20145326 Cai "Cyber Confrontation"--web Foundation


1. Answer questions after the experiment

(1) What is a form?

    • A form is an area that contains form elements. Form elements are the elements that let users enter information on a web page, and the form is mainly responsible for collecting data on the page. A form has three basic parts: the form tag, form fields, and form buttons.

(2) Which languages can the browser parse and run?

    • HTML (HyperText Markup Language)
    • XML (Extensible Markup Language)
    • ASP, Python, PHP, JavaScript and many other scripting languages.

(3) Which dynamic languages does the web server support?

    • JavaScript, ASP, PHP, Ruby and other scripting languages.

2. Experiment Summary and experience
    • Because I had taken the Java Web course before, I had some foundation for this experiment. But that was years ago, and I have still forgotten a lot. Fortunately, the teacher gave us the Novice Tutorial site to refer to, and I still gained quite a lot from it. The result of this experiment meets all of the teacher's requirements. But I think my front-end work is too simple; I should spend more time studying it in and outside class. The Novice Tutorial has many examples and is very convenient to use: the code is on the left and the rendered effect on the right.

    • Looking back now, I really regret not having chosen the database course; it feels bad. It was because of the lack of knowledge in this area that I made many mistakes I should not have made during the experiment, and therefore wasted a lot of time. But fortunately the experiment succeeded, and in the process of solving the problems I really gained something; the feeling is quite deep.

3. Practice process record

(1). Web front end: HTML (1 point)
    • Start the Apache2 service with service apache2 start
    • Use netstat -aptn to view port usage; here apache2 occupies port 8080

    • Test whether Apache is working properly:
    • In Kali's Firefox browser, enter localhost:8080
    • This opens the web page that was disguised in the last experiment.
    • The port number 8080 here is the Apache listening port set in /etc/apache2/ports.conf

    • The Novice Tutorial recommended by the teacher is very useful. Although I took the Java Web course before, I really have forgotten a lot of it. It is quite embarrassing, but you can follow the Novice Tutorial to learn it again, which is very simple.

    • Go to the Apache working directory with cd /var/www/html and create a new HTML file
    • Write an HTML page containing a form

    • Enter the relevant information in the text boxes and click the Submit button; the data is sent to the page html_form_action.php. Because that page has not been written, a 404 page appears.
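The report's form posts to html_form_action.php, which does not exist, hence the 404. The following added example (not the report author's code) is a single PHP page that both renders a form with the three parts named in question (1) and acts as its own action target, so the round trip can be seen working. The field names, length limit and file name are assumptions for this example.

```php
<?php
// Added example (not the report author's code): a self-contained form page.
// Save as /var/www/html/form.php and open localhost:8080/form.php.
// No action attribute is given on the <form>, so the browser posts back to
// this same file, which then handles the request. Field names are assumptions.

declare(strict_types=1);

// Encode a value for safe insertion into HTML text or attribute content.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$errors = [];
$submitted = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $firstname = trim((string)($_POST['firstname'] ?? ''));
    $lastname  = trim((string)($_POST['lastname'] ?? ''));

    // Server-side validation: the browser's "required" and "maxlength"
    // attributes are a convenience, not a control; a client can POST anything.
    if ($firstname === '' || mb_strlen($firstname) > 50) {
        $errors[] = 'First name is required (max 50 characters).';
    }
    if ($lastname === '' || mb_strlen($lastname) > 50) {
        $errors[] = 'Last name is required (max 50 characters).';
    }
    if ($errors === []) {
        $submitted = ['firstname' => $firstname, 'lastname' => $lastname];
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Form test</title></head>
<body>
<?php if ($submitted !== null): ?>
  <!-- Every echoed value goes through h(): the form is where untrusted text enters the page. -->
  <p>Received: <?= h($submitted['firstname']) ?> <?= h($submitted['lastname']) ?></p>
<?php endif; ?>
<?php foreach ($errors as $e): ?>
  <p style="color:red"><?= h($e) ?></p>
<?php endforeach; ?>

<!-- The three parts named in question (1): form tag, form fields, form button -->
<form method="post">
  <label>First name: <input type="text" name="firstname" maxlength="50" required></label><br>
  <label>Last name:  <input type="text" name="lastname"  maxlength="50" required></label><br>
  <input type="submit" value="Submit">
</form>
</body>
</html>
```

Method "post" is used rather than the default "get" so the submitted values do not end up in the URL, browser history or Apache access log.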
(2). Web front end: JavaScript (1 point)
    • JavaScript is a scripting language for client-side web development and is used by millions of pages to improve design, validate forms, detect browsers, and create cookies.
    • The Document Object Model, or DOM, is the standard programming interface recommended by the W3C for processing extensible markup languages.
    • We can use JavaScript to write a simple timer program.

Effect display:

(3). Web backend: MySQL basics: normal installation, starting MySQL, building a database, creating a user, changing the password, building a table (1 point)
    • To start the MySQL service: /etc/init.d/mysql start

    • Enter mysql -u root -p and type the password at the prompt; the default password is [email protected]. This enters MySQL.

    • Enter show databases; to view basic information

    • If you find the password too cumbersome, you can change it as follows:
      • Enter use mysql; to select the mysql database
      • Enter select user, password, host from user; (the user table in the mysql database stores user names, passwords, and permissions)
      • Enter UPDATE user SET password=PASSWORD("新密码") WHERE user='root'; (where 新密码 is the new password)
      • Enter flush privileges; to update permissions
      • Enter quit to exit

    • Then log back in

    • Build a table in MySQL by entering the following

    • Then add a user to the table
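The report does the database steps above in the mysql client and shows them as screenshots. As an added example (not the report author's code, written in PHP to match the rest of the lab), the script below performs the same steps, building the database, creating a dedicated account for the web page, building the users table and adding a user, from a one-shot command-line script. The database name webdb, the account webuser, the password placeholders and the table column types are assumptions; the column names come from the report's own insert statement. Two things differ deliberately from the report: the web page gets its own SELECT-only account instead of connecting as root, and the password column holds a password_hash() string rather than an MD5 or PASSWORD() value. CREATE USER IF NOT EXISTS needs MySQL 5.7.6 / MariaDB 10.1.3 or later.

```php
<?php
// Added example (not the report author's code): one-shot setup script.
// Run from the shell: MYSQL_ROOT_PASSWORD=... php setup_db.php
// Assumptions: MySQL/MariaDB on localhost; names and passwords are placeholders.

declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any SQL error

$rootPassword = getenv('MYSQL_ROOT_PASSWORD') ?: 'ROOT-PASSWORD-PLACEHOLDER';
$db = new mysqli('localhost', 'root', $rootPassword);

// 1. Build the database ("library").
$db->query('CREATE DATABASE IF NOT EXISTS webdb CHARACTER SET utf8mb4');

// 2. Create a dedicated, least-privilege account for login.php. A login page
//    only ever reads the users table, so the account gets SELECT and nothing
//    else; the web page should never connect as root.
$db->query("CREATE USER IF NOT EXISTS 'webuser'@'localhost' IDENTIFIED BY 'WEBUSER-PASSWORD-PLACEHOLDER'");
$db->query("GRANT SELECT ON webdb.* TO 'webuser'@'localhost'");
$db->query('FLUSH PRIVILEGES');

// 3. Build the table, with the columns the report's own insert names
//    (userid, username, password, enabled). password holds a password_hash()
//    string (60+ characters), not an MD5 digest.
$db->select_db('webdb');
$db->query('CREATE TABLE IF NOT EXISTS users (
    userid   INT PRIMARY KEY,
    username VARCHAR(64)  NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL,
    enabled  TINYINT(1)   NOT NULL DEFAULT 1
)');

// 4. Add a user with a prepared statement and a salted, slow hash.
$stmt = $db->prepare(
    'INSERT IGNORE INTO users (userid, username, password, enabled) VALUES (?, ?, ?, 1)'
);
$userid   = 1;
$username = 'test';
$hash     = password_hash('TEST-USER-PASSWORD-PLACEHOLDER', PASSWORD_DEFAULT);
$stmt->bind_param('iss', $userid, $username, $hash);
$stmt->execute();
$stmt->close();

$count = $db->query('SELECT COUNT(*) AS n FROM users')->fetch_assoc()['n'];
echo "users table now has {$count} row(s)\n";
```

Because webuser cannot INSERT, the user-adding injection tried later in this report would be refused by the database even if the login page were still vulnerable; that is what least privilege buys on top of the code fix.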

(4). Web backend: writing PHP web pages, connecting to the database, authenticating users (1 point)
    • Create a new PHP test file.

    • Open localhost:8080/20145326test.php in the browser; the following interface appears, so the test succeeds

    • In the /var/www/html folder, enter vim login.html and write the login page

    • In the same directory, enter vim login.php; the connection to the database is made through PHP.

    • Typing localhost:8080/login.html in the Firefox browser opens your login page.

    • On the login page, enter a user name and password that are stored in the database and click Login; the login succeeds.

    • Authentication fails if the entered credentials are not in the database.

(5). Simplest SQL injection and XSS attack test (1 point)

SQL injection

Many website programs do not check the legality of user input when they are written, which leaves the application with a security risk. A user can submit database query code and, from the results the program returns, obtain data they want to know; this is called SQL injection. SQL injection modifies the site's database through the web page. It can add users with administrator privileges directly to the database, giving system administrator privileges. Hackers can use these privileges to obtain any file on the site, or plant Trojan horses and other malicious programs in the web pages, which does great harm to the site and to the users who visit it.
    • Construct the SQL statement: in the user name input box enter ' or 1=1# and type anything as the password. The SQL query assembled at this point is select * from users where username='' or 1=1#' and password=md5('')

    • Because 1=1 always holds, the where condition is always true, so the login succeeds.

    • You can also use SQL injection to store a new user name and password in the database.
    • Enter ';insert into users(userid,username,password,enabled) values(666,'aaa',password("aaa"),"TRUE");#

    • But after the page jumps, it is actually a blank page.

    • After a search on Baidu I learned that the problem is the condition in the PHP code: it does not allow multiple statements to be executed. We can use $result = $mysqli->multi_query($query_str) to execute multiple SQL statements.

    • Now try again.

    • Why did it fail???

    • To verify whether the statement had succeeded, I looked directly in the database, and clearly the injection itself was fine.

    • Thinking it over later, the problem should be the line $result->num_rows>0: once the query was changed to multi_query, that check goes wrong.
    • So I fixed it immediately. Bingo, success!
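The login check this section attacks, shown as an added example (not the report author's login.php, which the report only describes). The vulnerable function keeps the exact query shape the report gives, select ... where username='...' and password=md5('...'), so the quote in the user name ends the string and # comments out the password check; the safe function beside it uses a prepared statement, and swaps the in-SQL md5() comparison for password_verify() against a password_hash() value. The table layout users(userid, username, password, enabled), the database webdb and the connection details are assumptions, and bind_result() is used instead of get_result() so the script does not depend on mysqlnd.

```php
<?php
// Added example (not the report author's code): vulnerable and hardened login
// checks side by side. Deploy only login_safe(); login_vulnerable() is here to
// show the exact defect the report exploits.
// Assumptions: table users(userid, username, password, enabled) in webdb.

declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    return new mysqli('localhost', 'webuser', 'WEBUSER-PASSWORD-PLACEHOLDER', 'webdb');
}

// VULNERABLE: the query shape this section describes. User input is pasted into
// the SQL text, so the user name  ' or 1=1#  turns the WHERE clause into
// "username='' or 1=1" and comments out the password check. Switching query()
// to multi_query(), as the report did, makes it worse: a second statement after
// ';' in the input also executes.
function login_vulnerable(mysqli $db, string $username, string $password): bool
{
    $query_str = "SELECT * FROM users WHERE username='" . $username .
                 "' AND password=md5('" . $password . "')";
    $result = $db->query($query_str);
    return $result !== false && $result->num_rows > 0;
}

// SAFE: the SQL text is fixed and sent to the server first; the value travels
// separately as a parameter, so a quote, '#' or ';' in the user name is just
// data and can never change the statement. The password never enters SQL at
// all: it is checked with password_verify() against the stored hash.
function login_safe(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT password FROM users WHERE username = ? AND enabled = 1 LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $hash = '';
    $stmt->bind_result($hash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    if (!$found) {
        // Unknown user: still pay for one hash computation so the response
        // time does not reveal which user names exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    return password_verify($password, $hash);
}

// Handler: runs when Apache serves this file as the target of login.html.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    $ok = login_safe(connect(), $username, $password);
    header('Content-Type: text/plain; charset=utf-8');
    echo $ok ? "Login successful\n" : "Login failed\n";
}
```

With login_safe(), the report's first payload simply looks up a user literally named "' or 1=1#" and finds none, and the second payload cannot run a second statement because a prepared statement carries exactly one.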

The simplest XSS attack test

XSS is a computer security vulnerability that often appears in web applications. It allows malicious web users to embed code into pages that are served to other users. XSS is also abbreviated CSS (cross site script), a cross-site scripting attack. It refers to a malicious attacker inserting malicious HTML code into a web page; when a user browses the page, the HTML code embedded in it is executed, achieving the attacker's special purpose.
    • First a simple test: enter </a> in the input box.

    • Clicking Login produces a hyperlink to the image 5326.jpg.
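Why entering </a> changes the page, and the output encoding that stops it, as an added example (not the report author's code). The report does not show the markup of its login.php; the <a> wrapper around the echoed user name below is an assumption reconstructed from the observed effect (the input closed a link early). The function names are assumptions as well.

```php
<?php
// Added example (not the report author's code): reflected XSS in an HTML
// context and its fix. Run from the shell: php xss_demo.php
// Assumption: the login page echoes the submitted user name inside an <a>.

declare(strict_types=1);

// VULNERABLE: the submitted user name is pasted into HTML as-is, so the
// report's "</a>" closes the link early and everything after it is parsed
// as new markup, which is exactly how a <script> element would get in.
function greet_vulnerable(string $username): string
{
    return '<a href="5326.jpg">Welcome, ' . $username . '</a>';
}

// SAFE: encode for the HTML context. '<' becomes '&lt;', '>' becomes '&gt;',
// '"' becomes '&quot;' and, with ENT_QUOTES, "'" is encoded too, so the text
// can never end the <a> element or start a new one. This encoder is right for
// text and attribute content only; a URL or JavaScript context needs its own.
function greet_safe(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="5326.jpg">Welcome, ' . $safe . '</a>';
}

// Defence in depth for the whole site: a CSP that forbids inline scripts keeps
// an injected <script> from running even if one encoding call is missed.
function security_headers(): array
{
    return [
        'Content-Security-Policy' => "default-src 'self'; script-src 'self'",
        'X-Content-Type-Options'  => 'nosniff',
    ];
}

if (PHP_SAPI === 'cli') {
    $probe = '</a>';   // the report's own test input
    echo "vulnerable: ", greet_vulnerable($probe), "\n";
    echo "safe:       ", greet_safe($probe), "\n";
} else {
    foreach (security_headers() as $name => $value) {
        header("{$name}: {$value}");
    }
    $username = (string)($_POST['username'] ?? '');
    echo greet_safe($username);
}
```

Running the script from the shell shows the vulnerable output containing a second, literal </a> while the safe output contains the harmless text &lt;/a&gt;.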
