print results after each command

[Nucleus]

I am using this to send a command to multiple Linux computers via ssh. It prints the results after it has processed all computers. How can I see the results after each computer is finished, so I don't have to wait for all computers to finish?

<form action="commands.php" method="post" target="main">
    <input type="checkbox" name="clients[]" value="192.168.1.11">Client001<br>
    <input type="checkbox" name="clients[]" value="192.168.1.12">Client002<br>
    <br/>
     <select name="commands">
<option value="">Select Command</option>
<option value="uptime | sed 's/.*up \([^,]*\), .*/\1/'">Uptime</option>
<option value="printf $(free | grep -e-/+ | awk '{print $3/($3+$4) * 100.0 ''}' | cut -d '.' -f1)%%">Memory Usage</option>
     </select>
  <br>
  <br/>
  <input type="submit" value="Submit" />
  </form>

<?php
  include('Net/SSH2.php');
  $user = "user";
  $pass = "pass";
  $ip = $_POST['clients'];
  $ssh = new Net_SSH2($ip);
  $cmds = $_POST['commands'];
  
  if(!empty($_POST['clients'])) {
      foreach($_POST['clients'] as $ip) {
          $ssh = new Net_SSH2($ip);
          if (!$ssh->login($user, $pass)) {exit('Login Failed');}
          echo " " . $ssh->exec($cmds) . "<br>";
      }
  }
 ?>

 

[Jacques1]

Do you understand that your form allows arbitrary users to issue arbitrary shell commands? And do you understand how dangerous that is?

[NotionCommotion]

@Nucleus  I borrowed this code from someone years ago.  Purpose was not the same, but similar.  Used it for a while, but then changed tacks, and I can't really vouch for it.

 

@Jacques1  Why is it dangerous?  I know nothing about Net_SSH2, but assume it is an abstraction layer to allow PHP to logon via SSH and issue command line commands.  Presumably, the remote machine will not allow them to run should the agent not be authenticated, and will only allow commands for that users permissions.

function closeConnection($body, $responseCode=200, $timeout=0){
    // If zero, no timeout
    set_time_limit($timeout);

    // Client disconnect should NOT abort our script execution
    ignore_user_abort(true);

    // Clean (erase) the output buffer and turn off output buffering in case there was anything up in there to begin with.
    ob_end_clean();

    // Turn on output buffering, because ... we just turned it off ... if it was on.
    ob_start();

    echo $body;

    // Return the length of the output buffer
    $size = ob_get_length();

    // send headers to tell the browser to close the connection
    // remember, the headers must be called prior to any actual
    // input being sent via our flush(es) below.
    header("Connection: close\r\n");
    header("Content-Encoding: none\r\n");
    header("Content-Length: $size");

    // Set the HTTP response code
    // this is only available in PHP 5.4.0 or greater
    http_response_code($responseCode);

    // Flush (send) the output buffer and turn off output buffering
    ob_end_flush();

    // Flush (send) the output buffer
    // This looks like overkill, but trust me. I know, you really don't need this
    // unless you do need it, in which case, you will be glad you had it!
    @ob_flush();

    // Flush system output buffer
    // I know, more over kill looking stuff, but this
    // Flushes the system write buffers of PHP and whatever backend PHP is using
    // (CGI, a web server, etc). This attempts to push current output all the way
    // to the browser with a few caveats.
    flush();
}

[Jacques1]

Presumably, the remote machine will not allow them to run should the agent not be authenticated, and will only allow commands for that users permissions.

 

You must be kidding.

 

We're talking about unrestricted access to an account on the server. The SSH credentials are provided by the application, which means the client doesn't even have to worry about them. There could be some home-made authentication scheme within the application, but a) we both know it's garbage and b) it can easily be circumvented through a CSRF attack.

 

So the whole Internet has access to those two machines, and who knows what the accounts can do. I wouldn't be surprised if they're root or just one crappy password away from root. Even a standard account is enough to cause enormous damage.

 

Besides that, have you not read the code? He just wants to execute two specific commands, but he's handing out an unrestricted shell. Does that not seem kinda sorta wrong?

 

Guys, please, turn your brains back on. I know this is amateur hour, but let's at least not hurt anybody.

[NotionCommotion]

Is Net_SSH2, running cl commands on Nucleus's server where his/her PHP is running, or some remote server?  It was my understanding that some remote server.

 

If I have username/password of one of those remote servers, I can ssh and issue the commands via putty, etc.

 

Isn't using PHP to do so just automating the process?  What is the difference?

[Jacques1]

The form lets you run arbitary commands without knowing the SSH credentials. The credentials are provided by the application. You just have to send a command of your choice, and then the application makes sure the servers will execute it.

 

I haven't even seen any kind of session handling in any of the scripts posted by the OP in the last months. So chances are there's literally no authentication at all.

[NotionCommotion]

Ah...  I just assumed authentication was in place.  White listing would also be a good idea.  Remind me not to give a user account to the OP!

[Jacques1]

Like I said, even authentication doesn't help when the same form hands out a CSRF vulnerability for free.

 

The only way to make this halfway sane is to

• implement solid authentication within the application
• fix all current vulnerabilities, especially the ones which can be used to take actions on behalf of an authenticated user (CSRF, Clickjacking, ...)
• only accept references to predefined actions (e. g. “get_uptime” and “get_memory_usage”)
• create a separate unprivileged account, then create a public-key SSH access which can only execute a single command, namely run a shell script which maps the references to actual commands

[Nucleus]

@Jacques1

Thanks for pointing out all the things that are wrong with this code, but don't you think that you are making a lot of assumptions here? I mean, why even go into this discussion without even knowing how will this be used? How do you know that this is not in an isolated environment? Test lab? Student exercise? How do you even know that you have the full picture? 

 

I meet people trying to prove their knowledge all the time, in internet forums and real life, discussing all sorts of subjects. It seems these people are more focused on pointing out mistakes, proving their knowledge and eventually feeling better about themselves, instead of actually helping with the problem at hand. Did I ask about key authentication? Security? Unprivileged accounts? No. I just asked how to get the output of each computer. That's it! And instead of helping out with the actual question, you found something you're comfortable with to rant about.

 

So before ignoring this topic completely and never return to these forums again, I'll give you another chance to put all this know-how to usefulness. Read the original post and see if you can provide an answer to my question.

[Nucleus]

In fact, let me make this really easy for you.

ob_flush();flush();

This is from people that actually help with the problem at hand.

[Jacques1]

Then good luck with your new friends.

 

You're not a programmer and never will be, so this may be hard for you to understand, but programmers are looking for right answers, both in a technical and in an ethical sense.

 

If you share this basic value, you can learn a lot from this community. You're not exactly the brightest bulb judging from your progress in the last 12 years, but I'm sure we can at least help you get to amateur level. If you don't share our values, go away. I'm not interested in stories about “school projects” or “super-isolated lab environments”. I've heard this bullshit far too often.

[Nucleus]

So what you're telling me is that If the code in a question is not faultless, you are not dignifying it with an answer. I'm I understanding this correctly?

 

I see this behaviour all the time. If someone has a Guru/Expert/Master tag on their profile, they are more likely to reply the way you do. Arrogantly, instead of constructively. Unfortunately, its people like you preventing others from learning. So here's a lesson for you: Answering to someone offensively and arrogantly, disappoints and discourages them from learning PHP (or anything).

 

I suggest you take some time off PHP and work on your people skills. Sentences like "Guys, please, turn your brains back on. I know this is amateur hour" are a true indication of the way you put yourself on a pedestal. Saying things like these behind the anonymity of your computer is not mature, and surely something you would never say to someone's face.

 

The only logical conclusion if that you are somewhere between 21 to 26 years of age, trying to prove yourself in these forums. I'm sure in a few years, after you've worked for a few multinational corporations, you'll understand what humility is. But you can't go telling people to turn their brains back on, or someone will break your fingers or worst, fire you.

 

I hope I've helped. If I have a PHP question in another 12 years, I'll be sure to contact you directly.

[Jacques1]

If you actually want to learn, you need to stop begging for quick answers and start talking about solutions.

 

“I don't care what's wrong, plz just answer the question” is what little schoolkids say when they've been lazy and need the Internet to do their homework. But you're a grown-up, so I do expect more from you.

 

What matters is the underlying problem, not those few lines of code you've written. Code by itself isn't worth anything; when it's inadequate, you just throw it away and start over. Sure, this sometimes hurts, but it's the only way to make progress and not waste any more time on a mistake.

 

Running predefined shell commands on remote machines is a simple problem with simple solutions. We can have a reasonable discussion and find the one that best fits your needs, or you can go back to your homework forum. Your choice.