20144306 Web foundation of cyber confrontation

Source: Internet
Author: User
Tags: mysql, login

1 Experimental content
    • Web front end, HTML: install Apache correctly, start and stop it. Understand HTML, understand forms, understand the GET and POST methods, and write an HTML page that contains a form.
    • Web front end, JavaScript: understand basic JavaScript functionality and the DOM. Write JavaScript to verify the user name and password rules.
    • Web back end, MySQL basics: install and start MySQL normally, create a database, create a user, change the password, create a table.
    • Web back end: write a PHP web page, connect to the database, and authenticate the user.
    • The simplest SQL injection and XSS attack tests.
2 Experimental process record

2.1 Apache
    • Apache Listening Port configuration

    • Test Apache

Open 127.0.0.1:8088 in the browser; the 139 mailbox login interface from the previous experiment opens normally, showing that Apache is working properly:

Test that Apache serves files from its working directory:

Create a new text file

The browser can open it

2.2 Front-end programming
    • Writing a front-end Web page

Edit 4306.html

Edit 4306.css

The result:

It looks usable, but you cannot log in yet because the back-end PHP file has not been written.

2.3 JavaScript Dynamic Features

Source code


If you click "Sign in" without entering your username, a prompt will appear:

If you click "Login" without entering the password, a prompt box appears:

2.4 Back-end programming: PHP
    • Test PHP

No problem

    • Edit 4306.php

    • Login Test

Clicking "Login" jumps to the next page:

2.5 MySQL
    • MySQL Login

Start MySQL

Log in to MySQL

    • Create a database

Table entries can now be added

2.5 PHP + MySQL: writing the login web page
    • PHP connects to the database

Key statement

The user enters a user name and password in the login interface; these are first compared with the entries already in the database. If a matching entry exists the login succeeds, otherwise it fails.

Successful login:

Failed login:

2.6 SQL Injection
    • About SQL injection

A SQL injection vulnerability is a security flaw in the way a web application builds the query statements it sends to its back-end database. SQL commands embedded in an input string are not checked for the special strings that could form an attack, because the program's design ignores them. The back-end database then treats the injected text as normal SQL, so all kinds of operations can be performed on it, up to and including serious consequences such as destroying the back-end database.

    • Universal Login

Now try it on the website we just finished.

Construct the SQL statement: in the user name box enter ' or 恒等式 # (恒等式 stands for an identity, that is, an always-true condition), and enter anything as the password. The synthesized SQL query is then select * from users where username='' or 恒等式#' and password=password('').

Login successful

    • Inject a user name and password of your choice into the back-end database for easy login

In the user name box enter '; insert into users (userid,username,password,enabled) values (4,'hijack',password("hijack"),"TRUE"); # and enter anything as the password.

The synthesized SQL query is then select * from users where username='';insert into users(userid,username,password,enabled) values(4,'hijack',password("hijack"),"TRUE");#' and password=password('').

Click Login; the page comes back blank. Now try logging in with the injected user name and password:

Login successful

    • Another universal login

Enter ' or userid=1 ;# in the user name box, and enter anything as the password.

The synthesized SQL query is then select * from users where username='' or userid=1 ;#' and password=password('').

PS: this method requires trial and error; the table's key column is not necessarily named userid.
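The login comparison from 2.5 and the universal-login injection from 2.6, reproduced as an added Python example that is not part of the original report. It assumes an in-memory SQLite table in place of the experiment's MySQL users table, a SHA-256 digest in place of MySQL's password() function, and SQLite's -- comment marker in place of the # used in the report's MySQL payloads; the concatenated query is shown beside the parameterized one that defeats the injection.

```python
import hashlib
import sqlite3

# Stand-in for MySQL's password() function (assumption): a SHA-256 hex digest.
def pw(plain):
    return hashlib.sha256(plain.encode("utf-8")).hexdigest()

def make_db():
    """In-memory SQLite copy of the experiment's users table, holding one
    constructed sample account (not taken from the original report)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users(userid int, username text, password text, enabled text)")
    db.execute("insert into users values (1, 'alice', ?, 'TRUE')", (pw("alice-pass"),))
    db.commit()
    return db

def build_query(username, password):
    """String concatenation as the 4306.php experiment does it: whatever is
    typed into the user name box is spliced straight into the SQL text."""
    return ("select * from users where username='" + username +
            "' and password='" + pw(password) + "'")

def vulnerable_login(db, username, password):
    return db.execute(build_query(username, password)).fetchone() is not None

def safe_login(db, username, password):
    """Parameterized query: the values travel separately from the statement,
    so a quote or comment marker typed into the box is matched literally."""
    sql = "select * from users where username=? and password=?"
    return db.execute(sql, (username, pw(password))).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    # SQLite comments start with --; the report's MySQL payloads use # instead.
    for user in ("alice", "' or 1=1 --", "' or userid=1 --"):
        print(repr(user), "vulnerable:", vulnerable_login(db, user, "anything"),
              "safe:", safe_login(db, user, "anything"))
```

With the payload as the user name, vulnerable_login returns True because the comment marker discards the password check, while safe_login returns False.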

2.7 XSS attack
    • About XSS

XSS has long been among the top three OWASP vulnerabilities.

Simply put: enter a JavaScript script anywhere a site accepts normal text input, and get that script executed.

    • XSS attempts

Enter 20144306/a>

Click Login

2.8 Post & Session Management

I will study this again later; I do not want to steal the fruits of other people's work.

3 Experimental Questions answered

(1) What is a form?

A form is a region that contains form elements. Form elements let users enter content in the form, such as text fields (TEXTAREA), drop-down lists, radio buttons, check boxes, and so on. A form is set up with the form tag <form>.

(2) What language does the browser have to parse and run?

HTML, CSS, JavaScript

(3) What dynamic languages does webserver support?

PHP, ASP, .NET (I finally played with all of them again.)

4 Experimental Experience

When I was a freshman I took a basic web design course, where I edited web pages with Adobe's DW:

The back end used ASP and the database used Access. This experiment reminds me of the bitterness of that course; there were many things I did not understand then that I now somehow understand, which is also a kind of progress. I think this course did not teach me a lot of tricks; the important thing is that it gave me a new understanding of content I previously only half understood, or pretended to understand.
