Basic questions and answers
(1) What is a form?
- Forms: Forms are primarily responsible for data collection functions in Web pages. There are three basic components of a form:
- Form tag: Contains the URL of the CGI program used to process the form data and the method by which the data is submitted to the server.
- Form fields: Contains text boxes, password boxes, hidden fields, multiline text boxes, check boxes, radio buttons, drop-down selection boxes, file upload boxes, and so on.
- Form buttons: Include the submit button, reset button, and general button. They are used to transfer data to the CGI script on the server or to cancel input, and can also control other processing tasks for which a processing script is defined.
(2) What languages can a browser parse and run?
- Hypertext Markup Language: HTML
- Extensible Markup Language: XML
- Scripting languages: ASP, PHP, script, JavaScript, VBScript, Perl, Python, ColdFusion, Java, JSP, etc.
(3) What dynamic languages do web servers support?
- Currently, the three most commonly used dynamic web languages are ASP (Active Server Pages), JSP (JavaServer Pages), and PHP (Hypertext Preprocessor).
Experimental process
Web front-end HTML
kali:192.168.152.134
1. Environment configuration
Check whether port 80 is occupied: netstat -aptn | grep 80
Kill the process occupying it: kill 2380
Start Apache2: service apache2 start
Check that Apache is working properly
For the sake of distinction, I changed my port number to 4327.
2. Writing Web pages
- Go to /var/www/html, the folder where Apache2 stores HTML files, and modify the appropriate HTML file to design your own form
The teacher mentioned the QQ login interface, so I went online and found the HTML source code of a QQ login interface; the effect is as follows
After saving, access it in the browser: localhost:4327/4327.html
Enter anything in the text boxes above and click authorize and log in; because the downloaded HTML has no action code written for the form, nothing changes after the click.
3. Web front-end JavaScript
- The following uses JavaScript to create some simple user name and password validation rules (the user name cannot be empty, and the length of the password is limited)
Web back-end MySQL basics
1. Basic MySQL database usage
- Start the MySQL service: /etc/init.d/mysql start
- Log in as root: mysql -u root -p
- Enter the password (the default is [email protected]) to get into MySQL
show databases; shows basic information about the databases and tables
use mysql; selects the mysql database
select user, password, host from user; views the user table in the mysql database, which stores the user names, passwords, and permissions
UPDATE user SET password=PASSWORD("4327") WHERE user='root'; changes the password to 4327
- Enter flush privileges; to update the permissions
quit exits
3. Creating a MySQL database and table
- CREATE SCHEMA `4327_log`; builds a database named 4327_log
- CREATE TABLE `4327_log`.`users` ( (the table is named users)
`userid` INT NOT NULL COMMENT '',
`username` VARCHAR(<length>) NULL COMMENT '',
`password` VARCHAR(<length>) NULL COMMENT '',
`enabled` VARCHAR(5) NULL COMMENT '',
PRIMARY KEY (`userid`) COMMENT '');
4. Add Users
- Enter use 4327_log; to open the database
- Add a user with a user name and password of 4327:
- insert into users (userid,username,password,enabled) values (2,'154327',password("Lovezh"),"TRUE");
4. Web back-end database identity authentication
1. Writing the basic login
Login Successful Interface:
Writing the login web page with PHP + MySQL
I was stuck on this step for a long time. I tried a lot of different PHP code and modified my database countless times; each piece of code had its own problems, but I finally got a working version. I am posting my solution here for classmates who run into the same problems.
- Write the 123.html login page under the /var/www/html folder, and write login.php, the page it jumps to
Here is the final modified code and the way I fixed the problem.
<?php
$uname = $_POST["username"];
$pwd = $_POST["password"];
echo $uname;
// The form input is concatenated directly into the SQL text (used by the injection tests below).
$query_str = "SELECT * FROM yzhtable where username='$uname' and password='$pwd';";
/* echo "<br> {$query_str} <br>"; */
$mysqli = new mysqli("127.0.0.1", "Yzh", "4327", "4327_log");
/* Check connection */
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}
echo "Connection ok!";
/* Select queries return a resultset */
if ($result = $mysqli->query($query_str)) {
    if ($result->num_rows > 0) {
        echo "<br> Welcome login mr/mrs:{$uname} <br>";
    } else {
        echo "<br> login failed!!!! <br>";
    }
    /* Free result set */
    $result->close();
}
$mysqli->close();
?>
Login Successful Interface:
Login Failure Interface:
- While debugging I ran into this problem: opening the test page produced the following error: Forbidden
You don't have permission to access /123.html on this server.
At first I thought I had misconfigured something and spent half a day without fixing it; finally I read all the English carefully and felt that it was a matter of insufficient permissions.
Cause: Apache has insufficient permissions.
Workaround: change the file permissions. cd to the folder and change the permissions (the permission commands were covered at the start of the earlier experiments); set them to 755: chmod 755 123.html
5. Simple SQL injection
1. Always-true expression
- In the user name input box, enter ' or 1=1# and enter any password; the login succeeds
2. SQL statement injection
In the user name input box, enter: ';insert into yzhtable values('Yzhyzh','00000');# This turns the query into SELECT * FROM yzhtable WHERE username=''; INSERT INTO Yqh666table values('Yzhyzh','00000'), which would inject a user named Yzhyzh with a password of 00000 into the yzhtable table. This was unsuccessful.
Later I found that it did not succeed because
if ($result = $mysqli->query($query_str))
This call does not allow multiple statements to be executed, which is PHP's precaution against SQL attacks; replace it with
if ($result = $mysqli->multi_query($query_str))
Querying the table in the database now shows that the user yzhyzh exists
6. XSS attack test
1. DOM-based XSS
In the user name input box, enter:
once</a>
and then log in.
The login fails, but the image is displayed:
- The page kept showing a broken image.
Other students ran into the same problem, so here is a solution:
- As with the web page above, I initially suspected insufficient permissions, so I cd'd to the folder and changed the permissions (the permission commands were covered at the start of the earlier experiments), setting them to 755: chmod 755 1.jpg
The image then opened successfully
2. Pop-up windows
In the user name input box, enter: After clicking Login, the pop-up box appears:
Then, of course, the login-failed page is shown.
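A hardened form of login.php that addresses both tests above, the injected user name in section 5 and the markup reflected by echo $uname in section 6. It is an added example, not the author's code. It uses the page's yzhtable and connection values and additionally assumes that the password column stores password_hash() output; h() and check_login() are names introduced for the example.

```php
<?php
declare(strict_types=1);
// Added example, not the author's code. Connection values and yzhtable are from the page.
// Assumption: the password column holds password_hash() output, not plain text.

function h(string $s): string
{
    // Encode for an HTML body context so markup in the input is displayed as text.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function check_login(mysqli $db, string $uname, string $pwd): bool
{
    // The ? placeholder keeps input out of the SQL text: ' or 1=1# is compared
    // as a literal user name, and a prepared statement holds exactly one statement.
    $stmt = $db->prepare('SELECT password FROM yzhtable WHERE username = ?');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();          // true for a row, null when nothing matches
    $stmt->close();
    return $found === true && is_string($hash) && password_verify($pwd, $hash);
}

// Accept only scalar strings; username[]=x would otherwise arrive as an array.
$uname = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$pwd   = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // failures throw
try {
    $db = new mysqli('127.0.0.1', 'Yzh', '4327', '4327_log');
    $db->set_charset('utf8mb4');
    $ok = check_login($db, $uname, $pwd);
    $db->close();
} catch (mysqli_sql_exception $e) {
    error_log('login.php: ' . $e->getMessage());  // details stay in the server log
    http_response_code(500);
    exit('Login unavailable.');
}

if ($ok) {
    echo '<br> Welcome login mr/mrs: ' . h($uname) . ' <br>';
} else {
    echo '<br> login failed! <br>';
}
```

With this version the user name from section 5 is looked up as an ordinary string and matches no row, and a user name containing tags is printed as text instead of being rendered.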
Experiment Summary and experience
- My biggest takeaway is that you cannot be lazy when doing the experiments. I finished the first few parts right after the teacher assigned them, but when I saw how comprehensive the later parts were I put them off, and only completed them now.
- Overall, this experiment felt more difficult than the previous ones, because it required finding problems and solutions on my own, and it really did have all kinds of problems that could only be solved bit by bit. Because of this I repeated the experiment many times, which also deepened my impression of it.
20154327 EXP8 Web Foundation