cgi web页面传入命令

目录

0 实现一个返回json格式应答的CGI

1 实现一个form来发送http请求

2 实现一个返回html页面,标题和内容都为Hello World

3 温故知新

(1) Introduction to CGI

(2) Basic Bash CGI Example

(3) Processing Bash CGI Input

(4) CGI Security


0 实现一个返回json格式应答的CGI

 

#!/bin/bash

echo "Content-type: text/html"

echo ""

# ok, we've sent the header, now send some content

echo "{\"ret\":0,\"msg\":\"ok\"}"

 

测试方法:

 

将上述的Bash脚本放在Websvr下,可以通过curl命令发送http请求,例如:curl "http://172.25.81.16/cgi-bin/ret_json_ok.sh",然后会返回:{"ret":0,"msg":"ok"}。

1 实现一个form来发送http请求

效果如下图所示:

 

实现方法分两步:
(1) 写一个简单的html页面,例如,form.html

<FORM ACTION="/cgi-bin/form_test.sh">

Enter Host: <INPUT name="host">

<INPUT TYPE=SUBMIT VALUE="Submit">

</FORM>

(2) 写一个接收请求的CGI,上面的ACTION已指定,即,form_test.sh

#!/bin/bash

echo 'Content-type: test/html'

echo ''

echo $QUERY_STRING

2 实现一个返回html页面,标题和内容都为Hello World

返回的页面效果如下图:

实现方法,同样实现一个CGI,只是返回的内容是一个html:

#!/bin/bash

echo 'Content-type: test/html'

echo ''

echo '<html>'

echo '<head>'

echo '<meta http-equiv="Content-Type" content="text/html; charst=UTF-8">'

echo '<title>Hello World</title>'

echo '</head>'

echo '<body>'

echo 'Hello World'

echo '</body>'

echo '</html>'

exit 0

3 温故知新

通过上面几个非常简单的例子,下面总结一些基本概念:
 

(1) Introduction to CGI

Web CGI programs can be written in any language which can process standard input (stdin),environment variables and write to standard output (stdout).The web server will interact with all CGI programs using the "Common Gateway Interface" (CGI) standard as set by RFC 3875. This capability is possessed by most modern computer programming and scripting languages, including the bash shell.

 

(2) Basic Bash CGI Example

CGI programs typically perform the following:

  • All CGI scripts must write out a header used by the browser to identify the content.
  • They typically process some input. (URL, form data or ISINDEX)
  • CGI can access environment variables set by the web server.
  • CGI scripts will write out HTML content to be viewed. This typically has the structure of the "head" which contains non-viewable content and "body" which provides the viewable content.

Script Location:

Various distributions of Linux locate the CGI directory in different directory paths. The path is set by the web server configuration file. For the Apache web server, the "ScriptAlias" directive defines the CGI path:

Linux DistributionPath
Red Hat Enterprise, 7.x-9, Fedora core, CentOS/var/www/cgi-bin/
Red Hat 6.x and older/home/httpd/cgi-bin/
SuSe/srv/www/cgi-bin/
Ubuntu/Debian/usr/lib/cgi-bin/

 

 

Script Permissions:

The script will require system executable permissions: chmod +x /var/www/cgi-bin/hello.sh

 

If using SELinux, the security context must also permit execution: chcon -t httpd_sys_content_t /var/www/cgi-bin/hello.sh

 

Executing Shell Commands:

 

Typically one will want to process shell or system commands:

Add the paths required to find the commands:

 

(3) Processing Bash CGI Input

 

Accessing Environment Variables:

The web server will pass environment variables to the CGI which it can access and use. This is very simple for bash.

#!/bin/bash

echo "Content-type: text/html"

echo ""

echo '<html>'

echo '<head>'

echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'

echo '<title>Environment Variables</title>'

echo '</head>'

echo '<body>'

echo 'Environment Variables:'

echo '<pre>'

/usr/bin/env

echo '</pre>'

echo '</body>'

echo '</html>'

exit 0

 

 

Typically one will want to process input from the URL "QUERY_STRING" such as "namex=valuex&namey=valuey&namez=valuez" extracted from the following URL:http://localhost/cgi-bin/env.sh?namex=valuex&namey=valuey&namez=valuez

Script Description:

  • Script will loop through all of the arguments in environment variable "QUERY_STRING" as separated by the delimiter "&". Thus the script loops three times with the following "Args":
    • namex=valuex
    • namey=valuey
    • namez=valuez
  • For each "Args" line, look for each token separated by the delimeter "=". Component 1 ($1) and component 2 ($2).
  • Use "sed" to parse and substitute characters. A blank space is substituted for all %20's.
#!/bin/bash

echo "Content-type: text/html"

echo ""

echo '<html>'

echo '<head>'

echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'

echo '<title>Environment Variables</title>'

echo '</head>'

echo '<body>'

echo 'Parse Variables:'

# Save the old internal field separator.

OIFS="$IFS"

# Set the field separator to & and parse the QUERY_STRING at the ampersand.

IFS="${IFS}&"

set $QUERY_STRING

Args="$*"

IFS="$OIFS"

# Next parse the individual "name=value" tokens.

ARGX=""

ARGY=""

ARGZ=""

for i in $Args ;do

# Set the field separator to =

IFS="${OIFS}="

set $i

IFS="${OIFS}"

case $1 in

# Don't allow "/" changed to " ". Prevent hacker problems.

namex) ARGX="`echo $2 | sed 's|[\]||g' | sed 's|%20| |g'`"

;;

# Filter for "/" not applied here

namey) ARGY="`echo $2 | sed 's|%20| |g'`"

;;

namez) ARGZ="${2/\// /}"

;;

*) echo "<hr>Warning:"\

"<br>Unrecognized variable \'$1\' passed by FORM in QUERY_STRING.<hr>"

;;

esac

done

echo 'Parsed Values:'

echo '<br>'

echo $ARGX

echo '<br>'

echo $ARGY

echo '<br>'

echo $ARGZ

echo '</body>'

echo '</html>'

exit 0

Output:

Parsed Values:
valuex
valuey
valuez

You will get the same results for: http://node1.megawww.com/cgi-bin/env.sh?namex=valuex&namez=valuez&namey=valuey

Typically one will also want to produce and process input from an HTML form:

URL: http://localhost/cgi-bin/exampleForm.sh

#!/bin/bash

echo "Content-type: text/html"

echo ""

echo '<html>'

echo '<head>'

echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'

echo '<title>Form Example</title>'

echo '</head>'

echo '<body>'

echo "<form method=GET action=\"${SCRIPT}\">"\

'<table nowrap>'\

'<tr><td>Input</TD><TD><input type="text" name="val_x" size=12></td></tr>'\

'<tr><td>Section</td><td><input type="text" name="val_y" size=12 value=""></td>'\

'</tr></table>'

echo '<input type="radio" name="val_z" value="1" checked> Option 1<br>'\

'<input type="radio" name="val_z" value="2"> Option 2<br>'\

'<input type="radio" name="val_z" value="3"> Option 3'

echo '<br><input type="submit" value="Process Form">'\

'<input type="reset" value="Reset"></form>'

# Make sure we have been invoked properly.

if [ "$REQUEST_METHOD" != "GET" ]; then

echo "<hr>Script Error:"\

"<br>Usage error, cannot complete request, REQUEST_METHOD!=GET."\

"<br>Check your FORM declaration and be sure to use METHOD=\"GET\".<hr>"

exit 1

fi

# If no search arguments, exit gracefully now.

if [ -z "$QUERY_STRING" ]; then

exit 0

else

# No looping this time, just extract the data you are looking for with sed:

XX=`echo "$QUERY_STRING" | sed -n 's/^.*val_x=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`

YY=`echo "$QUERY_STRING" | sed -n 's/^.*val_y=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`

ZZ=`echo "$QUERY_STRING" | sed -n 's/^.*val_z=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`

echo "val_x: " $XX

echo '<br>'

echo "val_y: " $YY

echo '<br>'

echo "val_z: " $ZZ

fi

echo '</body>'

echo '</html>'

exit 0


Note that the environment variables $REQUEST_METHOD and $QUERY_STRING can be processed by the shell directly.

 

You can string together more "sed" translators as needed (depending on your content):| sed "s/%20/ /g" | sed "s/%3A/:/g" | sed "s/%2F/\//g"

(4) CGI Security

One must filter the input to avoid cross site scripting. Filter out "<>&*?./" to avoid trouble from hackers.

  • 0
    点赞
  • 2
    评论
  • 1
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

相关推荐
©️2020 CSDN 皮肤主题: 猿与汪的秘密 设计师:白松林 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值