IT Security Lab The Playground for IT Security Specialists and Pentesters

24Sep/1010

TinyWeb: Pocket-size Portable Web Server With CGI And PHP Support (!)

You know, each of us has some tools we really like to use. Tools which are not "just good": we simply love them. They are nice-looking, reliable, and (this is especially important) simple and easy to use. One such little toy I use quite often in exploitation practice (and obviously in many other weird experiments) is the freeware TinyWeb web server created by Maxim Masiutin from RitLabs. The server is extremely small (actually it's a single file only, about 60 Kb). Despite that, this little creature serves HTML, executes CGI, supports SSL, writes logs, etc. The full list of features you may find [here].

It's a really nice tool, and recently I had an opportunity to improve the TinyWeb server a little bit, so I want to share it with you. Obviously this is still not as full-featured a server as Wamp, but it is tiny, handy and can be a significant part of your "pocket hacking toolset". How to use it for your own benefit I will leave to you. :-)

So what functionality did I add?

  • TinyWeb supports PHP (Yeeeeaa!). (Can you imagine a web server without PHP? I can't.) Surprisingly, the original version of the server had some difficulties running PHP. The source code is now slightly changed, so everything works smoothly. Note: PHP runs as CGI.
  • The server is 100% portable now! No need for installation or configuration: just copy it to any folder, make a single click and voila! Everything is configured and running immediately (yes, PHP is also configured automatically).
  • PHP files may be placed in any folder inside \wwwroot (note that in the original TinyWeb server CGI is handled only in the \wwwroot\cgi-bin folder).

Looks good? Oh, believe me, it is. Let's see what this little beast can do for us, but "first things first": see what you may download:

Download binaries:

Download source code:

Note that the author (Maxim Masiutin) kindly published the source code of the standard TinyWeb server only (without SSL support), so this is the only version I have modified so far (and hence the only one that supports PHP).

Running the little daemon

Ok, in our first example we will be using the version of the server with PHP support. Download it and unzip it to any folder on your PC (you already did it, yeah?). Now run the file "run_web_server.exe". Important: you must run it as Administrator. The same application may be used for both versions of TinyWeb: with and without SSL support. Once you have it running, everything should be self-explanatory (not much to configure really):

If you are using the TinyWeb version with SSL, you will see the following info at the bottom:

Once we have the port chosen, press the [RUN] button. Note that the LPORT field is now grayed out and the [RUN] button is also disabled. Our server is running!

Now you can close this application completely; the TinyWeb server will keep happily running in the background. How to stop the server? Oh I don't know, try to guess... ;-)

Is it really working?

Ok, the server is running, now let's browse the structure of our folders:

wwwroot
¦   index.htm
¦   index.php
¦   login.htm
¦
+---cgi-bin
        login.exe
        shell.php
        test.cmd
        test.php
        test.pl

Those files will be available "on-line" under the following URLs:

http://localhost:81/index.htm
http://localhost:81/index.php
http://localhost:81/login.htm
http://localhost:81/cgi-bin/shell.php
http://localhost:81/cgi-bin/test.cmd
http://localhost:81/cgi-bin/test.php
http://localhost:81/cgi-bin/test.pl <-- to run this you must have Perl installed

Try opening them in your browser and see what happens. :-) Actually, any console program that uses stdin and stdout can easily be handled by the TinyWeb server (which is really handy).

Imagine that you have the following batch file:

When you navigate to the following URL: http://localhost:81/cgi-bin/test.cmd you can see in your browser something like this:

Nice, isn't it! :-)

Remember one important thing: PHP is supported in \wwwroot (and in any nested subfolder inside it). CGI is handled only in the \wwwroot\cgi-bin folder and its subfolders.
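The CGI contract mentioned above (request data arrives in environment variables and on stdin, the response goes to stdout), as an added example that is not part of the original post or of TinyWeb: a small C console program that bounds the request body and HTML-escapes everything it echoes back. The file name echo.exe and the MAX_BODY limit are assumptions made for illustration.

```c
/* Added example: a CGI console program (hypothetical echo.exe, not from the post). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 4096 /* assumed upper bound for a request body */

/* HTML-escape src into dst; returns length written or -1 if dst is too small. */
static int html_escape(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        if (*src == '&') rep = "&amp;";
        else if (*src == '<') rep = "&lt;";
        else if (*src == '>') rep = "&gt;";
        else if (*src == '"') rep = "&quot;";
        else if (*src == '\'') rep = "&#39;";
        size_t len = strlen(rep);
        if (n + len + 1 > cap) return -1;
        memcpy(dst + n, rep, len);
        n += len;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Validate CONTENT_LENGTH: 0 if absent, -1 if malformed or above MAX_BODY. */
static long body_length(const char *cl) {
    char *end;
    long v;
    if (!cl || !*cl) return 0;
    v = strtol(cl, &end, 10);
    return (*end != '\0' || v < 0 || v > MAX_BODY) ? -1 : v;
}

/* Print "label=value" with the value escaped, never raw. */
static void emit(const char *label, const char *val) {
    static char safe[MAX_BODY * 6 + 1];
    if (html_escape(val ? val : "", safe, sizeof safe) < 0) strcpy(safe, "(too long)");
    printf("%s=%s\n", label, safe);
}

int main(void) {
    static char body[MAX_BODY + 1];
    long len = body_length(getenv("CONTENT_LENGTH"));
    /* CGI convention: header lines, a blank line, then the document body. */
    printf("Content-Type: text/html\n\n<pre>\n");
    emit("method", getenv("REQUEST_METHOD"));
    emit("query", getenv("QUERY_STRING"));
    if (len < 0) printf("body rejected: bad or oversized CONTENT_LENGTH\n");
    else { body[fread(body, 1, (size_t)len, stdin)] = '\0'; emit("body", body); }
    printf("</pre>\n");
    return 0;
}
```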

Couple of words about TinyWeb with SSL support

This is the original version of the TinyWeb binary with SSL support, compiled by Maxim Masiutin. The source code unfortunately is not available, so I cannot make the necessary modifications, hence PHP is not supported. Sad but true.

Anyway, you may download it from here along with sample SSL certificates (and of course with run_web_server.exe), in fully portable form. So again: nothing to configure. Just unzip, and run!

Comments (10) Trackbacks (0)
  1. very nice as always… now… if you can modify it to support mySql, that would be just dandy ;-)
    no seriously… great post… won't be using Apache again :)

  2. Thanks a bunch for putting this together.

    I am baffled why php doesn’t work with the original source.

    I am not too familiar with delphi compiler but with reading the original source code got to the point where I got php-cgi.exe to run when I access a test.php file on tinyweb. I could tell this because if I didn’t have the timezone set the error message would print on my web browser.

    For some reason I cannot get php to output anything but the error message until I swap out the original executable and use your executable. I don’t even have to move php which I have installed in an entirely different place. This would lead me to believe that the problem isn’t with getting php to run.

    I noticed that along with forcing php files to always run as cgi you commented out some headers. The other changes I found seemed to be commented out. I don’t have a delphi compiler but I would really like to know if commenting out the headers has anything to do with getting php to work or if it was something else.

    • Yes you are absolutely right – original version of TinyWeb for some reason does not want to “cooperate” with PHP. I made several experiments and found out that the clue is to set up some environment variables. And what is important: some variables should NOT be set up. Check the source code, file “srvmain.pas”, lines 1028 – 1053 – this is the right combination for PHP. Honestly, the PHP efficiency in CGI mode is ekhm… “far from ideal” ;-), but still good enough for playing around, and experimenting. For this tiny thing to be really useful – it would be good to make it running with PHP in fastCGI mode, which is rather far different from classic CGI. But maybe next time. :-)

  3. Very cool, and nicely done! By the way, how can I run/configure your executable quietly? I’d prefer to start tiny.exe as a silent service, so I can distribute my code on a CD without instructing the end-user that he must first click run_web_server.exe before starting his browser.

    • Such functionality was not initially planned, but I can make it in the nearest release! You still would need to run something like “run_web_server.exe /autorun”. :-) I’ll let you know when this will be ready.

      Kind regards,
      A.

  4. Not sure it works 100%, which is a pity.
    I tried installing dokuwiki inside your PHP enhanced TinyWeb, but it did not work. They tell you to start with localhost:81/install.php, but pressing the Save button on that page does not do anything.
    Installing XAMPP/Apache and doing the same works just fine.
    Regards,
    Mark

    • Unfortunately PHP is not fully supported in TinyWeb, so this will not work with larger projects, I'm afraid (such as dokuwiki). I would definitely recommend WAMP server or something similar (it is also possible to make a kind of “portable version” of it).

  5. great work.
    But continuing in the spirit of TinyWeb, you should have kept your modified version also command line (instead of having a new exe with UI).

