I. Objectives and content of practice
- Web front-end HTML
- Be able to install, start and stop Apache normally. Understand HTML, forms, and the GET and POST methods, and write an HTML page containing a form.
- Web front-end JavaScript
- Understand basic JavaScript functionality and the DOM. Write JavaScript that validates the user name and password rules.
- Web backend: MySQL basics: install and start MySQL normally, create a database, create a user, change a password, create a table
- Web backend: write PHP web pages, connect to the database, authenticate users (1 point)
- Simplest SQL injection and XSS attack tests (1 point)
- Function description: the user can log in; the login user name and password are stored in the database; a welcome page is displayed on successful login.
II. Practice process and steps
1. Web front-end HTML
1.1 First modify the port file of the Apache2 service to set the port to 80, and start the Apache2 service.
1.2 Use
lsof -i:80
to see whether any process occupies port 80; if one does, use
kill + process ID
to kill the process occupying the port.
1.3 Use
cd /var/www/html/
to enter the folder, and then use
leafpad 20154324_2.html
to write an HTML file containing the form.
1.4 First, try to access
http://localhost
, but
- So the troubleshooting began. At first I thought an application was occupying the local connection, so I uninstalled it and tried again, but it still failed. After searching and checking the management tools in the Control Panel, I concluded that the address could not be accessed because the computer did not have the IIS service. I then installed the IIS service, and finally succeeded.
1.5 After that succeeded, open the HTML file that was written by accessing
http://localhost/4324_2.html/
- After more trouble, the page still showed garbled text. After some attempts, it turned out to be a problem with the file encoding, so I saved the file with UTF-8 character encoding.
1.6 Visit again; it finally succeeds.
2. Web front-end JavaScript
2.1 Use JavaScript to write validation rules for the user name and password: a piece of JavaScript code was added to the previous HTML file, with the rule that the account number and password cannot be empty, as follows:
2.2 Visit
http://localhost/4324_2.html/
again; you can see that the rules are in effect.
3. Web backend: MySQL basics
3.1 First start the MySQL service with
/etc/init.d/mysql start
and enter
mysql -u root -p
to set the login password.
- Note that the login password set here must be distinctive; this password is unique.
3.2 The password I set at the beginning was the default password, so I entered
update user set password=PASSWORD("new password") where user='root';
to change the password, then entered
flush privileges;
to refresh the privileges.
3.3 Use
create database 20154324;
to create the database, then enter
show databases;
to view the existing databases.
3.4 Use
use 20154324;
to select the database, then enter
create table lkq (username VARCHAR(20), password VARCHAR(30));
to create a table, then enter
show tables;
to view the existing tables.
3.5 Use
insert into table_name values('lkq4324','20154324');
to insert data, then enter
select * from lkq;
to view the data in the table.
3.6 Use
insert into mysql.user(localhost,test2,Password)
to add a user named test2 and grant the user permissions, then use
flush privileges;
to refresh the privileges. For the related commands, see the MySQL user management link.
4. Web backend: write a PHP web page, connect to the database, authenticate users
4.1 Enter the folder, then use
leafpad test.php
to write a PHP file containing the code that connects to the database as the test2 user.
- Because the PHP reads $_GET["password"] and so on, the method in the HTML is changed to get, and the action attribute of the form in the HTML is changed from # to test.php.
4.2 Visit the page and enter the relevant information; you can then see the PHP page that was written.
5. Simplest SQL injection, XSS attack test
5.1 SQL injection: in the user name input box enter ' or 1=1# and enter any password. The SQL query statement then becomes select * from info where usrname='' or 1=1#' and password='' and type=''. The # acts as a comment character, so everything after it is commented out, and 1=1 is always true, so the condition is sure to hold and the login succeeds.
5.2 SQL injection again: in the user name input box enter
';insert into lkq values('admin','123');#
This can add a row of data to the table: the # after the final semicolon comments out what follows, so what is actually executed is
insert into lkq values('admin','123');
and after logging in you'll find that a row of data has been added.
- Note: first, because the attack uses more than one SQL statement, in
if ($result = $mysqli->query($query_str))
query()
must be changed to multi_query($query_str);
second, the default length defined in the earlier HTML is not long enough to hold the injected attack statement.
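The injections from 5.1 and 5.2 next to a parameterized query that stops both, as an added example that is not part of the original report. It assumes Python's built-in sqlite3 in place of PHP and MySQL, so the comment marker is "-- " rather than #, and execute()/executescript() stand in for query()/multi_query(); the function names are hypothetical and the table matches lkq from 3.4 and 3.5.

```python
import sqlite3

# Payloads from 5.1 and 5.2, with SQLite's "-- " comment in place of MySQL's "#".
BYPASS = "' or 1=1-- "
STACKED = "';insert into lkq values('admin','123');-- "

def make_db():
    """In-memory stand-in for the lkq table built in 3.4-3.5."""
    db = sqlite3.connect(":memory:")
    db.execute("create table lkq (username VARCHAR(20), password VARCHAR(30))")
    db.execute("insert into lkq values('lkq4324','20154324')")
    db.commit()
    return db

def login_concat(db, user, pwd, multi=False):
    """Vulnerable: user input is pasted into the SQL text."""
    q = "select * from lkq where username='%s' and password='%s'" % (user, pwd)
    if multi:
        # Stand-in for multi_query(): every ';'-separated statement runs.
        db.executescript(q)
        return None  # executescript() exposes no result rows
    try:
        # Stand-in for query(): execute() accepts a single statement only.
        return db.execute(q).fetchone() is not None
    except (sqlite3.Error, sqlite3.Warning):
        return False

def login_param(db, user, pwd):
    """Hardened: input is bound as data and is never parsed as SQL."""
    q = "select * from lkq where username=? and password=?"
    return db.execute(q, (user, pwd)).fetchone() is not None

def row_count(db):
    """Number of rows in lkq, used to detect an injected insert."""
    return db.execute("select count(*) from lkq").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print("concat, bypass payload :", login_concat(db, BYPASS, "x"))
    print("bound,  bypass payload :", login_param(db, BYPASS, "x"))
    print("concat, stacked, single:", login_concat(db, STACKED, "x"), row_count(db))
    login_concat(db, STACKED, "x", multi=True)
    print("concat, stacked, multi : rows =", row_count(db))
    print("bound,  stacked        :", login_param(db, STACKED, "x"), row_count(db))
```

With bound parameters the quote in the input never ends the string literal, so neither the always-true condition nor the second statement reaches the SQL parser.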
5.3 For the XSS attack, in the user name input box enter
, with any password; the expected result is that the picture is displayed, but
5.4 After looking it up, the cause turned out to be insufficient permissions on the picture; use
chmod 755 123.jpg
to give the picture sufficient permissions, and it succeeds.
III. Answers to the basic questions
(1) What is a form?
- HTML forms are used to collect different types of user input. A form is a region that contains form elements.
Form elements are elements that allow users to enter information in a form (such as a text field, drop-down list, radio button, check box, and so on).
Forms use the form tag (
(2) What languages can the browser parse and run?
- The browser can parse and run HTML, XML, JavaScript and other scripting languages. For a JS script, it calls the JS script engine to handle it; the browser itself does not process program code.
(3) What dynamic languages does the web server support?
- JavaScript, PHP, Ruby and other scripting languages
IV. Experience
- Through this experiment I studied the front end and back end of the web quickly and systematically, and used the two in combination. The experiment is closely related to our everyday Internet activity: every page we visit each day is a piece of code. We also attacked vulnerabilities in the code (although most websites can now block these attacks) and came to understand what the code means, which I think is very meaningful.
20154324 Liu Kang-quan Exp 8 web Base