Command2API: Exposing Command Execution Results via HTTP API with Python

Today I discovered an open‑source project called Command2API and wanted to share it. The tool was created to simplify the retrieval of command execution results—especially in internal security testing scenarios where DNSLog services are unavailable—by exposing those results through an HTTP API.

Origin : The original repository explains that during Log4j RCE testing, the author needed a quick way to fetch JNDI tool execution results without manually checking LDAP connections. Existing JNDI injection tools lacked an API, so a small script was written to capture command output and return it via an API for easier integration with BurpSuite plugins.

Principle : The implementation is straightforward: a Python thread runs the desired command while another thread starts a simple web server. The command’s output is stored in a global variable that the web server reads and returns as the HTTP response.

Running the tool :

First clone the repository:

git clone https://github.com/gh0stkey/Command2API.git

Then execute the script with the command to run and the port for the web service (the project uses Python 2 because it relies on BaseHTTPServer ):

python Command2Api.py "
"

For example, to run a ping test:

python Command2Api.py "ping www.baidu.com" 8888

The script prints a URL such as http://HOST:8888/c1IvlLF9 . Opening that URL in a browser shows the captured console output. Note that the page does not auto‑refresh; you must manually reload to see new results.

Use cases include:

Internal security testing to retrieve JNDI tool results via an API.

Real‑time monitoring of command‑line programs (e.g., Scrapy spiders, web servers) by exposing their output.

Quickly sharing execution results using tools like Ngrok.

Source code analysis : The core consists of a few dozen lines. It imports subprocess , BaseHTTPServer , SimpleHTTPServer , and threading modules. A random URI is generated, a custom thread executes the command with subprocess.Popen , captures stdout line‑by‑line, prints it, and appends it to a global list. The HTTP handler serves this list when the generated URI is requested.

Potential optimizations :

Port the project to Python 3 (replace BaseHTTPServer ).

Enable automatic page refresh or use WebSocket for live updates.

Format the HTTP response to match console output more closely.

Package the tool for installation via pip .

Improve the displayed host URL for easier access.

Integrate with Ngrok for public exposure.

Add a web interface to send commands interactively.

These enhancements could make the tool more versatile and user‑friendly. Thank you for reading!