CODEWITHSUNDEEP
securitybashshellcgi
Sri
Sri

Reputation:

CGI programming with shell scripts

I need to pass the content of the textbox into a variable. i.e. whatever typed in the texbox of the html page needs to be pass to a variable. This is because I am calling HTML (CGI as well) inside linux shell programming. I need to manipulate that variable as I want. Do you have any idea to do it?

What I need to do is, I want to get the MAC address as an input from the user. i.e. we should have a HTML page with a text box, that user will be able to input the MAC address. therefore whatever user enters into the text box need to be passed to a variable.

Once we have the variable, this script will automatically add this MAC address into linux firewall to deny the access.

The code should be similar to the following:

!/bin/bash

echo "Content-type: text/html"

echo ""

echo ""

echo "enter the MAC address "

iptables -A INPUT -m mac --mac-source $mac_address -j DROP

service iptables save

service iptables restart

I will save this file (test.cgi) under /var/www/cgi-bin directory and I will run this script from firefox.

So the problem now I have the variable $mac_address. The CGI does not pass the textbox input into variable $mac_address.

Upvotes: 4

Views: 6667

Answers (4)

Alex Gray
Alex Gray

Reputation: 16463

Sorry to keep harping on this point, I just think it's too fun...

So for the ultimate do-all CGI script, check this out...

warning... not for security freaks or anyone that isn't perfectly aware of what the below entails...

#!/usr/bin/python
# /var/www/cgi-bin/doanything.cgi   r-xr-x---  wwwuser group
# what does this do?  LITERALLY ANYTHING.   Usage: 
# http://server.local/cgi/doanything.cgi?DO="if you can think of how to bash it"; THEN="bash it"; echo $THEN 
# result: bash it


import cgitb; cgitb.enable()
import os, urllib, subprocess as sub

# Retrieve the command from the query string and unencode the escaped %xx chars
str_command = urllib.unquote(os.environ['QUERY_STRING'])
p = sub.Popen(['/bin/bash', '-c', str_command], 
     stdout=sub.PIPE, stderr=sub.STDOUT)
output = urllib.unquote(p.stdout.read())

print """\
Content-Type: text/html\n
<html><body>
<pre>
<!-- UNCOMMENT THE FOLLOWING TO ECHO COMMAND --> 
<!-- $ %s  -->
%s
</pre>
</body></html>
""" % (str_command, output)

Upvotes: 0

Alex Gray
Alex Gray

Reputation: 16463

Check out bashlib - CGI programming with the bash shell

bashlib is a shell script that makes CGI programming in the bash shell easier, or at least more tolerable. It contains a few functions that get called automatically and place form elements (from POSTs and GETs) and cookies in your environment. It also contains complete documentation on how to use these variables and how to set cookies manually.

It is super easy to use and makes passing url strings as variables, etc a breeze. Don't let the naysayers hate on bash as a web scripting language. It can hold its own... and it's simple, pervasive, and effective... This goes slightly against the grain, but if you're not easily peer pressured, I'd say go for it.

#!/bin/bash
# this sources bashlib into your current environment
. /usr/local/lib/bashlib
echo "Content-type: text/html"
echo ""
# OK, so we've sent the header... now send some content
echo "<html><title>Crack This Server</title><body>"

Related and cool: xmlsh and shellinabox.

Upvotes: 1

Sinan &#220;n&#252;r
Sinan &#220;n&#252;r

Reputation: 118128

The real answer to this question is don't.

Your web server seems to be running with root privileges. That is the first no-no.

Do you really want to allow the whole wide world to be able to tinker with your firewall configuration? You have no control over how your shell script gets invoked, what gets passed to it. You are opening major security holes.

See the WWW Security FAQ on CGI scripts and Writing secure CGI scripts as well as CGI Security : Better Safe than Sorry.

Upvotes: 4

Warren Young
Warren Young

Reputation: 42343

First, read the CGI primer.

You will need an HTML page with code like this:

<form method="get" action="/cgi-bin/my-fw-script.sh">
    <p>Gimme an IP address: <input name="addr"></p>
    <input type="submit">Block IP</input>
</form>

When the user clicks the form's Submit button, your Bash CGI program will be run. (/path/to/cgi-bin/my-fw-script.sh in the above example.) The text input will be in the QUERY_STRING environment variable, in the form variable=value. For simple inputs, you could just call the Bash function eval to turn this into a Bash variable:

#!/bin/sh
eval $QUERY_STRING
echo You asked me to block $addr.

This will only work for a single input field, and will break if there are spaces or other special characters. I imagine the bash_cgi thing someone else recommended will take care of these details for you. Do it like the above example only if this program will stay very simple.

By the way, you almost certainly don't want to be adding MAC addresses to the firewall. That only works for hosts that are on the same LAN as the firewalled box. Packets coming from another LAN, the Internet, etc. will have the MAC address of the LAN's gateway. You should probably be blocking hosts by IP address instead.

Upvotes: 3

Related Questions