Difference between revisions of "Trillex - programming in perl with cgi and dbi"

From Teknologisk videncenter
Line 78: Line 78:
  
 
=== Breaking it Down ===
 
=== Breaking it Down ===
 +
 +
I won't use comments (#) since I will not be able to explain enough in it. I will, hopefully, explain everything here so a newbie can look at it and understand it.
 +
 +
<source lang=perl>
 +
#!/usr/bin/perl
 +
use strict;
 +
use warnings;
 +
use CGI;
 +
use DBI;
 +
use CGI::Carp qw(fatalsToBrowser);
 +
</source>
 +
 +
Essentially this is the start of the script. It tells it what kind of "modules" to make use of. These modules can contain certain functions or be able to give you more information on errors etc.
 +
 +
<source lang=perl>
 +
#!/usr/bin/perl
 +
</source>
 +
 +
What this does is explain that this is now a perl script and it needs to be compiled at /usr/bin/perl. This is, obviously, different on Windows machines and can differ from linux distro.
 +
 +
<source lang=perl>
 +
use strict;
 +
</source>
 +
 +
Strict makes it a bit more "strict" and pretty much slaps you, if you are about to do something nasty in your script that could create a mess. It's good for starters.
 +
 +
<source lang=perl>
 +
use warnings;
 +
</source>
 +
 +
Does pretty much what it says. It gives you detailed information if it sees an error in your script when you run it, and outputs it to you. In some situations, it will even tell you exactly what is wrong. Always a good idea to use this, at least for debugging purposes.
 +
 +
<source lang=perl>
 +
use CGI;
 +
</source>
 +
 +
This loads a module for use in CGI, Common Gateway Interface. This is usually used when you want to make web development with perl. It's what making this script work.
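Review bot: The shebang paragraph says the script "needs to be compiled at /usr/bin/perl"; that line names the interpreter that runs the script, so reword it as "run by the Perl interpreter at /usr/bin/perl". The walkthrough also stops at `use CGI;` and never covers `use DBI;` or `use CGI::Carp qw(fatalsToBrowser);` from the first block. The latter prints fatal error text to the browser, so it deserves a sentence saying it is a debugging aid and should be removed on a public server.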

Revision as of 12:55, 21 September 2009

Programming: Perl with Webinterface and Database Injections

Introduction

As a final project in Perl, I decided to make a script that could be useful to a Linux administrator. The script is very situational, however, since it makes use of a specific setup.

The idea of the script can be changed and used for many situations, especially when you just need to inject simple things into a table. It certainly beats having to do it manually through that cursed client or through other means like phpMyAdmin etc.

What the script does is add a new user to the table "ftpd" in the database "pureftpd". This is a MySQL database. The only situation where you'd need to do this is when you have set your FTP daemon up for virtual users, i.e. the user accessing the FTP server does not have access to the server itself through SSH, as they normally would if we created another user on most UNIX systems.

The Script

<source lang=perl>
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;
# Debugging aid only: fatalsToBrowser shows error details to the visitor.
use CGI::Carp qw(fatalsToBrowser);

print CGI::header();

# Read each field in scalar context; quoting is left to the DBI placeholders below.
my $username = CGI::param('user');
my $status = CGI::param('status');
my $password = CGI::param('password');
my $uid = CGI::param('uid');
my $gid = CGI::param('gid');
my $dir = CGI::param('dir');
my $upload = CGI::param('upload');
my $download = CGI::param('download');
my $comment = CGI::param('comment');
my $ipaccess = CGI::param('ipaccess');
my $quotasize = CGI::param('quotasize');
my $quotafiles = CGI::param('quotafiles');

# No username submitted yet: show the form and stop.
unless (defined $username && length $username) {
print <<PAGE;
<h1>Add a FTP account</h1>
<form action=testadddatabase.pl method=post>
Username: <input type=text name=user><br>
Status: <input type=text name=status><br>
Password: <input type=text name=password><br>
User ID: <input type=text name=uid><br>
Group ID: <input type=text name=gid><br>
Home Dir: <input type=text name=dir><br>
Upload Limit: <input type=text name=upload><br>
Download Limit: <input type=text name=download><br>
Comment: <input type=text name=comment><br>
IP Access: <input type=text name=ipaccess><br>
Quota Size: <input type=text name=quotasize><br>
Quota Files: <input type=text name=quotafiles><br>
<input type=submit value="Add an FTP account">
</form>
PAGE

exit;
}

# RaiseError makes connect, prepare and execute die on failure instead of failing silently.
my $dbh = DBI->connect("dbi:mysql:pureftpd:localhost", "user", "password", { RaiseError => 1 });

# Placeholders (?) keep the submitted values out of the SQL text, so no hand-written quoting is needed.
my $sth = $dbh->prepare("insert into ftpd(User, status, Password, Uid, Gid, Dir, ULBandwidth, DLBandwidth, comment, ipaccess, QuotaSize, Quotafiles) values(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");

$sth->execute($username, $status, $password, $uid, $gid, $dir, $upload, $download, $comment, $ipaccess, $quotasize, $quotafiles);

# Escape the name before echoing it back into the HTML page.
my $shown = CGI::escapeHTML($username);

print <<PAGE;
<h1>Account added</h1>
The account $shown was just added. Want to <a href=testadddatabase.pl>add another</a>?
PAGE
</source>
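However the insert is quoted, the submitted values still become an FTP account's Uid, Gid and home directory, so they are worth checking before the row is written. The following is an added example, not part of the original script; `validate_account`, `$MIN_ID`, `$FTP_ROOT` and the patterns are assumptions to adapt to your own setup.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed policy values, not from the original page: adjust to your setup.
my $MIN_ID   = 1000;          # refuse root (0) and low system UIDs/GIDs
my $FTP_ROOT = '/home/ftp';   # every virtual user's home must live below this

# Returns a list of error strings; an empty list means the record is acceptable.
sub validate_account {
    my ($f) = @_;
    my @err;

    # Username: short allowlist of characters, no whitespace or punctuation.
    push @err, 'user: 1-32 chars of a-z, 0-9, _ or -'
        unless defined $f->{user} && $f->{user} =~ /\A[a-z0-9_-]{1,32}\z/;

    # Numeric columns must be plain non-negative integers.
    for my $k (qw(uid gid upload download quotasize quotafiles)) {
        push @err, "$k: must be an integer"
            unless defined $f->{$k} && $f->{$k} =~ /\A[0-9]{1,9}\z/;
    }

    # These become the account's Uid/Gid columns, so keep both unprivileged.
    for my $k (qw(uid gid)) {
        push @err, "$k: must be >= $MIN_ID"
            if defined $f->{$k} && $f->{$k} =~ /\A[0-9]{1,9}\z/ && $f->{$k} < $MIN_ID;
    }

    # Home directory: absolute path under $FTP_ROOT with no ".." components.
    my $dir = defined $f->{dir} ? $f->{dir} : '';
    push @err, "dir: must be below $FTP_ROOT without '..'"
        unless $dir =~ m{\A\Q$FTP_ROOT\E(?:/[A-Za-z0-9._-]+)+/?\z}
            && $dir !~ m{(?:\A|/)\.\.(?:/|\z)};

    return @err;
}

# Constructed sample submissions (not real accounts).
my %good = (user => 'alice', uid => 2001, gid => 2001, dir => '/home/ftp/alice',
            upload => 0, download => 0, quotasize => 50, quotafiles => 0);
my %bad  = (%good, uid => 0, dir => '/home/ftp/../../etc');

for my $case (['good', \%good], ['bad', \%bad]) {
    my @err = validate_account($case->[1]);
    print "$case->[0]: ", (@err ? join('; ', @err) : 'ok'), "\n";
}
```

In the CGI script, a check like this would sit between reading the parameters and calling `execute`, with the error list shown to the user in place of the insert.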

Breaking it Down

I won't use comments (#) since I will not be able to explain enough in them. I will, hopefully, explain everything here so a newbie can look at it and understand it.

<source lang=perl>
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;
use CGI::Carp qw(fatalsToBrowser);
</source>

Essentially this is the start of the script. It tells Perl which "modules" to make use of. These modules can contain certain functions or give you more information on errors etc.

<source lang=perl>
#!/usr/bin/perl
</source>

What this does is declare that this is a Perl script and that it needs to be run by the interpreter at /usr/bin/perl. This is, obviously, different on Windows machines and can differ between Linux distributions.

<source lang=perl>
use strict;
</source>

Strict makes it a bit more "strict" and pretty much slaps you, if you are about to do something nasty in your script that could create a mess. It's good for starters.

<source lang=perl>
use warnings;
</source>

Does pretty much what it says. It gives you detailed information if it sees an error in your script when you run it, and outputs it to you. In some situations, it will even tell you exactly what is wrong. Always a good idea to use this, at least for debugging purposes.

<source lang=perl>
use CGI;
</source>

This loads a module for use with CGI, the Common Gateway Interface. This is usually used when you want to do web development with Perl. It's what makes this script work.