47 lines
1.2 KiB
PHP
47 lines
1.2 KiB
PHP
<?php
|
|
// includes/shell_exec.php — Executes shell commands securely (admin only)
|
|
require_once __DIR__ . '/config.php';
|
|
session_start();
|
|
header('Content-Type: application/json');
|
|
|
|
if (empty($_SESSION['is_admin'])) {
|
|
http_response_code(403);
|
|
echo json_encode(['error' => 'Not authorized']);
|
|
exit;
|
|
}
|
|
|
|
$cmd = trim($_POST['command'] ?? '');
|
|
if ($cmd === '') {
|
|
echo json_encode(['output' => '']);
|
|
exit;
|
|
}
|
|
|
|
// Restrict dangerous commands for safety
|
|
$blacklist = $CONFIG['blacklist_commands'];
|
|
foreach ($blacklist as $bad) {
|
|
if (stripos($cmd, $bad) !== false) {
|
|
echo json_encode(['output' => "⚠️ Command '$bad' not allowed"]);
|
|
exit;
|
|
}
|
|
}
|
|
|
|
// Execute safely (captures both stdout and stderr)
|
|
$descriptor = [
|
|
1 => ['pipe', 'w'],
|
|
2 => ['pipe', 'w']
|
|
];
|
|
$process = proc_open($cmd, $descriptor, $pipes, $CONFIG['default_dir']);
|
|
if (is_resource($process)) {
|
|
$output = stream_get_contents($pipes[1]);
|
|
$error = stream_get_contents($pipes[2]);
|
|
fclose($pipes[1]);
|
|
fclose($pipes[2]);
|
|
$status = proc_close($process);
|
|
echo json_encode([
|
|
'output' => trim($output . "\n" . $error),
|
|
'status' => $status
|
|
]);
|
|
} else {
|
|
echo json_encode(['output' => 'Failed to execute command']);
|
|
}
|