20145326 Cai, "Cyber Confrontation" -- Web Foundations
1. Answer questions after the experiment
(1) What is a form?
- A form is an area of a page that contains form elements, i.e. elements that let the user enter information. It is mainly responsible for collecting data on a web page. A form has three basic components: the form tag (the <form> element itself, which says where and how the data is sent), the form fields (text boxes, password boxes, check boxes, radio buttons, drop-down lists, file uploads and so on), and the form buttons (submit and reset).
(2) Which languages can the browser parse and run?
- HTML (HyperText Markup Language) and XML (Extensible Markup Language), which the browser parses into a document tree, plus CSS for presentation.
- JavaScript, which is the only scripting language the browser actually executes.
- ASP, PHP and Python are server-side languages: the browser never sees their source, only the HTML they generate.
(3) Which dynamic languages does the web server support?
- Server-side scripting languages such as PHP, ASP, Ruby, Python, JSP (Java), and JavaScript when run with Node.js.
2. Experiment Summary and Experience
Because I took the Java Web course before, I had some foundation for this experiment, but years have passed and I had forgotten a lot. Fortunately the teacher gave us the Novice Tutorial site to refer to while learning, and I still gained quite a lot from it. The result of this experiment meets all of the teacher's requirements, but I think my front end is too simple; I should spend more time studying it after class. The Novice Tutorial has many examples and is very convenient to use: the code is on the left and the rendered effect is on the right.
Looking back now, I really regret not having chosen the database course; it feels very bad. It was because of my lack of knowledge in this area that I made many mistakes during the experiment that I should not have made, and wasted a lot of time because of them. Fortunately the experiment succeeded, and in the process of solving the problems I really did learn something; the feeling is quite deep.
3. Practice Process Record
(1) Web front end: HTML (1 point)
- Start the Apache2 service with `service apache2 start`.
- Use `netstat -aptn` to view which ports are in use; apache2 occupies port 8080. (On newer systems `netstat` is no longer installed by default; `ss -ltnp` gives the same listening-socket view.)
- Test whether Apache is working properly: in Kali's Firefox browser, enter `localhost:8080`. This opens the disguised web page from the previous experiment.
- The port number 8080 is the Apache listening port set in `/etc/apache2/ports.conf`.
- The Novice Tutorial recommended by the teacher is very useful. Although I took the Java Web course before, I had really forgotten a lot of it, which was very embarrassing; following the Novice Tutorial to learn it again is very simple.
- Go to the Apache document root with `cd /var/www/html` and create a new HTML file there.
- Write an HTML page containing a form.
- Enter some information in the text boxes and click the Submit button: the data is sent to `html_form_action.php`. Because that page has not been written yet, a 404 page is shown.
(2) Web front end: JavaScript (1 point)
- JavaScript is a scripting language for client-side web development, used by millions of pages to improve design, validate forms, detect browsers, and create cookies.
- The Document Object Model (DOM) is the standard programming interface recommended by the W3C for processing HTML and XML documents.
- We can use JavaScript to write a simple timer.
Effect display:
(3) Web backend: MySQL basics: install, start MySQL, create a database, create a user, change the password, create a table (1 point)
- Start the MySQL service: `/etc/init.d/mysql start`
- Enter `mysql -u root -p` and type the password at the prompt (the default password is [email protected]) to enter the MySQL shell.
- Enter `show databases;` to view the basic information.
- If the password is too cumbersome, change it as follows:
- Enter `use mysql;` to select the mysql database.
- Enter `select user, password, host from user;`. The user table in the mysql database stores each account's user name, password hash and allowed host; the remaining columns of the same table hold its global privileges.
- Enter `UPDATE user SET password=PASSWORD("newpassword") WHERE user='root';`
- Enter `flush privileges;` to reload the privilege tables so the change takes effect for new connections.
- Enter `quit` to exit.
- Note that these statements match the MySQL 5.5/5.6 layout used in the lab. From MySQL 5.7 the column is named `authentication_string`, and `PASSWORD()` was removed in 8.0, so on those versions use `ALTER USER 'root'@'localhost' IDENTIFIED BY 'newpassword';` instead.
- Create a table in MySQL by entering the following:
- Then add a user to the table.
(4) Web backend: writing PHP web pages, connecting to the database, authenticating users (1 point)
- Create a new PHP test file.
- Open `localhost:8080/20145326test.php` in the browser; if the following page appears, the test succeeded.
- In the /var/www/html folder, enter `vim login.html` and write the login page.
- In the same directory, enter `vim login.php`; this page connects to the database through PHP.
- Type `localhost:8080/login.html` in the Firefox browser to reach the login page.
- Enter a user name and password that are stored in the database and click Login: the login succeeds.
- Authentication fails if the credentials entered are not in the database.
(5) Simplest SQL injection and XSS attack test (1 point)
SQL injection
Many web applications are written without checking the legality of user input, which leaves them with a security hole: a user can submit database query code, and from the results the program returns, obtain data they want to know. This is called SQL injection. Through the web page, SQL injection modifies the site's database; it can add a user with administrator privileges directly to the database and so obtain administrator rights. With those rights an attacker can fetch any file on the site or plant a trojan and other malicious programs in the web pages, which is very harmful to the site and to the users who visit it.
- Construct the SQL statement: enter `' or 1=1#` in the user name box and anything at all in the password box. The query the PHP code assembles is then `select * from users where username='' or 1=1#' and password=md5('')`.
- Because `1=1` is always true, the WHERE condition is always true, and because `#` starts a MySQL comment, everything after it (including the password check) is discarded, so the login succeeds.
- SQL injection can also be used to write a user name and password into the database. Enter `'; insert into users(userid,username,password,enabled) values(666,'aaa',password("aaa"),"TRUE");#` as the user name.
- But after the page redirects, it is actually blank. A search on Baidu shows that the problem is in the PHP code's query call: `mysqli->query()` executes only a single statement, so the stacked INSERT after the `;` never runs. `$result = $mysqli->multi_query($query_str)` executes multiple SQL statements.
- Now try again.
- Later, thinking about it, the remaining problem is the line `$result->num_rows>0`: it broke when `query` was changed to `multi_query`, because `multi_query()` returns a boolean rather than a result object, so the result set has to be fetched with `$mysqli->store_result()` before `num_rows` can be read.
- So fix it immediately. Bingo, success!
The simplest XSS attack test
XSS (cross-site scripting) is a security vulnerability that often appears in web applications; it allows a malicious user to embed code into pages that are shown to other users. It is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. A malicious attacker inserts HTML or script into a web page, and when a user browses that page, the embedded code runs in the user's browser to achieve the attacker's purpose.
- Enter `</a>` as a simple test first.
- Clicking Sign in then produces a hyperlink to the image 5326.jpg.
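The reflection this test exercises, as an added example that is not the report's login.html or login.php: a login page that echoes the submitted user name back, once as an attribute value and once as text, beside the same page with output encoding. The page markup, the payload (which closes the attribute and adds an `<a>` pointing at the report's 5326.jpg) and the helper names are constructed for the illustration; Python's html.parser is used to show the element tree a browser would build from each version.

```python
"""Reflected HTML injection vs. output encoding on a login page that echoes its input."""
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Records the elements built from the markup and the value attribute of each
    <input>, so injected elements can be told apart from escaped text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_values.append(dict(attrs).get("value"))


def elements_in(markup: str) -> list:
    """Element names in document order, as a parser (or browser) sees them."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def first_input_value(markup: str):
    """The value attribute the parser recovers for the first <input>, entities decoded."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.input_values[0] if parser.input_values else None


def login_page_unsafe(username: str) -> str:
    """Echoes the raw user name, as the report's test did: whatever HTML the user
    typed becomes part of the page, in both the attribute and the text context."""
    return ('<form action="login.php" method="post">'
            f'<input type="text" name="username" value="{username}">'
            f'<p>Last attempt: {username}</p>'
            '</form>')


def login_page_safe(username: str) -> str:
    """Same page with output encoding. html.escape(quote=True) turns < > & " and '
    into entities, which covers both a text node and a double-quoted attribute.
    (Other contexts, such as inside <script> or a URL, need their own encoding.)"""
    safe = html.escape(username, quote=True)
    return ('<form action="login.php" method="post">'
            f'<input type="text" name="username" value="{safe}">'
            f'<p>Last attempt: {safe}</p>'
            '</form>')


# Constructed test input: closes the value attribute, then adds an <a> pointing at
# the 5326.jpg image used for the report's test.
PAYLOAD = '"><a href="5326.jpg">x</a>'

if __name__ == "__main__":
    print(elements_in(login_page_unsafe(PAYLOAD)))  # ['form', 'input', 'a', 'p', 'a']
    print(elements_in(login_page_safe(PAYLOAD)))    # ['form', 'input', 'p']
    # The escaped page still carries the user's text intact; only its structure is inert.
    print(first_input_value(login_page_safe(PAYLOAD)) == PAYLOAD)  # True
```

The unsafe page grows two extra `<a>` elements from a single field, one from each place the name is echoed; the escaped page keeps the same three elements whatever is typed, and the parser still decodes the attribute back to the exact string submitted, so nothing the user entered is lost.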