I would like to run Lynis (audit tool preinstalled in Kali Linux) from a webpage using javascript technology but I don’t know how to execute local programs using bash commands from Javascript, can somebody help me? In short, the general idea is the following: The visitor (let’s assume the visitor is using Kali Linux on his computer with Lynis installed) enters to my webpage www.example.com/example.html The visitor downloads the content of the page and with a button or something similar we can execute shell commands and run Lynis software on the visitor's computer. (e.g. "# sudo lynis") When Lynis finishes its execution the generated results in some way interacts with the javascript code and we can show this information on the website. (The priority now is point 1 and 2) Thanks in advance. P.S. If this is not possible ... is there any way to do this without using javascript?

Reputation: 2082

Run Unix commands from Javascript and HTML

I would like to run Lynis (audit tool preinstalled in Kali Linux) from a webpage using javascript technology but I don’t know how to execute local programs using bash commands from Javascript, can somebody help me?

In short, the general idea is the following:

The visitor (let’s assume the visitor is using Kali Linux on his computer with Lynis installed) enters to my webpage www.example.com/example.html
The visitor downloads the content of the page and with a button or something similar we can execute shell commands and run Lynis software on the visitor's computer. (e.g. "# sudo lynis")
When Lynis finishes its execution the generated results in some way interacts with the javascript code and we can show this information on the website.

(The priority now is point 1 and 2)

Thanks in advance.

P.S. If this is not possible ... is there any way to do this without using javascript?

Upvotes: 0

Answers (2)

amihart

Reputation: 171

JavaScript code can easily be injected and altered by the user since it is a client side language. That means it is stored and executed on their browser, and it is neither encrypted nor compiled so it can be viewed and edited at their leisure. This means simply having JavaScript be able to execute server-side shell commands would a massive security hole.

That being said, you could create a PHP script that executes a shell command which you could call using JavaScript. Again, remember that this opens a huge security hole.

The JavaScript:

function exec(command) {

    var form = document.createElement("form");
    form.setAttribute("action","exec.php");
    form.setAttribute("method","post");
    form.setAttribute("display","none");

    var input = document.createElement("input");
    input.setAttribute("type","text");
    input.setAttribute("name","command");
    input.value = command;
    form.appendChild(input);

    var submit = document.createElement("input");
    submit.setAttribute("type","submit");
    form.appendChild(submit);

    document.body.appendChild(form);
    submit.click();
    document.body.removeChild(form);
}

The PHP:

if (isset($_POST["command"])) 
    shell_exec($_POST["command"]);  
print "<script>history.go(-1)</script>"

The PHP goes in a file called "exec.php" and the JavaScript can be put in any webpage you want it to work with.

You can then execute a shell command on your computer via JavaScript simply by using the "exec" function. Such as "exec('gedit')" will open gedit on my computer.

If you use this, any user who logs into your website can type that command and execute commands on your computer.

Upvotes: 1

ergonaut

Reputation: 7057

This is not possible or it would be the largest security hole ever.

Upvotes: 3

Run Unix commands from Javascript and HTML

Answers (2)

Related Questions