#!/usr/local/bin/perl
# webshell.cgi  by David Efflandt  vuser@cgi-help.virtualave.net
# last updated 9/11/99
#
# Run sh commands from web browser.
# Not for interactive programs.

# Required module
use CGI qw/:standard :netscape/;

# Comma separated, quoted list of remote IP's allowed to use this script
# (run winipcfg in Win or /sbin/ifconfig in Linux to see your PPP IP).
# It will be ignored if commented out.  But then you should use a password
# protected directory.  See http://www.apache.org/ 'require' directive.
@remote = ('192.168.1.1');

# Modify dots in $remote for exact pattern search
$remote = $ENV{REMOTE_ADDR}; $remote =~ s/\./\\\./g;

# Error and exit unless remote matches IP list
if (defined(@remote)) {
    unless (grep(/^$remote$/,@remote)) {
        print header,start_html('Error'),h1(Error),hr,
        "You are not authorized to access this page\n",end_html;
        exit;
    }
}

# Page header and input field for sh command
print header, start_html('Web Shell'),center(h1('Web Shell')),
start_form,center(textfield('run'),' ',submit(undef,' Run ')),end_form;

if (param('run') && referer() eq url()) {
    $run = param('run');
    $out = `$run 2>&1`;	# include stderr from command
    $out =~ s/</&lt;/g;	# convert tags to non-tags
    $out =~ s/>/&gt;/g;
    $out =~ s/.\cH//g;	# filter backspace highlight/underline (manpages)
    print hr,pre($out);
    # Another input field at bottom if long.
    if (length($out) > 100) {
        hr,start_form,center(textfield('run'),' ',
        submit(undef,' Run ')),end_form;
    }
}
print end_html,"\n";