in reply to Re^4: Getting values with help of curl
in thread Getting values with help of curl

system doesn't return the content, it returns the exit code. Therefore, your variable name is confusing.

map{substr$_->[0],$_->[1]||0,1}[\*||{},3],[[]],[ref qr-1,-,-1],[{}],[sub{}^*ARGV,3]

Re^6: Getting values with help of curl
by PerlMonkey22 (Novice) on Sep 07, 2022 at 09:50 UTC
    Yes, I've changed it a bit, works also fine and looks a bit better:
    my $content = `curl --silent -k -u admin:pass https://url/api/v2/GetDeviceInfo?$ARGV[0]`;
      my $content = `curl --silent -k -u admin:pass https://url/api/v2/GetDeviceInfo?$ARGV[0]`;

      Instant shell injection vulnerability:

      # have your validated backup ready
      perl yourscript.pl ';rm -rf /'

      And if someone can also gain control over the API server, a nice way to export data:

      perl yourscript.pl ' --data-binary @/etc/passwd'

      In fact, no attack on the API server is needed, a simple DNS manipulation is sufficient. You wouldn't even notice that something is wrong when someone manages to manipulate the DNS and makes your script connect to the wrong server presenting a wrong certificate, because you explicitly switched off certificate verification (curl -k a.k.a. curl --insecure).

      And, as you were told in the first reply by Corion++, you don't need to shell out at all. Perl can do HTTPS just fine without external tools like curl.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
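
The approach the reply above points to, as an added example that is not part of the original thread: the same request made from Perl with no shell and with certificate verification on. The `valid_query` allowlist, the `get_device_info` name and the `id=42` argument format are assumptions; host and credentials are the placeholders from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;                       # core module; HTTPS needs IO::Socket::SSL
use MIME::Base64 qw(encode_base64);

# Assumption: the argument is a short query string such as "id=42".
# Anything outside this allowlist (spaces, quotes, ';', '@', ...) is rejected.
sub valid_query {
    my ($q) = @_;
    return defined $q && $q =~ /\A[A-Za-z0-9._=&-]{1,128}\z/;
}

sub get_device_info {
    my ($query) = @_;
    die "refusing suspicious argument\n" unless valid_query($query);

    # verify_SSL => 1 is the opposite of curl -k: a wrong certificate
    # makes the request fail instead of silently succeeding.
    my $http = HTTP::Tiny->new(verify_SSL => 1, timeout => 10);

    # Placeholder host and credentials, as in the post.
    my $res = $http->get(
        "https://url/api/v2/GetDeviceInfo?$query",
        { headers => { Authorization => 'Basic ' . encode_base64('admin:pass', '') } },
    );
    die "request failed: $res->{status} $res->{reason}\n" unless $res->{success};
    return $res->{content};
}

# Constructed inputs: the two arguments from the post plus a harmless one.
for my $arg (q{;rm -rf /}, q{ --data-binary @/etc/passwd}, q{id=42}) {
    printf "%-30s %s\n", "'$arg'", valid_query($arg) ? 'accepted' : 'rejected';
}

# The request itself only runs when an argument is given on the command line.
print get_device_info($ARGV[0]) if @ARGV;
```

Because no shell ever sees the argument, the allowlist is a second layer rather than the only defence; the URL is handed to HTTP::Tiny as a single string.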