v0.1 upload of statping tool

Added web ui with management functions + scripts for: - Linux x86_64 - Linux on ARM - MacOS x86_64 - MacOS on ARM - Windows x86_64 - Windows on ARM
truejp · Sep 13, 2024 · 85740e6 · 85740e6
1 parent 7964dc3
commit 85740e6
Show file tree

Hide file tree

Showing 9 changed files with 1,126 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.DS_Store
diff --git a/readme.md b/readme.md
@@ -0,0 +1,36 @@
+# Simple Statping NAT Gateway Adapter
+
+This repository contains a simple PHP Web Application that allows you to generate and deploy status scripts for the major OS plattforms. This will allow you to keep an eye on the basic online status of your hosts, even if they are located behind a private NAT gateway, don't have their own public IP address or if they are not running any web service.
+
+## Deployment
+Just copy the contents of the folder "statping-api-adapter" to a directory on a webserver or shared webhosting of your choice. As long as PHP is enabled and the scripts are allowed to access your local files, you should be good to go.
+
+## How to use
+1. Modify the tokens in the config.php file (VERY IMPORTANT)
+2. Copy the contents to your webserver
+3. Open the folder / the file index.php on your webserver.
+4. Press the button to generate all deployment scripts
+5. Copy the instructions for your OS and execut them in your shell
+
+## Live Demo
+
+You can see the tool in action over here: https://pixel-shift.de/statping-service/
+The status-export is used in this website: https://pixel-shift.de/status.html
+
+## Statping Setup 
+
+Now that you have deployed your server to statping, you can add a new target in statping to make use of the newly created link. Copy the URL from the statping section of your index.php and add the device name to it, that you configured during deployment. You can also get the statping URL by opening accessing the manager script on your host. It will show you the correct URL on your shell output.
+
+## Security concerns
+
+The WebApp does not implement any sophisticated security mechanisms due to the (possibly) low severity of data leaks. This web app makes use of three different tokens:
+
+- api token (to authenticate deployments)
+- download token (to download deployment scripts)
+- statping token (optional)
+
+By default, the deployments folder and storage folders are autogenerated with permissions 0700, meaning that only the server itself has full privilges. Users requesting access to the files directly cannot get the deployment scripts or settings. This will not work on Windows Servers, in this case you would have to adjust the permissions manually after generation.
+
+To improve privacy, there are two settings. First of all, you can disable the debug mode. This will prevent the database export at the bottom of the index page. In addition to that, you can enable the privacy mode. While the privacy mode is active, you cannot change any of the settings until you enter the download token from the settings on the website. This also means that unauthenticated users cannot see any of the specifics.
+
+One final warning: this whole thing is based on security through obfuscation. If you are interested in establishing an actual production ready monitoring system for your private or public infrastructure, shoot us a message at info@pixel-shift.de or on www.pixel-shift.de.
diff --git a/statping-api-adapter/api/checker.php b/statping-api-adapter/api/checker.php
@@ -0,0 +1,42 @@
+<?php
+########################################
+#   (C) 2024 by Philipp Lehnet
+#   Statping Reverse Shell Tool 
+#   https://pixel-shift.de
+#################
+
+# checker.php will be used to check the status of a device based on the last time it was logged.
+# This plays a big part in checking devices behind private NAT gateways or that don't offer a web service that can be checked natively.
+
+if (!isset($_GET['device'])) {
+    http_response_code(400); # Bad Request
+    die();
+}
+
+include '../config.php';
+$device = $_GET['device'];
+$currentTime = time();
+$file = '../storage/' . $storage_file;
+
+# Read the existing data from the file if it exists
+$logData = [];
+if (file_exists($file)) {
+    $logData = json_decode(file_get_contents($file), true);
+    if ($logData === null) {
+        $logData = [];
+    }
+}
+
+if (array_key_exists($device, $logData) && $currentTime - $logData[$device] <= 180) {
+    $response = [
+        'timestamp' => $logData[$device],
+        'device' => $device,
+        'online' => true,
+    ];
+    header('Content-Type: application/json');
+    echo json_encode($response);
+} else {
+    http_response_code(404); # Not Found - 404 will indicate inavailability of the device to statping
+    echo 'Device not found or offline.';
+}
+?>
diff --git a/statping-api-adapter/api/collector.php b/statping-api-adapter/api/collector.php
@@ -0,0 +1,49 @@
+<?php
+########################################
+#   (C) 2024 by Philipp Lehnet
+#   Statping Reverse Shell Tool 
+#   https://pixel-shift.de
+#################
+
+# This file will be used to log the devices that have been deployed. Everytime the endpoint is called by one of the devices, it will log the device and the timestamp.
+include '../config.php';
+
+if (!isset($_GET['api_token']) || $_GET['api_token'] !== $api_token) {
+    http_response_code(401); # Unauthorized
+    die();
+}
+
+if (!isset($_GET['device'])) {
+    http_response_code(400); # Bad Request
+    die();
+}
+
+$device = $_GET['device'];
+$timestamp = time();
+$file = '../storage/' . $storage_file;
+
+# Read the existing data from the file if it exists
+$logData = [];
+if (file_exists($file)) {
+    $logData = json_decode(file_get_contents($file), true);
+    if ($logData === null) {
+        $logData = [];
+    }
+}
+
+# Add or update the device entry
+$logData[$device] = $timestamp;
+
+# Remove entries older than 1 day
+$oneDayAgo = strtotime('-1 day');
+foreach ($logData as $key => $value) {
+    if ($value < $oneDayAgo) {
+        unset($logData[$key]);
+    }
+}
+
+# Write the updated data back to the file
+file_put_contents($file, json_encode($logData));
+
+echo 'Device logged successfully.';
+?>
diff --git a/statping-api-adapter/api/dl_proxy.php b/statping-api-adapter/api/dl_proxy.php
@@ -0,0 +1,35 @@
+<?php
+########################################
+#   (C) 2024 by Philipp Lehnet
+#   Statping Reverse Shell Tool 
+#   https://pixel-shift.de
+#################
+
+# This file is used to serve the matching script for each of the OSs that are supported by the deployment manager.
+
+include '../config.php';
+
+# Check if the request contains a valid token
+if (isset($_GET['token']) && $_GET['token'] === $downloadToken) {
+    # Provide the path to your .sh file
+    $filePath = 'deployment/' . $_GET['fn'];
+
+    # Check if the file exists
+    if (file_exists($filePath)) {
+        # Set headers for file download
+        header('Content-Type: application/octet-stream');
+        header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');
+        header('Content-Length: ' . filesize($filePath));
+
+        # Read and output the file contents
+        readfile($filePath);
+        exit;
+    } else {
+        # File not found
+        die('File not found.');
+    }
+} else {
+    # Invalid token
+    die('Invalid token.');
+}
+?>