20154327 EXP8 Web Foundation

Basic question Answer

(1) What is a form?

• Forms: Forms are primarily responsible for data collection functions in Web pages. There are three basic components of a form:
• Form Labels: Here The bread contains the URL of the CGI program used to process the form data and the method by which the data is submitted to the server.
• Form fields: Contains text boxes, password boxes, hidden fields, multiline text boxes, check boxes, radio boxes, drop-down selection boxes, file upload boxes, and so on.
• Form buttons: Includes the Submit button, reset button, and General button, which can be used to transfer data to CGI scripts on the server, or to cancel input, and to use form buttons to control other processing tasks that define the processing script

(2) browser can parse what language to run

• Hypertext Markup Language: HTML
• Extensible Markup Language: XML
• Scripting languages: ASP, PHP, script, JavaScript, VBScript, Perl, Python, ColdFusion, Java, JSP, etc.

(2) What dynamic languages are supported by webserver

• Currently, the three most commonly used dynamic web languages are ASP (Activeserverpages), JSP (javaserverpages), PHP (Hypertextpreprocessor).

Experimental process Web front-end HTML

kali:192.168.152.134

1. Environment configuration

• Check if Port 80 is occupied: NETSTAT-APTN | grep 80
  Kill the occupied process: Kill 2380
  Open Apache2:service apache2 Start
  

• Detects if Apache is working properly
  

• For the sake of distinction, I changed my port number to 4327.
  
  

2. Writing Web pages

• Enter Apache2 's folder to store HTML files/var/www/html modify the appropriate HTML file to design your own form

• The teacher mentioned QQ landing interface, I went online to find the next QQ landing interface HTML source code, the effect is as follows
  

• After saving in browser access: localhost:4327/4327.html
  

• In the text box above the arbitrary input, and then click on the authorization and login, but because the downloaded HTML does not have the code to write the action, after the click did not change.

3.Web Front Javascipt

• The following is the use of JavaScript to create some simple user name password validation rules (user name can not be empty and limit the length of the password)

Web back-end MySQL Basics

1.mysql Database Base Usage

• Open SQL Service:/etc/init.d/mysql start
  
• Login using root: Mysql-u root-p
• Enter password, default to [email protected], then go to MySQL
  

• Use: Show databases, can view basic information of library table in database
  

• Use MySQL; Select MySQL Database
  

• Select User, password, host from user; View the user table in the MySQL library with the username, password, and permissions stored in the table
  

• UPDATE user SET Password=password ("4327") WHERE user= ' root '; Replacement password is 4327
  

• Input flush privileges; Update permissions

• Quit quitting
  

3.Mysql built-in library table

• Create SCHEMA 4327_log ; build a library named 4327_log
• CREATE TABLE 4327_log . users (The table is named users
• useridINT not NULL COMMENT ",
• usernameVARCHAR (COMMENT) NULL ",
• passwordVARCHAR (COMMENT) NULL ",
• enabledVARCHAR (5) NULL COMMENT ",
• PRIMARY KEY ( userid ) COMMENT ");
  

4. Add Users

• Enter the Use 4327_log Open table
• Add users with a user name and password of 4327:
  
• Insert into users (userid,username,password,enabled) VALUES (2, ' 154327 ', password ("Lovezh"), "TRUE");
  

4.Web Back-End Database identity authentication
1. Write The Landing Basics

• Write the 4327_login.html login interface under the/var/www/html folder
  and write the Jump interface 4327_login.php

  <?phpecho ($_GET["A"]);include($_GET["A"]);echo "hello this is 20154327<br>";?>

Login Successful Interface:

Php+mysql Implement login Web page writing

• This step card for a long time, changed a lot of different PHP code, but also their own database to modify countless times, a variety of different code each has its own problems, finally will be a successful revision, here posted my solution, for the same problems of the classmate reference.

• write the 123.html login interface under the/var/www/html folder and write the Jump interface login.php

• Here is the code for the final modification, and the way to fix the problem.

  <?php$uname= ($_post["username"]), $pwd = ($_post["password"]); echo $uname; $query _str= "SELECT * FROM yzhtable where username= ' $uname ' and password= ' $pwd '; "; * echo "<br> {$query _str} <br>"; */$mysqli = new Mysqli ("127.0.0.1", "Yzh", "4327", "4327_log");/* Check Connec    tion */if ($mysqli->connect_errno) {printf ("Connect failed:%s\n", $mysqli->connect_error); Exit ();} echo "Connection ok!";         * Select queries return a resultset */if ($result = $mysqli->query ($query _str)) {if ($result->num_rows > 0) {    echo "<br> Welcome login mr/mrs:{$uname} <br>"; } else {echo ' <br> login failed!!!!    <br> "; }/* Free result set */$result->close ();} $mysqli->close ();?  

• Login Successful Interface:
  

• Login Failure Interface:
  

• When debugging encountered this problem, open the test page when the following error occurred: Forbidden
  You don't have permission to access/123.html on this server.
  

• At first I thought I configured the error, spent half a day did not fix, finally carefully all the English, feeling is insufficient authority.

• Cause: Apache has insufficient permissions.

• Workaround: Change file permissions, cd past change permissions, permission directives at the beginning of the experiment upstairs have learned, modified to 755,chmod 755 123.html
  

5. Simple SQL injection

1. Yong-Real

• In the User name input box, enter ' or 1=1#, password to enter, you can log on successfully
  

2.sql Statement Injection

• In the User name input box, enter: '; insert into yzhtable values (' Yzhyzh ', ' 00000 '); #SELECT * from yzhtable WHERE username= ' ' INSERT into Yqh666ta ble values (' Yzhyzh ', ' 00000 '), injecting a user named Yzhyzh, with a password of 00000, into the Yzhtable table, which was unsuccessful.

• Later found that the landing did not succeed because

  if ($result = $mysqli->query($query_str))  

• This statement does not allow multiple executions, that is, PHP precautions against SQL attacks, instead of

  if ($result = $mysqli->multiy_query($query_str))

• 
  

• We query in the library table, there is a yzhyzh this user
  

6.XSS Attack test

1.dom-based XSS

• In the User name input box, enter:

  once</a>

• And then landed,
  Login failed, but the image will be displayed:

• has been the image of the broken interface.
  

• Here the other students also encountered the same problem, here put a solution:

• The same as the above Web page, I initially suspect that the permissions are insufficient, the CD in the past to change permissions, permission instructions in the beginning of the experiment upstairs, modified to 755,chmod 755 1.jpg
  

• Successfully opened
  

2. Pop-up windows

• In the User name input box, enter: After clicking Login, the box appears:
  

• Then, of course, the login failed interface.
  

Experiment Summary and experience

• The biggest sentiment is to do the experiment can not lazy, in front of several points in the teacher just decorate down completed, but a look at the back to a comprehensive drag down, until now complete.
• The overall feeling of the experiment is more difficult than the previous several times, because involved in the need to find their own problems and solutions, and this experiment is really a variety of problems, only a little to solve, and because of this, this experiment I repeatedly do many times, but also deepened the impression.

20154327 EXP8 Web Foundation