LinuxQuestions.org
Old 02-03-2018, 03:33 AM   #1
jamiebbbb
Member
 
Registered: Mar 2017
Location: Victoria, Australia
Distribution: Debian Wheezy
Posts: 34

Rep: Reputation: Disabled
How to: From a Text Box on a HTML page. Using the user input as a variable to a Bash Script


I have Googled this extensively and I have come across answers that hint at what I wish to do but are not quite on the mark.
I wonder if someone would be kind enough to help.

I wish to create a Menu of Linux commands that I regularly use. { Being lazy } utilizing Html.

I have a bash script that is a menu - work in progress. I wish to make it a little more attractive to the eye and interactive and thought HTML would be a nicer alternative. This is my attempt at a Bash MENU script. I tried CGI script - haven't a clue how to make it interactive or more attractive.

All I want is something that takes a user input from an HTML text box, for example the "name of a program" that I wish to install by apt-get, then outputs that "program name" to a shell script that accepts that input and of course installs the application.
I am still learning ...



Code:
#!/bin/bash
      E='echo -e';e='echo -en';trap "R;exit" 2
    ESC=$( $e "\e")
   TPUT(){ $e "\e[${1};${2}H";}
  CLEAR(){ $e "\ec";}
  CIVIS(){ $e "\e[?25l";}
   DRAW(){ $e "\e%@\e(0";}
  WRITE(){ $e "\e(B";}
   MARK(){ $e "\e[7m";}
 UNMARK(){ $e "\e[27m";}
      R(){ CLEAR ;stty sane;$e "\ec\e[37;44m\e[J";};
   HEAD(){ DRAW
           for each in $(seq 1 13);do
           $E "   x                                          x"
           done
           WRITE;MARK;TPUT 1 5
           $E "BASH SELECTION MENU                       ";UNMARK;}
           i=0; CLEAR; CIVIS;NULL=/dev/null
   FOOT(){ MARK;TPUT 13 5
           printf "ENTER - SELECT,NEXT                       ";UNMARK;}
  ARROW(){ read -s -n3 key 2>/dev/null >&2
           if [[ $key = $ESC[A ]];then echo up;fi
           if [[ $key = $ESC[B ]];then echo dn;fi;}
     M0(){ TPUT  4 20; $e "Netstat -nat";}
     M1(){ TPUT  5 20; $e "Internet Traffic monitor";}
     M2(){ TPUT  6 20; $e "wireless restart";}
     M3(){ TPUT  7 20; $e "kalimenu ";}
     M4(){ TPUT  8 20; $e "nethogs";}
     M5(){ TPUT  9 20; $e "Zenmap";}
     M6(){ TPUT  10 20; $e "ABOUT  ";}
     M7(){ TPUT 11 20; $e "EXIT   ";}
      LM=7 #When adding more menus increment this#
   MENU(){ for each in $(seq 0 $LM);do M${each};done;}
    POS(){ if [[ $cur == up ]];then ((i--));fi
           if [[ $cur == dn ]];then ((i++));fi
           if [[ $i -lt 0   ]];then i=$LM;fi
           if [[ $i -gt $LM ]];then i=0;fi;}
REFRESH(){ after=$((i+1)); before=$((i-1))
           if [[ $before -lt 0  ]];then before=$LM;fi
           if [[ $after -gt $LM ]];then after=0;fi
           if [[ $j -lt $i      ]];then UNMARK;M$before;else UNMARK;M$after;fi
           if [[ $after -eq 0 ]] || [ $before -eq $LM ];then
           UNMARK; M$before; M$after;fi;j=$i;UNMARK;M$before;M$after;}
   INIT(){ R;HEAD;FOOT;MENU;}
     SC(){ REFRESH;MARK;$S;$b;cur=`ARROW`;}
     ES(){ MARK;$e "ENTER = main menu ";$b;read;INIT;};INIT
  while [[ "$O" != " " ]]; do case $i in
        0) S=M0;SC;if [[ $cur == "" ]];then R;$e "\n$(netstat -nat      )\n";ES;fi;;
        1) S=M1;SC;if [[ $cur == "" ]];then R;$e "\n$(./iptraf.sh)\n";ES;fi;;
        2) S=M2;SC;if [[ $cur == "" ]];then R;$e "\n$(./restart-network.sh)\n";ES;fi;;
        3) S=M3;SC;if [[ $cur == "" ]];then R;$e "\n$(./kaliimenu.sh)\n";ES;fi;;
        4) S=M4;SC;if [[ $cur == "" ]];then R;$e "\n$(./netpigs.sh )\n";ES;fi;;
	5) S=M5;SC;if [[ $cur == "" ]];then R;$e "\n$(./zenmapp.sh   )\n";ES;fi;;	
        6) S=M6;SC;if [[ $cur == "" ]];then R;$e "\n$($e by oTo)\n";ES;fi;;
        7) S=M7;SC;if [[ $cur == "" ]];then R;exit 0;fi;;
 esac;POS;done
I tried CGI as well - here's my attempt. But it is not interactive and has no user input.

Code:
#!/bin/sh
    # CGI header followed by the required blank line (works whichever shell provides /bin/sh)
    echo "Content-type: text/html"
    echo ""
     
    # read in our parameters
    CMD=`echo "$QUERY_STRING" | sed -n 's/^.*cmd=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
    FOLDER=`echo "$QUERY_STRING" | sed -n 's/^.*folder=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"| sed "s/%2F/\//g"`
    FOLDER1=`echo "$QUERY_STRING" | sed -n 's/^.*folder1=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"| sed "s/%2F/\//g"`
    FOLDER2=`echo "$QUERY_STRING" | sed -n 's/^.*folder2=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"| sed "s/%2F/\//g"`

    # our html header
    echo "<html>"
    echo "<head><title>Bash CGI</title></head>"
    echo "<body>"
     
    # test if any parameters were passed
    if [ -n "$CMD" ]
    then
      case "$CMD" in
        ifconfig)
          echo "Output of ifconfig :<pre>"
          /sbin/ifconfig
          echo "</pre>"
          ;;
     
        uname)
          echo "Output of uname -a :<pre>"
          /bin/uname -a
          echo "</pre>"
          ;;
     
        dmesg)
          echo "Output of dmesg :<pre>"
          /bin/dmesg
          echo "</pre>"
          ;;
     
    df)
          echo "Output of df -h :<pre>"
          /bin/df -h
          echo "</pre>"
          ;;
     
    free)
          echo "Output of free :<pre>"
          /usr/bin/free
          echo "</pre>"
          ;;
     
     hw)
              echo "Hardware listing :<pre>"
              /usr/bin/lshw
              echo "</pre>"
              ;;


     lsusb)
              echo "lsusb :<pre>"
              /usr/bin/lsusb
              echo "</pre>"
              ;;

    lsuser)
              echo "List of users :<pre>"
              /usr/bin/lsuser
              echo "</pre>"
              ;;

        ls)
          echo "Output of ls $FOLDER :<pre>"
          /bin/ls "$FOLDER"
          echo "</pre>"
          ;;
     
            lsal)
              echo "Output of ls $FOLDER1 :<pre>"
              /bin/ls -al "$FOLDER1"
              echo "</pre>"
              ;;

          wol)
              echo "System to wake: $FOLDER2 :<pre>"
              /usr/bin/wakeonlan "$FOLDER2"
              echo "</pre>"
              ;;


        lsb_release)
          echo "Ubuntu version :<pre>"
          /usr/bin/lsb_release -a
          echo "</pre>"
          ;;
     
           cpuinfo)
              echo "Cpu information :<pre>"
              cat /proc/cpuinfo
              echo "</pre>"
              ;;
      
         *)
          echo "Unknown command $CMD<br>"
          ;;
      esac
    fi
     
    # print out the form
     
    # page header
    echo "<p>"
    echo "<center>"
    echo "<h2>Bash commands</h2>"
    echo "</center>"
    echo "<p>"
    echo "<p>"
     
    echo "Choose which command you want to run"
    echo "<form method=get>"
    echo "<input type=radio name=cmd value=ifconfig checked> ifconfig (Network configuration) <br>"
    echo "<input type=radio name=cmd value=uname> uname -a (Kernel version)<br>"
    echo "<input type=radio name=cmd value=dmesg> dmesg (System messages) <br>"
    echo "<input type=radio name=cmd value=lsb_release> lsb_release (Ubuntu version) <br>"
    echo "<input type=radio name=cmd value=df> df -h (Free disk space) <br>"
    echo "<input type=radio name=cmd value=free> free (Memory info)<br>"
        echo "<input type=radio name=cmd value=cpuinfo> Cpu information <br>"
        echo "<input type=radio name=cmd value=hw> Hardware listing <br>"
    echo "<input type=radio name=cmd value=lsuser> User listing <br>"
    echo "<input type=radio name=cmd value=lsusb> lsusb (Usb ports info)<br>"
    echo "<input type=radio name=cmd value=ls> ls  -- folder <input type=text name=folder value=/mnt/flash><br>"
    echo "<input type=radio name=cmd value=lsal> ls -al -- folder <input type=text name=folder1 value=/mnt/flash><br>"
    echo "<input type=radio name=cmd value=wol> wakeonlan (enter mac address) <input type=text name=folder2 value=00:00:00:00:00:00><br>"
    echo "<input type=submit>"
    echo "</form>"
    echo "</body>"
    echo "</html>"
 
Old 02-03-2018, 07:36 AM   #2
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,784

Rep: Reputation: 5937
It's been a while since I've played with bash CGI. I remember reading at one time that you need a blank line after the content type but do not know if it is still true.

Quote:
echo "Content-type: text/html"
echo ""
A quick scan of your CGI script shows that you left out action="some script" in your form statement which should be the CGI script itself. In addition a better check would be to test for $QUERY_METHOD=GET before processing input. The following guide should help with debugging your script.

http://www.yolinux.com/TUTORIALS/BashShellCgi.html

By the way in my opinion it would be bad practice to allow apache to install applications.
 
Old 02-03-2018, 07:49 AM   #3
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 2,252

Rep: Reputation: 1011
FYI - this has serious security implications, namely command injection https://www.owasp.org/index.php/Command_Injection because you are actually making that a function of the application.
 
Old 02-03-2018, 11:15 AM   #4
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,552

Rep: Reputation: 872
A CGI script with admin privileges is super risky...
Is it a proof of concept or do you intend to really make it work?
 
1 members found this post helpful.
Old 02-03-2018, 04:42 PM   #5
jamiebbbb
Member
 
Registered: Mar 2017
Location: Victoria, Australia
Distribution: Debian Wheezy
Posts: 34

Original Poster
Rep: Reputation: Disabled
I guess it's a proof of concept - a challenge that I have set myself. With regards to the issues of injection and the nasty rm -rf \*.

There must be security solutions as there are a number of web based Linux terminal training sites on the wide web. I found one solution.


Solutions that counter these and other vulnerabilities include:

Write CGI scripts such that they test for allowable characters before your Web server uses any environment variable(s).
For example, if users are to enter a phone number in a Web page, the following string in the CGI script that receives this input will weed out illegal characters:

$number=~/^[\d-]+{1,12}$/ || die "Non-allowed characters in input [0] ";


The start of this string basically means that phone numbers that are entered must conform to the specified rules. \d means to accept numerals; the "-" designates that hyphens in the phone number will also be accepted. The ^[\d-]+ means to allow any set of permitted characters (in this case, numerals), starting at the beginning of the line. The {1,12} means that to be accepted, the input must be between 1 and 12 characters in length. This length restriction is extremely important; it prevents buffer overflows caused by excessively long input (e.g., 77777777777777777777777777777777777777777777777777777777`rm -rf *`). The $ means that when the string comparison is finished, you are now at the end of the line. These restrictions help preclude the possibility of an attacker inserting commands or metacharacters at the end of the input.

credit to the following Site and Authors.

https://commons.lbl.gov/display/cpp/...he+Web+Servers
 
Old 02-03-2018, 06:53 PM   #6
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,552

Rep: Reputation: 872
Some security hints
https://www.w3.org/Security/Faq/wwwsf4.html

To make script more interactive, maybe add javascript with ajax request on client side

If it's for proof of concept and simulate commands it's fine as you don't have to deal with the major issue: give administrative privileges to the script to let it perform administrative tasks
 
Old 02-03-2018, 07:17 PM   #7
jamiebbbb
Member
 
Registered: Mar 2017
Location: Victoria, Australia
Distribution: Debian Wheezy
Posts: 34

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by keefaz View Post
Some security hints
https://www.w3.org/Security/Faq/wwwsf4.html

To make script more interactive, maybe add javascript with ajax request on client side

If it's for proof of concept and simulate commands it's fine as you don't have to deal with the major issue: give administrative privileges to the script to let it perform administrative tasks
That's the whole crux of the situation. So much knowledge is required in so many disciplines - javascript - bash - ajax - html - that what appears to be a simple task has evolved into a monumental feat.
How can this be simplified?

This is a slapped together Bash script. How would you achieve this with an HTML - CGI script?



Code:
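#!/bin/bash

echo "What program do you want to install?"

# -r keeps backslashes in the input literal
read -r varname

# Quoted so the input stays a single argument to apt-get
apt-get install "$varname"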
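
The allow-list check quoted in post #5 and the apt-get question in post #7, combined as an added example that is not from any poster in this thread: a POSIX sh CGI handler that validates a package name against the Debian naming rules and only simulates the install, in line with the proof-of-concept suggestion in post #6. The `pkg` parameter name and the 64-character cap are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. The "pkg" parameter name is an assumption.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII letters only

# Raw value of query parameter $1. Deliberately no URL-decoding: a valid
# package name never needs it, so anything percent-encoded fails validation.
get_param() {
    printf '%s\n' "$QUERY_STRING" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Allow-list check using the Debian package-name rules: lowercase letters,
# digits, '+', '-', '.'; first character alphanumeric; at least 2 characters.
# The 64-character upper bound is this example's own choice.
valid_pkg() {
    [ "${#1}" -ge 2 ] && [ "${#1}" -le 64 ] || return 1
    case $1 in
        [!a-z0-9]*)     return 1 ;;  # a leading '-' would be read as an option
        *[!a-z0-9+.-]*) return 1 ;;  # space, ';', '`', '$', '%', newline, ...
    esac
    return 0
}

# Escape HTML metacharacters before echoing anything user-supplied.
html_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

handle_request() {
    printf 'Content-Type: text/html\r\n\r\n'   # header, then the blank line
    pkg=$(get_param pkg)
    if [ "$REQUEST_METHOD" != GET ] || ! valid_pkg "$pkg"; then
        echo "<p>Rejected: $(html_escape "$pkg")</p>"
        return 1
    fi
    # Simulation only (-s): nothing is installed and root is not required.
    echo "<pre>"
    apt-get -s install "$pkg" 2>&1 | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g'
    echo "</pre>"
}

if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request            # running under a web server
else
    # Constructed sample inputs for a stand-alone run.
    for s in nmap 'libstdc++6' 'nmap;id' '-o' 'nmap%20zenmap' '7777`id`'; do
        if valid_pkg "$s"; then echo "accept: $s"; else echo "reject: $s"; fi
    done
fi
```

The validated value is passed to apt-get as one quoted argument and is never re-parsed by a shell, so the check and the quoting each cover a case the other does not.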
 
Old 02-03-2018, 08:45 PM   #8
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,552

Rep: Reputation: 872
It's up to you to build the application interface as you wish
With scripts executed from terminal it's easy, interface is provided by the terminal. You enter characters, press enter then cursor goes to next line after maybe displayed output from previous command... All you need to write is one program / script (ok maybe slight text formatting)

With web applications, you have to write the html code that will hold the interface (=document) structure, then write css to stylize (colors, font styles etc) the interface. Once visual is done, you can add interaction

There are frameworks to help you, eg bootstrap (easy and interface will work on mobiles)

Last edited by keefaz; 02-03-2018 at 08:46 PM.
 
Old 02-03-2018, 09:06 PM   #9
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,750

Rep: Reputation: 2222
Quote:
Originally Posted by jamiebbbb View Post
That's the whole crux of the situation. So much knowledge is required in so many disciplines - javascript - bash - ajax - html - that what appears to be a simple task has evolved into a monumental feat.
How can this be simplified?

This is a slapped together Bash script. How would you achieve this with an HTML - CGI script?



Code:
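#!/bin/bash

echo "What program do you want to install?"

# -r keeps backslashes in the input literal
read -r varname

# Quoted so the input stays a single argument to apt-get
apt-get install "$varname"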
Personally, I wouldn’t even try to do that with html and cgi...I wouldn’t even write or use the bash script. I’d just do the apt-get install from the command line. (Well, I’m a CentOS guy, so yum install ...)

If you want a web interface to help you manage a server, look into webmin. It contains the necessary security to prevent public access. No need to re-invent that wheel...

If you want to learn more about html and cgi, perhaps consider php, python, or Perl (my choice) for the server-side tool.
And find tasks that are not so risky.

Just MHO...
 
2 members found this post helpful.
Old 02-10-2018, 09:16 AM   #10
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
+1 for Webmin.

Running bash scripts over an http interface is DANGEROUS.
 
  

