CGI Programming with Shell Scripts

I need to pass the contents of a text field to a variable. That is, everything that is typed in the textbox of the HTML page must be passed to the variable. This is because I call HTML (CGI) from Linux shell programming. I need to manipulate this variable as I want. Do you have an idea how to do this?

What I need to do: I want to get the MAC address as input from the user. That is, we must have an HTML page with a text field where the user will be able to enter the MAC address. Therefore, anything the user enters in the text field must be passed to the variable.

Once we get the variable, this script will automatically add this MAC address to the Linux firewall to deny access.

The code should look like the following:

    #!/bin/bash
    echo "Content-type: text/html"
    echo ""
    echo ""
    echo "enter the MAC address "
    iptables -A INPUT -m mac --mac-source $mac_address -j DROP
    service iptables save
    service iptables restart

I will save this file (test.cgi) in the directory /var/www/cgi-bin, and I ran this script from Firefox.

So, the problem I have now is the variable $mac_address. CGI does not pass the text field input to the $mac_address variable.

+4
4 answers

The real answer to this question is: no.

Your web server seems to be running with root privileges. This is the first no-no.

Do you really want the whole wide world to bother with your firewall configuration? You cannot control how your shell script is called or what is passed to it. You are opening basic security holes.

See WWW CGI Script Security Considerations and Writing CGI Secure Scripts and CGI Security: Better Than Sorry.

+4

Read the CGI primer first.

You will need an HTML page with code like this:

    <form method="get" action="/cgi-bin/my-fw-script.sh">
      <p>Gimme an IP address: <input name="addr"></p>
      <input type="submit" value="Block IP">
    </form>

When the user clicks the "Submit Form" button, your Bash CGI program will be launched (/path/to/cgi-bin/my-fw-script.sh in the above example). The text input will be in the environment variable QUERY_STRING in the form variable=value. For simple inputs, you can simply call the Bash eval function to turn it into a Bash variable:

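    #!/bin/sh
    echo "Content-type: text/plain"
    echo ""
    # eval executes the query string as shell code, exactly as the client sent it
    eval $QUERY_STRING
    echo "You asked me to block $addr."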

This will only work for one input field and will break if there are spaces or other special characters. I believe that the idea of bash_cgi, which someone else recommended, will take care of these details for you. Do this, as in the example above, only if this program remains very simple.

By the way, you almost certainly do not want to add MAC addresses to the firewall. This only works for hosts that are on the same local network as the firewall. Packets coming from another LAN, Internet, etc., will have the MAC address of the LAN gateway. You should probably block hosts by IP address.

+3
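An alternative to the `eval` approach above, as an added example that is not part of any answer on this page: it reads the `addr` field from QUERY_STRING as plain data and accepts it only if it is a well-formed MAC address, the value the question's iptables rule expects. The function names are illustrative, and what is done with an accepted value (for example, handing it to a separate privileged job) is left out.

```shell
#!/bin/sh
# Added example: read one CGI form field without eval and accept it only if
# it is a MAC address. The field name "addr" comes from the form in the
# answer above; the function names are illustrative.
LC_ALL=C; export LC_ALL          # make [0-9A-Fa-f] mean ASCII hex digits only

# get_param NAME QUERY: print the raw value of the first NAME=... pair.
# The query is split on '&' as data; nothing in it is ever executed.
get_param() {
    set -f; old_ifs=$IFS; IFS='&'
    set -- "$1" $2               # split on & only, with globbing switched off
    IFS=$old_ifs; set +f
    name=$1; shift
    for pair in "$@"; do
        case $pair in
            "$name="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# is_mac VALUE: succeed only if the whole string is six colon-separated hex
# pairs. A case pattern must match the entire value, so trailing text fails.
is_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case $1 in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# mac_from_query QUERY: print the validated MAC, or return 1.
# Browsers send ':' as %3A; that is the only escape decoded, because any
# other escaped character could not be part of a valid MAC anyway.
mac_from_query() {
    raw=$(get_param addr "$1") || return 1
    mac=$(printf '%s\n' "$raw" | sed 's/%3[Aa]/:/g')
    is_mac "$mac" || return 1
    printf '%s\n' "$mac"
}

# Runs only under a web server (CGI sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if mac=$(mac_from_query "${QUERY_STRING:-}"); then
        printf 'Content-type: text/plain\n\nAccepted %s\n' "$mac"
    else
        printf 'Status: 400 Bad Request\nContent-type: text/plain\n\nNot a MAC address\n'
    fi
fi
```
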

Check out bashlib - CGI programming with the bash shell

bashlib is a shell script that makes CGI programming in a bash shell easier or at least more bearable. It contains several functions that are called automatically and place form elements (from POST and GET) and cookies in your environment. It also contains full documentation on how to use these variables and how to set cookies manually.

It is super easy to use and makes passing URL strings as variables, etc. a breeze. Do not let the skeptics put you off bash as a web scripting language. It can hold its own ... and it is simple, widespread and effective ... It goes a little against the grain, but if you are not easily pressured, I would say go for it.

    #!/bin/bash
    # this sources bashlib into your current environment
    . /usr/local/lib/bashlib
    echo "Content-type: text/html"
    echo ""
    # OK, so we've sent the header... now send some content
    echo "<html><title>Crack This Server</title><body>"

Related and cool: xmlsh and shellinabox.

+1

Sorry to keep doing this, I just think it's too much fun ...

So, for the final do-all CGI script, check this out ...

Warning ... not for security vulnerabilities or for those who do not quite understand what the following entails:

    #!/usr/bin/python
    # /var/www/cgi-bin/doanything.cgi   r-xr-x--- wwwuser group
    # what does this do? LITERALLY ANYTHING. Usage:
    # http://server.local/cgi/doanything.cgi?DO="if you can think of how to bash it"; THEN="bash it"; echo $THEN
    # result: bash it
    import cgitb; cgitb.enable()
    import os, urllib, subprocess as sub

    # Retrieve the command from the query string and unencode the escaped %xx chars
    str_command = urllib.unquote(os.environ['QUERY_STRING'])
    p = sub.Popen(['/bin/bash', '-c', str_command], stdout=sub.PIPE, stderr=sub.STDOUT)
    output = urllib.unquote(p.stdout.read())
    print """\
    Content-Type: text/html\n
    <html><body>
    <pre>
    <!-- UNCOMMENT THE FOLLOWING TO ECHO COMMAND -->
    <!-- $ %s -->
    %s
    </pre>
    </body></html>
    """ % (str_command, output)

0