wsh-simple – when wsh doesn’t work…

Sometimes none wsh version works… It can happens with older Weblogic versions, strange Tomcat cutomization, exotic Application Servers. This simple webshell (wsh-simple.war) has less functions but will work quite always. Among missing functions, be aware you could lose some output/error messages (thread sync is needed in Java to read stderr/stdout and this one does not implements it to be extremely lightweight).  Once uploaded, manually point one of the following links:

http://uploadedserver:8080/wsh-simple/cmd4unix.jsp
http://uploadedserver:8080/wsh-simple/cmd4win.jsp

 

 

Why sometimes WSH doesn’t works? As you may imagine, thje webshell is indeed a simple line of code:

Process p = Runtime.getRuntime().exec(request.getParameter("cmd"))

but this simple line lacks many functionality you usually appreciate in testing as:

  • where is my output??
  • can i add spaces/arguments? Will they be expanded in a shell environment (like bash)?
  • will this work both on Linux and Windows?
  • will this capture stderr?

This is why the full wsh project is quite big. The most important requirement is probably the output capture: in Java the thread running the Runtime.exec instruction is different from threads holding output and error. This means the best way to read stderr and stdout is to create 2 threads, to run them before the Runtime.exec, so that they are synchronized and they start capturing the flow when the first bit is produced. This increases complexity and, more important, introduces instructions that could raise unexpected errors (again: we are dealing with exotic environments, like JRockit running on HP-UX).

For the argument/shell requirement, the best approach is to use an existing shell (cmd.exe /C and bash -c) – this covers 90% of the cases, but still many places use ksh.

Adding these functionalities introduces coupling and weird behaviours in some architectures; wsh-simple, while extremely basic, is a workaround (still, if you lose part of the output or you feel a command should give you an output but it does not, execute it 5-10 times to be sure ;))

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s