Syed Jahanzaib Personal Blog to Share Knowledge !

February 17, 2016

Hotspot self registration PHP form with captcha and SMS/Email function

Filed under: Linux Related, Radius Manager — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 4:22 PM

c


TASK:

It is required that user can connect to open WiFi network (probably running Mikrotik hotspot system) and upon browsing he will see the login page with REGISTER option as well. User can self register his account on radius billing system by using PHP FORM
[for example can be used in FREE WiFi environment, exhibition, conference rooms, resorts etc].

It is also useful if you want to provide trial/free internet access but want to log all the required info , like mobile numbers, contacts, and there usage with control.

Upon submissions, PHP form will execute Linux bash script with the supplied data, and then it should perform various checks , example.

  • User must enter no less or more  then 11 numeric digits in MOBILE field.
  • User must enter no less or more  then 13 numeric digits in CNIC field.
  • User must enter correct CAPTCHA image code in order to submit the form. It is required in order to prevent BRUTE force attack using automated scripting.
  • If the user is registering for the first time, his account will be registered with specific service (the service must be added by admin, and its name is configurable in reg.sh script file. The system will send SMS (and print screen , you can configure it as per the requirements) to user mobile number supplied in the form with the login , validity and other information.
  • The user should be allowed 3 hours for the current day (or as per the profile configured in reg.sh)
  • If the user consumed 3 hours within the same date and try to register again, he will be denied with the information message that he have already registered with the same mobile and account status will be provided like still ACTIVE or EXPIRED and that he should try again next day (date).
  • If the user still have balance and account is active, he should be informed accordingly.
  • If the user have expired (dueto DATE OR UPTIME hours limit) and next date arrived, he can register again, and INFO SMS message (and print screen , you can configure it as per the requirements) will be sent to use informing that his previously registered account got renewed with the login , validity and other information.

 

Components Used:

1- Ubuntu
2- Apache Web Server
3- Radius Manager as Billing system in working condition
4- GSM Modem used to send SMS to containing the information
5- KANNEL as SMS gateway
6- Captcha code software for prevention of BRUTE force attack, Make sure to install it in /var/www/reg/securimage, test it to make sure its showing images properly. you can install captcha by following from https://aacable.wordpress.com/2015/08/12/passing-php-variables-to-shell-script-example-renew-account-via-web/
7 – Radius manager service profile, like as showed in the image below …


 

SCRIPTS:

Following PHP page and scripts should be copied to /var/www/reg folder [for ubuntu]

  1. user.php [User Input Registration Form]
  2. reg-display.php [Displays the User Input Result and execute the Script which executes the action]
  3. reg.sh [main script that executes the action based on supplied information by reg-display.sh]

 


 

 

1- user.php [User Input Registration Form]


<!DOCTYPE html>
<html>
<head>
<link href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" rel="stylesheet" type="text/css"/>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js"></script>
<script>
$(document).ready(function() {
$("#start_datepicker").datepicker({ dateFormat: 'yy-mm-dd' });
$("#end_datepicker").datepicker({ dateFormat: 'yy-mm-dd' }).bind("change",function(){
var minValue = $(this).val();
minValue = $.datepicker.parseDate("yy-mm-dd", minValue);
minValue.setDate(minValue.getDate()+1);
$("#to").datepicker( "option", "minDate", minValue );
})
});
</script>
</head>
<body style="font-size:62.5%;">
<form action="reg-display.php" method="post">
<h1><font color="blue">Register yourself to get one hour internet access for current day.<br></font> <br><br>

<pre>
MOBILE NUMBER    : <input pattern=".{11,11}" onkeypress='return event.charCode >= 48 && event.charCode <= 57' name="mobile" cnic="11 characters minimum" maxlength="11">  [11 Numeric Digits Only Without dash/space]

CNIC NO        : <input pattern=".{13,13}" onkeypress='return event.charCode >= 48 && event.charCode <= 57' name="cnic" cnic="13 characters minimum"maxlength="13">  [13 Numeric Digits Only Without dash/space]

FIRST NAME    : <input type="text" name="firstname">

LAST NAME    : <input type="text" name="lastname">

<br></h1>
</pre>
<input type="submit" value="Submit:">

<img id="captcha" src="/securimage/securimage_show.php" alt="CAPTCHA Image" />
<input type="text" name="captcha_code" size="10" maxlength="6" />
<a href="#" onclick="document.getElementById('captcha.).src = '/securimage/securimage_show.php?. + Math.random(); return false">[ Different Image ]</a>

</form>
</body>
<br>
<br>

<?php
$ip = "";
if (!empty($_SERVER["HTTP_CLIENT_IP"]))
{
//check for ip from share internet
$ip = $_SERVER["HTTP_CLIENT_IP"];
}
elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
{
// Check for the Proxy User
$ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
}
else
{
$ip = $_SERVER["REMOTE_ADDR"];
}
echo "<pre><h2>YOUR IP Address is        : $ip</h2></pre>";
?>

<h3><font color="red">This System is powered by Syed_Jahanzaib aacable@hotmail.com
</html>


 

 

2- reg-display.sh [Displays the User Input Result and execute the Script which executes the action]


<?php

include_once $_SERVER['DOCUMENT_ROOT'] . '/securimage/securimage.php';
$securimage = new Securimage();
if ($securimage->check($_POST['captcha_code']) == false) {
echo "The CAPTCHA security code entered was incorrect. Make Sure You are HUMAN - zaib!<br /><br />";
echo "Please go <a href='javascript:history.go(-1)'>back</a> and try again.";
exit;
}

$MOBILE = $_POST['mobile'];
$CNIC = $_POST['cnic'];
$FIRSTNAME = $_POST['firstname'];
$LASTNAME = $_POST['lastname'];

$ip = "";

if (!empty($_SERVER["HTTP_CLIENT_IP"]))
{
//check for ip from share internet
$ip = $_SERVER["HTTP_CLIENT_IP"];
}
elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
{
// Check for the Proxy User
$ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
}
else
{
$ip = $_SERVER["REMOTE_ADDR"];
}

echo "<h2><u>You have entered the following information:</u></h2>";
echo "<pre>Mobile        : $MOBILE</pre>";
echo "<pre>CNIC No        : $CNIC</pre>";
echo "<pre>Firstname    : $FIRSTNAME</pre>";
echo "<pre>Lastname    : $LASTNAME</pre>";
echo "<pre>IP Address is    : $ip</pre>";


echo "<h2><u>BILLING RESPONSE</u></h2>";
$var = shell_exec("TERM=xterm /var/www/reg/reg.sh $MOBILE $CNIC $ip $FIRSTNAME $LASTNAME");
echo "<pre>$var</pre>";

?>


 

3- reg.sh [main script that executes the action based on supplied information by reg-display.sh]


#!/bin/sh
# CREATE NEW USER VIA PHP/HTML INPUT FORMS AND ADD IN MYSQL DB, MADE FOR RADIUS MANAGER
# LOTS OF VAROIUS CHECKS added
# CREATED : 17-FEB-2016
# LAST MODIFIED =
# set -x

# ========================================================================================================================
# Service name (exact) you want to provide to temporary hotspot users - CHANGE IT FOR SURE - valid for RADIUS MANAGER only
SRVNAME="hotspot1mb"
# ========================================================================================================================


SQLUSER="root"
SQLPASS="MYSQL_PASSWORD"
COMPANY="JAHANZAIB-PVT-LTD"
NEXTEXPIRYADD=$(date +"%Y-%m-%d" -d "+1 days")
CURDATE=$(date +"%Y-%m-%d")
CURDATEWOD=`date +%Y%m%d`
TIME=`date | awk {'print $4'}`

# KANNEL RELATED INFORMATION
KID="kannel"
KPASS="KANNEL_PASSWORD"
KHOST="127.0.0.1"

#################################
###### DONOT EDIT BELOW  ########
#################################

# Create temporary holder if not already there, for the user data and empty it as well
touch /tmp/$1.txt
> /tmp/$1.txt
echo $1 $2 $3 $4 $5  >> /tmp/$1.txt

MOBILE=`cat /tmp/$1.txt |awk '{print $1}'`
CNIC=`cat /tmp/$1.txt |awk '{print $2}'`
IP=`cat /tmp/$1.txt |awk '{print $3}'`
FIRSTNAME=`cat /tmp/$1.txt |awk '{print $4}'`
LASTNAME=`cat /tmp/$1.txt |awk '{print $5}'`

# Look for user service ID - Example 1mbps service
SRVID=`mysql -u$SQLUSER -p$SQLPASS -e "use radius; SELECT srvid FROM radius.rm_services WHERE rm_services.srvname = '$SRVNAME';" |awk 'FNR == 2 {print $1}'`

# Look for user Registration date
REGDATE=`mysql -u$SQLUSER -p$SQLPASS -e "use radius; SELECT createdon FROM radius.rm_users WHERE rm_users.username = '$MOBILE';" |awk 'FNR == 2 {print $1}'`

# Look for registration date without digits for comparision
REGDATEWOD=`mysql -u$SQLUSER -p$SQLPASS -e "use radius; SELECT createdon FROM radius.rm_users WHERE rm_users.username = '$MOBILE';" |awk 'FNR == 2 {print $1}' | sed 's/-//g'`

#LOOK FOR VALID USER IN RADIUS
USRVALID=`mysql -uroot -p$SQLPASS -e "use radius; SELECT username FROM radius.rm_users WHERE rm_users.username = '$MOBILE';" |awk 'FNR == 2 {print $1}'`

# Look for EXPIRATION
CUREXPIRY=`mysql -uroot -p$SQLPASS --skip-column-names  -e "use radius; SELECT expiration FROM radius.rm_users WHERE rm_users.username = '$MOBILE';"`

# Look for UPTIME Limit - usually in hour unit format e.g : 1 , also it will be shown for user friendly format later
UPTIMELIMIT=`mysql -uroot -p$SQLPASS --skip-column-names  -e "use radius; SELECT timeunitonline FROM rm_services WHERE srvid = '$SRVID';"`

# Get UPTIME limit in seconds so that it can etner correctly in user propfile, seconds format also required for MYSQL TABLE for correct entry
FUPTIME=`echo "$UPTIMELIMIT*60*60" | bc`

# Welcome Message for NEW or returning User
if [ "$MOBILE" = "$USRVALID" ]; then
echo "Welcome back Mr. $FIRSTNAME $LASTNAME!"
else
echo "Welcome NEW User"
fi

# Check for registered Date, if no previous registeration date found, then treat user as NEW
if [ -z "$REGDATEWOD" ]; then
echo "No registration Date found previosly, treating it as a new user. proceed to new create new user"

# Add user in MYSQL TABLE now
mysql -u$SQLUSER -p$SQLPASS -e "use radius; INSERT INTO rm_users (
username, password, downlimit, uplimit, comblimit, firstname, lastname, company,
phone, mobile, email, address, city, zip, country, state, comment, mac, expiration,
enableuser, usemacauth, uptimelimit, srvid, staticipcm, staticipcpe, ipmodecm, ipmodecpe,
createdon, acctype, createdby, taxid, maccm, credits, owner, groupid, custattr, poolidcm, poolidcpe,
contractid, contractvalid, gpslong, gpslat, alertemail, alertsms, lang)
VALUES (
'$MOBILE', MD5('$MOBILE'), '0', '0', '0', '$FIRSTNAME', '$LASTNAME', '',
'', '', '', '', '', '', '', '', '', '', '$NEXTEXPIRYADD',
'1', '', '$FUPTIME', '$SRVID', '', '', '', '0', NOW(), '0',
'admin', '', '', '0.00', 'admin', '1', '', '', '',
'', '', '', '', 1, 1, 'English' );"

# Add user access in RADCHECK Table and SYSLOG as well
mysql -u$SQLUSER -p$SQLPASS -e "use radius; INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('$MOBILE', 'Cleartext-Password', ':=', '$MOBILE');"
mysql -u$SQLUSER -p$SQLPASS -e "use radius; INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('$MOBILE', 'Simultaneous-Use', ':=', '1');"
mysql -u$SQLUSER -p$SQLPASS -e "use radius; INSERT INTO rm_syslog (datetime, ip, name, eventid, data1) VALUES (NOW(), '$IP', 'ROBOT', '0', '$MOBILE');"
#mysql -uroot -p$SQLPASS -e "use radius; INSERT INTO tempuser (mobile, firstname, lastname, cnic, rendate) VALUES ('zaib888mobile', 'testfirst', 'testlast', '234567890', '$CURDATE $TIME');"

# Look for EXPIRATION for NEW User (account created above)
CUREXPIRY=`mysql -uroot -p$SQLPASS --skip-column-names  -e "use radius; SELECT expiration FROM radius.rm_users WHERE rm_users.username = '$MOBILE';"`

# OUTPUT RESULT FOR USER on SCREEN / OR BETTER TO SEND IT TO USER VIA SMS
echo "Dear $FIRSTNAME $LASTNAME,

Your NEW account have been successfuly registered on $COMPANY System.
You can use following login information to connect.
Your IP  = $IP
User ID  = $MOBILE
Password = $MOBILE
Validity = $CUREXPIRY
Uptime   = $UPTIMELIMIT Hours

Regard's
$COMPANY" > /tmp/$MOBILE.sms

cat /tmp/$MOBILE.sms

echo "Sending SMS to the registered Mobile number"

# Sending NEW ACCOUNT CREATION INFO  SMS to user mobile numbers
curl "http://$KHOST:13013/cgi-bin/sendsms?username=$KID&password=$KPASS&to=$MOBILE" -G --data-urlencode text@/tmp/$MOBILE.sms

else

#######################################
# Check for ACCOUNT status for ACTIVE OR EXPIRED
STATUS=""
ESTATUS=""
LTATUS=""

QSTATUS=`mysql -uroot -p$SQLPASS --skip-column-names  -e "use radius; SELECT SQL_CALC_FOUND_ROWS username, firstname, lastname, address, city, zip, country, state, phone, mobile,
email, company, taxid, srvid, downlimit, uplimit, comblimit, expiration, uptimelimit, credits, comment,
enableuser, staticipcpe, staticipcm, ipmodecpe, ipmodecm, srvname, limitdl, limitul, limitcomb, limitexpiration,
limituptime, createdon, verifycode, verified, selfreg, acctype, maccm, LEFT(lastlogoff, 10)
, IF (limitdl = 1, downlimit - COALESCE((SELECT SUM(acctoutputoctets) FROM radacct
WHERE radacct.username = tmp.username) -
(SELECT COALESCE(SUM(dlbytes), 0) FROM rm_radacct
WHERE rm_radacct.username = tmp.username), 0), 0),

IF (limitul = 1, uplimit - COALESCE((SELECT SUM(acctinputoctets) FROM radacct
WHERE radacct.username = tmp.username) -
(SELECT COALESCE(SUM(ulbytes), 0) FROM rm_radacct
WHERE rm_radacct.username = tmp.username), 0), 0),

IF (limitcomb =1, comblimit - COALESCE((SELECT SUM(acctinputoctets + acctoutputoctets) FROM radacct
WHERE radacct.username = tmp.username) -
(SELECT COALESCE(SUM(ulbytes + dlbytes), 0) FROM rm_radacct
WHERE rm_radacct.username = tmp.username), 0), 0),

IF (limituptime = 1, uptimelimit - COALESCE((SELECT SUM(acctsessiontime) FROM radacct
WHERE radacct.username = tmp.username) -
(SELECT COALESCE(SUM(acctsessiontime), 0) FROM rm_radacct
WHERE rm_radacct.username = tmp.username), 0), 0)

FROM
(
SELECT username, firstname, lastname, address, city, zip, country, state, phone, mobile, email, company,
taxid, rm_users.srvid, rm_users.downlimit, rm_users.uplimit, rm_users.comblimit, rm_users.expiration,
rm_users.uptimelimit, credits, comment, enableuser, staticipcpe, staticipcm, ipmodecpe, ipmodecm, srvname, limitdl,
limitul, limitcomb, limitexpiration, limituptime, createdon, verifycode, verified, selfreg, acctype, maccm,
mac, groupid, contractid, contractvalid, rm_users.owner, srvtype, lastlogoff
FROM rm_users
JOIN rm_services USING (srvid)

ORDER BY username ASC
) AS tmp
WHERE 1
AND username LIKE '$MOBILE%'
AND (tmp.acctype = '0'  OR tmp.acctype = '6' )
AND tmp.enableuser = 1 AND
(IF (limitdl = 1, downlimit - (SELECT COALESCE(SUM(acctoutputoctets), 0)
FROM radacct WHERE radacct.username = tmp.username) - (SELECT COALESCE(SUM(dlbytes), 0)
FROM rm_radacct WHERE rm_radacct.username = tmp.username) , 1) <= 0
OR
IF (limitul = 1, uplimit - (SELECT COALESCE(SUM(acctinputoctets), 0)
FROM radacct WHERE radacct.username = tmp.username) - (SELECT COALESCE(SUM(ulbytes), 0)
FROM rm_radacct WHERE rm_radacct.username = tmp.username) , 1) <= 0
OR
IF (limitcomb = 1, comblimit -
(SELECT COALESCE(SUM(acctinputoctets + acctoutputoctets), 0)
FROM radacct WHERE radacct.username = tmp.username) +
(SELECT COALESCE(SUM(ulbytes + dlbytes), 0)
FROM rm_radacct WHERE rm_radacct.username = tmp.username) , 1) <= 0
OR
IF (limituptime = 1, uptimelimit - (SELECT COALESCE(SUM(acctsessiontime), 0)
FROM radacct WHERE radacct.username = tmp.username) + (SELECT COALESCE(SUM(acctsessiontime), 0)
FROM rm_radacct WHERE rm_radacct.username = tmp.username) , 1) <= 0
OR
IF (limitexpiration=1, UNIX_TIMESTAMP(expiration) - UNIX_TIMESTAMP(NOW()), 1) <= 0)

LIMIT 0, 50;"`


# Store STATUS for ACTIVE OR EXPIRED in VARIABLE
if [ -z "$QSTATUS" ]; then
FSTATUS="ACTIVE"
else
FSTATUS="EXPIRED"
fi

# IF user registered today, then DONOT RE_REGISTER the USER and EXIT THE SCRIPT / zaib
if [ "$REGDATEWOD" -eq "$CURDATEWOD" ]; then
echo "Dear Mr. $FIRSTNAME $LASTNAME

INFO: This mobile number is already allowed to use intenret for today!

Account Details:
USER ID = $MOBILE
STATUS = $FSTATUS
Expiration    = $CUREXPIRY
Uptime Limit = $UPTIMELIMIT - Hours

For same day, you cannot register new account or Renew old account on same mobile number

$COMPANY
" > /tmp/$MOBILE.sms

cat /tmp/$MOBILE.sms

echo "Sending SMS to the registered Mobile number"

# Sending DENIAL (already registered and ACTIVE)  SMS to user mobile numbers
curl "http://$KHOST:13013/cgi-bin/sendsms?username=$KID&password=$KPASS&to=$MOBILE" -G --data-urlencode text@/tmp/$MOBILE.sms

exit 0
fi

# IF Account is ACTIVE AND VALID FOR TODAY, then INFORM USER AND EXIT THE SCRIPT

if [ "$FSTATUS" = "ACTIVE" ]; then
echo "Account Already ACTIVE
Validity = $CURDATE
Uptime   = $UPTIMELIMIT Hours"

exit 0
fi

# IF USER is ALREADY IN DB, AND STATUS IS EXPIRED, AND VALID FOR RENEWAL (24 HOURS PASSWED) THEN RENEW THE USER : ) / zaib
mysql -uroot -p$SQLPASS --skip-column-names  -e "use radius; UPDATE rm_users SET downlimit = '0', uplimit = '0', comblimit = '0', expiration = '$NEXTEXPIRYADD', uptimelimit = '$FUPTIME', warningsent = 0 WHERE username = '$MOBILE';"
# or IF uptime doesn't added properly, you can zero its accounting status so that no need to use uptime

# use this command update radacct set acctsessiontime=0 where username='$MOBILE';

# Add Renewal Info in SYSLOG
mysql -u$SQLUSER -p$SQLPASS -e "use radius; INSERT INTO rm_syslog (datetime, ip, name, eventid, data1) VALUES (NOW(), '$IP', 'ROBOT', '0', '$MOBILE');"

# OUTPUT RESULT FOR USER on SCREEN / OR BETTER TO SEND IT TO USER VIA SMS
echo "Dear $FIRSTNAME $LASTNAME,

INFO: Your account have been renewed successfully.
You can use following login information.

User ID  = $MOBILE
Password = $MOBILE
Validity = $CURDATE
Uptime   = $UPTIMELIMIT Hour

Regard's
$COMPANY"  > /tmp/$MOBILE.sms

# Output DATA on screen for user
cat /tmp/$MOBILE.sms

echo "Sending SMS to the registered Mobile number"
# Sending Renewal SMS to user mobile numbers
curl "http://$KHOST:13013/cgi-bin/sendsms?username=$KID&password=$KPASS&to=$MOBILE" -G --data-urlencode text@/tmp/$MOBILE.sms

fi

### THE END, SCRIPT ENDS HERE ###
### MADE BY SYED JAHANZAIB ###
### AACALBE AT HOTMAIL DOT COM ###
### https://aacable.wordpress.com ###


 

SCRIPTS OUTPUT :

 

1- User Registration Page

1- web login form

UPON SUBMISSION YOU MAY GET BELOW RESULTS (AS PER THE INPUT PROVIDED BY THE USER)

finger


 

2- Successful registration for the NEW user

2- new user registered successfully

and on SMS

m 1


 

3- Deny registration of same user for the same DATE

3- already registered account and still active

and on SMS

m 2


 

4- Allow renewal for the OLD users  if there account status is EXPIRED and registration date is not same.

4- old account got reneewedand on sms

m 3

 

DONE !


 

Regard’s
Syed Jahanzaib

Advertisements

August 12, 2015

Passing PHP variables to Shell Script with CAPTCHA code [Example renew account via web]

Filed under: Linux Related, Radius Manager — Tags: , , , , — Syed Jahanzaib / Pinochio~:) @ 2:05 PM


For my personnel archive purpose only:

All of these tests were made in lab and later on tested on production network as well and worked perfectly. BUT before deploying it in production, one must ensure security , specially try to host it on https server, MUST add captcha in form to prevent BOTS attack, + one should consider BASH security and trimming + some functions to match with real live environment. all can be done easily if you have some knowledge on html/php/bash.


 

Scenario:

A simple portal page is required where user can input there user name and refill code in order to renew there internet account on billing system [in this example radius manager is being used]. then this html page will pass the user name and card number variable to php page which will execute an shell script to trigger renewal action based on the supplied variables. The shell script will check for following

  • Check for Valid Users name in Billing
  • Check for Valid Card number in billing refill card database
  • Check if card is used or not
  • Check the user current package and compare it with the card value
  • If all OK, renew the user account for next 30 days (or whatever actions is required)
  • Output the result to browser

 


 

Following file will present FORM where user can enter there user name and pin code/refill code.

input.html

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Refill your account ! </title>
</head>
<body>
<h1>Refill your account using scratch code:</h1>
<form method="post" action="function.php">
User Name: <br />
<input type="text" name="USERNAME" size="35" />
<br />
Card No: <br />
<input type="text" name="CARDNO" size="35" />
<br /> <br />
<input type="submit" value="Submit:" />
<br />
</form>
</body>
</html>

Following file will execute the SHELL script with the supplied username and pincode variable and echo there result in the browser.

function.php

<?php
$USERNAME = $_POST[‘USERNAME’];
$CARDNO = $_POST[‘CARDNO’];

if(empty($USERNAME ) || empty($CARDNO )) {
echo “<h2>You must fill in all fields</h2>\n” ;
die (“Click Back to start again.”);
}
echo “<h2>You have entered the following information:</h2>”;
echo “<pre>Customer name\t=\t$USERNAME <br></pre> “;
echo “<pre>Card No\t\t=\t$CARDNO</pre>”;

echo “<h2>BILLING RESPONSE</h2>”;
echo “======================”;
$var = shell_exec(“TERM=xterm /var/www/html/renew.sh $USERNAME $CARDNO”);
echo “<pre>$var</pre>”;
?>



BASH Shell script which will be executed by the function.php file

Contents of /var/www/html/renew.sh

{lab testing version, working ok, it may contain lot of junk or it can be trimmed, it’s upto you to make it look pro}

#!/bin/bash
#set -x
# SCRIPT TO RENEW USER ACCOUNT IN RADIUS MANAGER VIA WEB PORTAL
SQLUSER=”root”
SQLPASS=”zaib1234″
echo $1 $2 > /tmp/user-card
USR=`cat /tmp/user-card | awk {‘ print $1 ‘}`
CARD=`cat /tmp/user-card | awk {‘ print $2 ‘}`
NEXTEXPIRYADD=$(date +”%Y-%m-%d” -d “+31 days”)

#LOOK FOR EMPTY CARD NO IF ENTERED , EXIT
if [ “$1” == “” ]; then
echo -e “ERROR: ENTER USER NAME WITH CARD NUMBER PLEASE!”
exit 0
fi

#LOOK FOR VALID USER IN RADIUS
USRVALID=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT srvid FROM radius.rm_users WHERE rm_users.username = ‘$USR’;”`
if [ “$USRVALID” == “” ]; then
echo -e “ERROR: USER NOT FOUND IN BILLING SYSTEM!!”
exit 0
fi

#LOOK FOR EMPTY CARD NO IF ENTERED , EXIT
if [ “$2” == “” ]; then
echo -e “ERROR: PLEASE ENTER CARD NUMBER!!”
exit 0
fi

# LOOK FOR USED CARDS
CARDSTATUS=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT SQL_CALC_FOUND_ROWS cardnum, used, revoked, expiration, value, date, owner FROM rm_cards WHERE cardtype = ‘1’ AND cardnum = ‘$2’  ORDER BY cardnum ASC LIMIT 0, 50;” |  awk {‘print $8}’`
if [ -n “$CARDSTATUS” ]; then
echo -e “CARD IS ALREADY USED”
exit 0
fi

######################
# ACCOUNT EXPIRY CHECK
######################

TODAY=$(date +”%Y-%m-%d”)
TODAYDIGIT=`echo $TODAY  | sed -e ‘s/-//g’`
MONTH=$(date +”-%m”)
CMONTH=`echo $MONTH  | sed -e ‘s/-//g’`
MONTHYEAR=$(date +”%B-%Y”)
ALPHAMONTHYEAR=`echo $MONTHYEAR #| sed -e ‘s/-//g’`
SRVEXPIRYFULL=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT expiration FROM radius.rm_users WHERE username = ‘$USR’;” |awk ‘FNR == 2’`
SRVEXPIRYFULLD=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT expiration FROM radius.rm_users WHERE username = ‘$USR’;” |awk ‘{print $1}’ | sed ‘s/expiration//’`
SRVEXPIRY=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT expiration FROM radius.rm_users WHERE username = ‘$USR’;” |awk ‘FNR == 2’ | sed -e ‘s/-//g’ | sed ‘s/00:.*//’`
LOGOFFDATE=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT lastlogoff FROM radius.rm_users WHERE username = ‘$USR’;”  |awk ‘FNR == 2 {print $1,$2}’`
SRVID=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT srvid FROM radius.rm_users WHERE rm_users.username = ‘$USR’;” |awk ‘FNR == 2 {print $1}’`
SRVPRICE=`mysql -u$SQLUSER -p$SQLPASS -e “use radius;  SELECT unitprice FROM radius.rm_services WHERE rm_services.srvid = $SRVID;” |awk ‘FNR == 2 {print $1}’ | cut -f1 -d”.”`
CARDPRICE=`mysql -u$SQLUSER -p$SQLPASS -e “use radius;  SELECT value FROM rm_cards WHERE cardnum = $CARD;” |awk ‘FNR == 2 {print $1}’ | cut -f1 -d”.”`
#LOOK FOR USER ACTUAL SERVICE NAME
PKGNAME=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT srvname FROM radius.rm_services WHERE rm_services.srvid = ‘$SRVID’;” |awk ‘FNR == 2’`
# Look for Pakacge Quota trafficunitcomb
PKGQUOTA=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT trafficunitcomb FROM rm_services WHERE srvid= ‘$SRVID’;” |awk ‘FNR == 2’`
PKGQUOTAB=$(($PKGQUOTA / 1024))
# Acount Registration FIRST n LAST NAME
USERFLNAME=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT firstname,lastname FROM radius.rm_users WHERE rm_users.username = ‘$1’;” |awk ‘FNR == 2 {print $1,$2,$3}’;`

# LOOK FOR VALID REFILL CARD CODE IN RADIUS CARDS LIST
CARDVALIDATION=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; SELECT value, expiration FROM rm_cards WHERE cardnum = ‘$CARD’ AND used = ‘0000-00-00 00:00:00’;”`
if [ “$CARDVALIDATION” == “” ]; then
echo -e “ERROR: INVALID CARD NUMBER!”
exit 0
else

# IF CARD VALUE IS LESS THEN CURRENT PACKAGE PRICE THEN PRINT ERROR AND GOTO END
if [ $CARDPRICE -lt $SRVPRICE ]
then
echo -e “ERROR: CARD PRICE IS NOT SUFFICIENT TO REFRESH $PKGNAME SERVICE”
exit 0
else

# IF CARD VALUE IS EQUAL OR HIGHER  THEN CURRENT PACKAGE PRICE THEN OK
if [ $CARDPRICE -eq $SRVPRICE ]
then
echo
fi

########### ACCOUNT STATUS EXPIRED TODAY ACTION ############
if [ $SRVEXPIRY -eq $TODAYDIGIT ]
then
echo “Account have been EXPIRED TODAY! Last LOGOUT date was $LOGOFFDATE”
NEXTEXPIRYADD=$(date +”%Y-%m-%d” -d “+31 days”)

# PRINT FETCHED VALUES , JUST FOR INFO / ZAIB
echo User Account  = $USR
echo User Actual Package at Billing = $PKGNAME PKR
echo Service Price at Billing = $SRVPRICE PKR
echo This Card Value is    = $CARDPRICE PKR
echo -e “Next Expiry =  $NEXTEXPIRYADD”

# ADD 30 DAYS VALUE TO EXPIRED USER ACCOUNT
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_users SET expiration = ‘$NEXTEXPIRYADD’ WHERE username = ‘$USR’;”

# ADD COMMENTS
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_users SET comment = ‘This account was last refresh from scratch code by SMS’ WHERE username = ‘$USR’;”

# ADD SYSLOG ENTRY
mysql -u$SQLUSER -p$SQLPASS -e “use radius; INSERT INTO rm_syslog (datetime, ip, name, eventid, data1) VALUES (NOW(), ‘n/a’, ‘SMSUSER_$USR’, ‘$USR’, ‘$USR renewd service > $PKGNAME’);”

# ADD ENTRY FOR CURRENT DATE TIME IN REFIL CARD TO PREVENT RE-USAGE OF SAME CARD NUMBER
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_cards SET owner = ‘$USR’, used = NOW() WHERE cardnum = ‘$CARD’;”

########### ACCOUNT STATUS EXPIRED IN PAST ACTION ############

elif [ $SRVEXPIRY -lt $TODAYDIGIT ]
then
echo “ACCOUNT WAS EXPIRED on $SRVEXPIRYFULL !  Last LOGOUT date was $LOGOFFDATE”
NEXTEXPIRYADD=$(date +”%Y-%m-%d” -d “+31 days”)

# PRINT FETCHED VALUES , JUST FOR INFO / ZAIB
echo User Account  = $USR
echo User Actual Package at Billing = $PKGNAME PKR
echo Service Price at Billing = $SRVPRICE PKR
echo This Card Value is    = $CARDPRICE PKR
echo -e “Next Expiry =  $NEXTEXPIRYADD”

# ADD 30 DAYS VALUE TO EXPIRED USER ACCOUNT
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_users SET expiration = ‘$NEXTEXPIRYADD’ WHERE username = ‘$USR’;”

# ADD COMMENTS
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_users SET comment = ‘This account was last refresh from scratch code by SMS’;”

# ADD SYSLOG ENTRY
mysql -u$SQLUSER -p$SQLPASS -e “use radius; INSERT INTO rm_syslog (datetime, ip, name, eventid, data1) VALUES (NOW(), ‘n/a’, ‘SMSUSER_$USR’, ‘$USR’, ‘$USR renewd service > $PKGNAME’);”

# ADD ENTRY FOR CURRENT DATE TIME IN REFIL CARD TO PREVENT RE-USAGE OF SAME CARD NUMBER
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_cards SET owner = ‘$USR’, used = NOW() WHERE cardnum = ‘$CARD’;”

# Update QUOTA for the USER
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_users SET comblimit = ‘$PKGQUOTAB’ WHERE username = ‘$USR’;”

else
########### ACCOUNT STATUS OK! ACTION ############

echo -e “User Billing Info:”
echo “Account STATUS= OK!”

NEXTEXPIRYADD=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; select DATE_ADD(expiration, INTERVAL 31 DAY) as x from rm_users where username= ‘$USR’;” |awk ‘FNR == 2’`

# PRINT FETCHED VALUES , JUST FOR INFO / ZAIB
echo User Account  = $USR
echo Owner = $USERFLNAME
echo User Actual Package at Billing = $PKGNAME PKR
echo Service Price at Billing = $SRVPRICE PKR
echo This Card Value is    = $CARDPRICE PKR
echo -e “Next Expiry =  $NEXTEXPIRYADD”

NEXTEXPIRYADD=`mysql -u$SQLUSER -p$SQLPASS -e “use radius; select DATE_ADD(expiration, INTERVAL 31 DAY) as x from rm_users where username= ‘$USR’;” |awk ‘FNR == 2’`

# ADD 30 DAYS VALUE TO EXPIRED USER ACCOUNT
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_users SET expiration = ‘$NEXTEXPIRYADD’ WHERE username = ‘$USR’;”

# ADD COMMENTS
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_users SET comment = ‘This account was last refresh from scratch code by SMS’ WHERE username = ‘$USR’;”

# ADD SYSLOG ENTRY
mysql -u$SQLUSER -p$SQLPASS -e “use radius; INSERT INTO rm_syslog (datetime, ip, name, eventid, data1) VALUES (NOW(), ‘n/a’, ‘SMSUSER_$USR’, ‘$USR’, ‘$USR renewd service > $PKGNAME’);”

# ADD ENTRY FOR CURRENT DATE TIME IN REFIL CARD TO PREVENT RE-USAGE OF SAME CARD NUMBER
mysql -u$SQLUSER -p$SQLPASS -e “use radius; UPDATE rm_cards SET owner = ‘$USR’, used = NOW() WHERE cardnum = ‘$CARD’;”

fi
fi
fi

########### ACCOUNT STATUS EXPIRED TODAY ACTION ############
if [ $PKGQUOTA -eq 0 ]
then
echo -e “Total Quota Allowed = No Quota”
else
echo -e “Total Quota Allowed = $PKGQUOTAB GB”
fi
echo -e “Done/Note: Card Number $CARD is marked as used in DB to prevent re-usege”


 

RESULTS:

1- enter details


 

If the script found that the user name not valid in the billing , spit the error

0- user not found


 

If the script found that the card number is not available in the billing , spit the error

2- invalid number


 

If the script found that the card number entered is already used , spit the error

3- card already used


 

If the script found both fields blank, spit the error

4- you must fill in all fields


 

If the script found user name and card matches, then proceed to renew the account

5- if all ok renew the account

You can also take different actions like send Email / SMS to ADMIN, and user both or any other action.


 


 


 


 


 

re-captcha

ADDING CAPTCHA SECURITY IN FORM

To add captcha security in html form, (which should be must in my opinion for security reasons)

Download secureimage and unzip in your web folder like /var/www/html/secureimage

mkdir /temp

cd /temp

wget https://www.phpcaptcha.org/latest.tar.gz

tar zxvf latest.tar.gz

mv securimage/ /var/www/html/

Now edit the html form to add the captcha facility

TEST.HTML [Red highlighted are our code for captcha]

<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />
<title>Refill your account ! </title>
</head>
<body>
<h1>Refill your account using scratch code:</h1>
<form method=”post” action=”test.php”>
User Name: <br />
<input type=”text” name=”USERNAME” size=”35″ />
<br />
Card No: <br />
<input type=”text” name=”CARDNO” size=”35″ />
<br /> <br />
<input type=”submit” value=”Submit:” />
<br />
</body>
<img id=”captcha” src=”/securimage/securimage_show.php” alt=”CAPTCHA Image” />
<input type=”text” name=”captcha_code” size=”10″ maxlength=”6″ />
<a href=”#” onclick=”document.getElementById(‘captcha’).src = ‘/securimage/securimage_show.php?’ + Math.random(); return false”>[ Different Image ]</a>
</form>
</html>

TEST.PHP [Red highlighted are our code for captcha]

<?php
include_once $_SERVER[‘DOCUMENT_ROOT’] . ‘/securimage/securimage.php’;
$securimage = new Securimage();
if ($securimage->check($_POST[‘captcha_code’]) == false) {
  echo “The CAPTCHA security code entered was incorrect. Make Sure You are HUMAN  zaib!<br /><br />”;
  echo “Please go <a href=’javascript:history.go(-1)’>back</a> and try again.”;
  exit;
}
$USERNAME = $_POST[‘USERNAME’];
$CARDNO = $_POST[‘CARDNO’];
if(empty($USERNAME ) || empty($CARDNO )) {
echo “<h2>You must fill in all fields</h2>\n” ;
die (“Click Back to start again.”);
}
echo “<h2>You have entered the following information: zaib</h2>”;
echo “<pre>Customer name\t=\t$USERNAME <br></pre> “;
echo “<pre>Card No\t\t=\t$CARDNO</pre>”;
echo “<h2>BILLING RESPONSE</h2>”;
echo “======================”;
$var = shell_exec(“TERM=xterm /var/www/html/renew.sh $USERNAME $CARDNO”);
echo “<pre>$var</pre>”;
?>

Now result would be as follow

captcha

captcha-wrong


Regard’s
Syed JAHANZAIB

%d bloggers like this: