console"

kayson

Member
Joined
Jan 5, 2005
I have a web server set up at home, and I wrote a little ajax/php console that lets me remotely execute code by feeding it via AJAX to a php page that just does eval($code) and then spits it into a results box. The idea is that if I need to do some quick code to figure something out I have access to this. It's password protected just in case. Here's the code:

console.php:
Code:
<?php
session_start();
$error = "";

if ( array_key_exists("log", $_REQUEST) && $_REQUEST["log"] == 1 )
{
  $_SESSION = array();

  if ( isset($_COOKIE[session_name()]) )
    setcookie(session_name(), '', time()-42000, '/');

  session_destroy();
  header('Location: console.php');
  exit; // stop here so the rest of the page is not rendered after the redirect
}
?>

<html>
<head>
<title>Server Console</title>
<script language="JavaScript" type="text/javascript">
function togglevis(obj_tog)
{
 if ( obj_tog.style.display == "none" )
   obj_tog.style.display = "block";
 else
   obj_tog.style.display = "none";
}

function php_eval(str_code,obj_result)
{
var xmlHttp;
try
  {
  // Firefox, Opera 8.0+, Safari
  xmlHttp=new XMLHttpRequest();
  }
catch (e)
  {
  // Internet Explorer
  try
    {
    xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
    }
  catch (e)
    {
    try
      {
      xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
      }
    catch (e)
      {
      alert("Your browser does not support AJAX!");
      return false;
      }
    }
  }
  xmlHttp.onreadystatechange=function()
    {
    if(xmlHttp.readyState==4)
      {
      obj_result.innerHTML=xmlHttp.responseText;
      }
    }
  var str_fcode = "code=" + str_code;
  xmlHttp.open("POST","console_processor.php",true);
  xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); 
  xmlHttp.setRequestHeader("Content-length", str_fcode.length);
  xmlHttp.setRequestHeader("Connection", "close");
  xmlHttp.send(str_fcode);
}
</script>

</head>

<body>

<div align="right"><a href="console.php?log=1">Logout</a></div>

<div align="center">
<strong style="font-size:24pt">Server Console</strong>
<br />
<br />

<?php
if ( array_key_exists("pw", $_REQUEST) )
{
  //Login
  if ( md5($_REQUEST["pw"]) == "dabadc5ab1a3394e3f10440d8afed0aa" )
    $_SESSION["pw"] = "dabadc5ab1a3394e3f10440d8afed0aa";

  else
    $error = "Incorrect Password<br />";

}


if ( !isset($_SESSION["pw"]) )
{

  echo $error;

?>

  <form method="post" action="console.php">
    <input type="password" name="pw">
    <input type="submit" value="Login">
  </form>

<?php

}

else
{

  if ( $_SESSION["pw"] != "dabadc5ab1a3394e3f10440d8afed0aa" )
    die("Invalid Session");

?>
<a href="javascript:togglevis(document.getElementById('codebox'))">Show/Hide Code</a>
<table border=0 width=100% height=500>
  <tr align=center>
   <td align=left valign=top>
    <div id="codebox" style="display: block">
    <form onSubmit="php_eval(this.code.value,document.getElementById('result')); return false" action="console.php#" method="post">
    <strong>PHP:</strong>
    <br />	
    <textarea name="code" cols=50 rows=20></textarea>
    <input type="hidden" name="codetype" value="php">
    <br />
    <input type="Submit" value="Go!">
    </form>
    </div>
   </td>

   <td valign=top width=100%>
     <div id="result"></div>
     
    </td>
  </tr>
</table>

<?php
}
?>

</div>
</body>
</html>

console_processor.php:
Code:
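<?php
session_start();

// console.php only hides the form; this endpoint must check the login itself
// before anything reaches eval().
if ( !isset($_SESSION["pw"]) || $_SESSION["pw"] !== "dabadc5ab1a3394e3f10440d8afed0aa" )
  die("Invalid Session");

if ( array_key_exists("code", $_REQUEST) )
  eval($_REQUEST["code"]);

?>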

It works, for the most part. My problem is that if I try to send any code with loops (for loops, while loops, etc.), it hangs. If I access it from the server, Firefox crashes before anything happens. If I access it remotely, I get a fatal exceeded max execution time error.

I try code like this:
Code:
for ( $i = 0; $i < 3; $i++ )
{
  echo $i;
}

If I make a static page that has eval(<above code, escaped>), it works fine. Any ideas?
 
I would say, as a place to start, take the eval, and make it echo the code that's giving you problems. See if it's barfing somewhere when passing the code or something..

Next step, if it still looks ok when you echo what's passed, take what's echo'd, and put it in an eval( ) on a static page and see what it does.

Lemme know what happens. I'll try to help ya if I can, but I'm kinda lazy and don't feel like picking through your code right this sec, maybe tomorrow :)
 
I actually just did that, and it turns out the problem is in passing "&" and "+". If anyone ever has this problem, the solution is to use the JS function escape() on the string to fix the "&", then

Code:
// escape() leaves "+" untouched, so encode each one by hand
while ( str_somevar.indexOf("+") > -1 )
{
  str_somevar = str_somevar.replace("+", "%2b");
}

All works well now
 
hehe, yeah figured it would be something like that.. before I could even finish reading your reply, was already saying, "gotta escape certain characters".. good catch though.
 
May be able to be done without JS though btw.. using.. oh I forget the php command.. str_replace() maybe? Before the eval..

The PHP function htmlspecialchars could also be used.
 
The problem isn't the PHP actually. It's the passing it via AJAX. When I echo'd the code sent through AJAX, the +'s would all turn into spaces and the &'s would just cause errors
 
I use encodeURIComponent() on whatever variable I'm POSTing in the JavaScript, then in PHP, stripslashes() on the POST data.
 
Thanks for that! I figured there would be a function but I couldn't find it.
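
The encoding problem worked out in this thread, as an added example that is not code from any of the posters: it builds the POST body four ways and checks what the server would decode. URLSearchParams stands in here for PHP's form decoding (an assumption; both follow the application/x-www-form-urlencoded rules), and the snippets are constructed samples.

```javascript
// What the server recovers for "code" from a urlencoded POST body.
function serverSees(body) {
  return new URLSearchParams(body).get("code");
}

// Four ways of building the body for the same snippet.
function buildBodies(code) {
  return {
    raw: "code=" + code,                         // as in the original php_eval()
    escapeOnly: "code=" + escape(code),          // escape() does not encode "+"
    escapePlusFix: "code=" + escape(code).split("+").join("%2B"),
    encodeURIComponent: "code=" + encodeURIComponent(code),
  };
}

// true where the server gets back exactly the code that was typed.
function roundTrip(code) {
  const result = {};
  for (const [name, body] of Object.entries(buildBodies(code))) {
    result[name] = serverSees(body) === code;
  }
  return result;
}

// Constructed samples: the loop from the first post, an "&", and a non-Latin-1 character.
const loop = "for ( $i = 0; $i < 3; $i++ ) { echo $i; }";
const amp = "echo (1 && 1) + 2;";
const euro = 'echo "€";';

console.log(serverSees("code=" + loop)); // "$i++" arrives as "$i  ": the loop never ends
console.log(serverSees("code=" + amp));  // cut off at the first "&"
console.log(roundTrip(loop), roundTrip(amp), roundTrip(euro));
```

The raw body turns `$i++` into `$i` followed by spaces, which is why the loop ran until the execution-time limit; the escape() plus "+" workaround holds for ASCII but emits `%u20AC` for "€", which form decoding does not understand.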
 
If you want to display the input code in a textarea:
Code:
echo '<textarea>'.htmlspecialchars($inputcode).'</textarea>';
 