console.sh

module

v1.1.0 Latest Latest Go to latest Published: Sep 2, 2022 License: Unlicense

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/ariary/console.sh

Links

Open Source Insights

README ¶

console.sh

Execute shell command from browser console (developer tools)

Usage

Launch websocket server:

console.sh

Open browser console (certainly with Shift + CTRL + K or Shift + ⌘ + K). Copy/paste within:

s=new WebSocket("wss://localhost:8080/sh"),s.onmessage=function(ev){console.log(ev.data)};function sh(cmd){s.send(cmd)};function promptsh(){cmd=prompt();s.send(cmd)};Object.defineProperty(window, 'psh', { get: promptsh });

Now you are able to execute shell command from browser console with:

> sh("[command]")
//OR (alternative)
> sh`[command]`
//OR (prompted version)
> psh

N.B:

It is also possible to connect to a remote shell (localhost is not enforced). To do so use --url flag.
Visit home page is like a light gotty. The home page automatically load the shell in your browser console.
If you want terminal in HTML page instead of the console -> browse /interactive endpoint

Why?

Why not! The need does not inspire the feature, it's the other way around (s/o Apple philosophy)

Otherwise, see remote use

Set-up

Install console.sh:

curl -lO -L https://github.com/ariary/console.sh/releases/latest/download/console.sh
chmod +x console.sh
# or with go
go install github.com/ariary/console.sh@latest

Then as you have to launch the websocket server with certificates (otherwise browsers won't accept connection). Create cert and key in the same directory:

mkcert -install
mkcert -key-file key.pem -cert-file cert.pem localhost 127.0.0.1 ::1 # Many way to do it, openssl etc => key: key.pem and cert: cert.pem

Remote Code execution

console.sh can also be launched on a remote device. The main advantage of this is to browse internet while having a quick access to a kind of remote shell.

To make it works, Install mkcert CA in your local trust store and build console.sh like this before transfer it on remote:

mkcert -install
./build-embed.sh [REMOTE_URL] #directly embed cert,key in binary

Notes

SOP and CORS don't apply to websocket, However CSP does. Many websites specify connect-src CSP directive which restricts loaded URL from WebSocket (⇒ can't use console.sh on these websites, empty new tabs will do the job)
Without wss (secure websocket) browser wouldn't authorize websocket communication ⇒ need certificate and key
⚠️ This project is not secure! Use it with parsimony and of course shut down the server when you are done using it. Otherwise an XSS can easily become a RCE

Directories ¶

Path	Synopsis
pkg
console

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL