1. On the original login.html basis, you can add a piece of JavaScript code to complete the user whether to fill out the mailbox and password judgment. The modified logintest.html is as follows:
3.Web backend: MySQL Basics1. Enter the /etc/init.d/mysql start
MySQL service to start. Because the first login does not know the password so the internet found a way: first open/etc/mysql find the MySQL folder, select 50-server.cnf
the following line to join skip-grant-tables
and save the exit, and then restart the link to skip the password.
2. Enter, use mysql
Select MySQL database, enter update user set password=PASSWORD("新密码") where user=‘root‘;,修改密码;输入flush privileges;
, update permissions
3. Exit the database and log back in with the new password
4. Use the CREATE database name; set up a database using show databases; View the existing database:
5. Use use 库名
; Use the database that we created, use the create table 表名 (字段设定列表);
build data table, the data table is a very important object in the database, a database may contain several data tables, use show tables;
to view the existing data table
6. Use insert into 表名 values(‘值1‘,‘值2‘,‘值3‘...);
Insert data, use select * from 表名;
data from the query table:
7. Add a new user to MySQL, using the grant select,insert,update,delete on 数据库.* to 用户名@登录主机(可以是localhost,也可以是远程登录方式的IP) identified by "密码";
directive, which means that the Select,insert,update,delete permissions on all tables of a database are granted to a user of an IP login. , after adding a new user, exit, re-login with a new user name and password, login success Description to increase the success of the new user:
4.Web Backend: PHP BasicsPHP是一种通用开源脚本语言,语法吸收了C语言、Java和Perl的特点,主要适用于Web开发领域。它可以比CGI或者Perl更快速地执行动态网页。用PHP做出的动态页面与其他的编程语言相比,PHP是将程序嵌入到HTML文档中去执行,执行效率比完全生成HTML标记的CGI要高许多;PHP还可以执行编译后代码,编译可以达到加密和优化代码运行,使代码运行更快。
1. /var/www/html
Create a new PHP test file in the directory to get a quick look at some of its syntax:vi test.php
<?phpecho ($_GET["a"]);include($_GET["a"]);echo "This is rhl php page!<br>";?>
2. Enter in the browser URL field to localhost:80/test.php?a=/etc/passwd
see the contents of the/etc/passwd file:
3. Using PHP and MySQL in conjunction with the previous compiled login page for simple user authentication, here can refer to the code written by the teacher rhl.php
, code and configuration as follows:
<?php$uname=$_POST["username"];$pwd=$_POST["password"];echo $uname;$query_str="SELECT * FROM loginlist where username=‘$uname‘ and password=‘$pwd‘;";$mysqli = new mysqli("127.0.0.1", "rhl", "toor", "rhl");/* check connection */if ($mysqli->connect_errno) { printf("Connect failed: %s\n", $mysqli->connect_error); exit();}echo "connection ok!";/* Select queries return a resultset */if ($result = $mysqli->query($query_str)) { if ($result->num_rows > 0 ){ echo "<br> {$uname}:Welcome!!! <br> "; } else { echo "<br> login failed!!!! <br> " ; } /* free result set */ $result->close();}$mysqli->close();?>
4. Change the Action property of the form in the code of the previously compiled login Web page logintest.html
from # to rhl.php
, that is, jump to rhl.php after logging in, and then enter localhost:80/logintest.html
your login page in Firefox
Successful interface:
Failure interface:
5.SQL injection attacks, XSS attacks
- SQL injection, by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, eventually achieves a malicious SQL command that deceives the server. Specifically, it is the ability to inject (malicious) SQL commands into the background database engine execution using existing applications, which can be obtained by entering (malicious) SQL statements in a Web form to a database on a Web site that has a security vulnerability, rather than executing the SQL statement as the designer intended.
1. Enter the username in the box, enter the ‘ or 1=1#
password casually, you can log in successfully.
/ Enter the user name and our code in the combination of the SELECT statement select * from users where username=‘‘ or 1=1#‘ and password=‘‘
to become, #相当于注释符, will be commented out after the content, and 1=1 is forever, so this condition is always set up /
- XSS attacks: Cross Site scripting attacks (Scripting), which are not confused with the abbreviations of cascading style sheets (cascading style Sheets, CSS). Therefore, the cross-site scripting attack is abbreviated as XSS. XSS is a computer security vulnerability that often appears in web applications, allowing malicious Web users to embed code into pages that are available to other users. For example, the code includes HTML code and client script. An attacker could bypass access control by using an XSS vulnerability-such as the Origin policy (same). This type of vulnerability is widely known as being used by hackers to write more damaging phishing attacks. For cross-site scripting attacks, the hacker consensus is that cross-site scripting attacks are a new type of "buffer overflow attack", and JavaScript is the new "ShellCode".
1. Save a picture in the/var/www/html directory
2. In the User name input box, enter the
image to read the/var/www/html directory:
Third, practice summary and experienceAt the beginning of the experiment, the machine did not have the default PHP, found after the reload, and then there is a problem with MySQL! Finally changed a virtual machine successfully completed. This experiment applied to Java, Web page production and other knowledge, relive the previous knowledge. At the same time, the use of SQL injection, XSS attacks and other network attacks, Web page attacks, although the process is very difficult, but made to be particularly happy!
# 2017-2018-2 20155319 "network countermeasure technology" Exp8:web Foundation