20155206 EXP8 Web Foundation Practice

Source: Internet
Author: User

Basic questions answered

(1) What is a form
Forms are primarily responsible for data collection functions in Web pages.
There are three basic components of a form:
Form tag: contains the URL of the CGI program used to process the form data and the method by which the data is submitted to the server.
Form fields: include text boxes, password boxes, hidden fields, multiline text boxes, check boxes, radio buttons, drop-down selection boxes, file upload boxes, and so on.
Form buttons: include the submit button, the reset button, and general buttons; they are used to send data to the CGI script on the server or to cancel input, and can also control other processing tasks for which a processing script is defined.

(2) Which languages can the browser parse and run?
Support for HTML (Hypertext Markup Language), XML (Extensible Markup Language), and many scripting languages such as ASP, PHP, script, JavaScript, VBScript, Perl, Python, Java, JSP, etc.

(3) Which dynamic languages are supported by the web server?
Current dynamic languages: ASP, PHP, CGI, Lisp, Perl, Python, Smalltalk, Ruby, etc.

Experimental thoughts and experiences

This experiment combines the web programming techniques learned earlier with a basic understanding of web attack techniques and with calling a database and establishing a connection to it. I now understand the basic principles of SQL injection. The biggest gain, I feel, is using several pieces of knowledge in combination: what I learned before was scattered and fragmented. These days also happen to be our curriculum design period, so I will carry the ideas used here over to it, and I hope to get a good result in the course design.

Apache Environment Configuration

Set the port number to your own number (as you like): enter the command vi /etc/apache2/ports.conf to change the listening port number of Apache2.
Then enter systemctl start apache2 to start Apache2.

Enter netstat -aptn to view the port numbers and confirm that Apache is started correctly.

Use Kali's own browser to access 127.0.0.1:5206 (local address + the listening port you set) to verify that Apache is running.

Enter vi /var/www/html/20155210.txt to create a new TXT file, and then enter a string of characters.

Open 127.0.0.1:5206/20155206.txt in the browser, and you can see the content of 20155206.txt.

Front-end programming

Use vi /var/www/html/20155206.html to create the .html file and enter the code.

Now open 127.0.0.1:5206/20155206.html in Firefox.

OK, we've got a simple front end, and now we need to write the PHP.
Enter vi /var/www/html/20155210.php to create a .php file in the same directory, and enter the code:
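```php
<?php
// Read the submitted form fields.
$user = ($_POST["user"]);

$PSW = ($_POST["PW"]);

// The user name is echoed back as submitted, without encoding.
echo "Welcome";
echo $user;
?>
```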
Now open 20155206.html and log in.

No problem!

Web front-end JavaScript

Modify the front-end code.

Test the new front end.
(1) Do not enter anything.

(2) Enter a 1-character password.

No problem.

Web back end, MySQL basics

Enter /etc/init.d/mysql start to start MySQL.
Enter mysql -u root -p and follow the prompt to enter the password; the default password is [email protected]. This logs in to MySQL.

The initial password is too troublesome, so change it:
Enter use mysql; to select the mysql database.
Enter select user, password, host from user; (user names, passwords, and permissions are stored in the user table of the mysql database).
Enter UPDATE user SET password=PASSWORD("新密码") WHERE user='root'; (新密码 stands for the new password).
Enter flush privileges; to refresh the privileges.
Enter quit to exit.
I picked a simple password: 123456.
Enter mysql -u root -p again to check that the new password works; login succeeds.

Create a database TestLogin: CREATE SCHEMA TestLogin;

Enter use TestLogin to select the created database.

Create a database table:
create table users (userid int not null comment '', username varchar(45) null comment '', password varchar(256) null comment '', enabled varchar(5) null comment '', primary key (userid) comment '');

Use insert into users(userid,username,password,enabled) values(1,'20155206',password("20155206"),"TRUE"); to add a record.

You can query it with select * from users;

Adapt 20155206.php to connect to the database. First change the PHP code:
```php
<?php
$user = ($_POST["user"]);

$PSW = ($_POST["PW"]);

if ($user == "" || $PSW == "")
{
    echo "";
}
else
{
    // 5206 is the Apache listening port set earlier; MySQL's default port is 3306.
    $link = mysqli_connect("127.0.0.1:5206", "root", "123456", "TestLogin");
    mysqli_select_db($link, "TestLogin");
    mysqli_query($link, 'set names utf8');
    // The form input is placed directly into the SQL string; the injection test below relies on this.
    $sql = "select username,password from users where username='$_POST[user]' and password=password('$PSW')";
    $result = mysqli_query($link, $sql);
    $row = mysqli_fetch_array($result);
    if ($num = mysqli_num_rows($result))
    {
        echo "Welcome";
        echo $user;
    }
    else
    {
        echo "";
    }
}
?>
```

![](https://images2018.cnblogs.com/blog/1072276/201805/1072276-20180521231930343-1691316143.png)

Open 20155206.html again and log in, entering 20155206 as both the account and the password.

???? There's obviously a problem.
On a classmate's advice, I did the rest of the experiment on Windows.
First, here is what was done on Windows.


This is the result when the input is correct.

This is the message that appears after entering data that is not in the database.

Simplest SQL injection and XSS attack tests

SQL injection

The background statement is SELECT username,password FROM users WHERE username='' and password=(''). It is to be turned into select username,password from users where username='' or 1=1#' and password=(''): enter ' or 1=1# in the user name box, plus a password, and you can see that the login succeeds, because # comments out the rest of the statement and 1=1 is always true.

XSS attack

Rationale: attackers exploit web site vulnerabilities (often meaning that the web site's program does not filter user input well) to enter HTML code that gets displayed on the page and affects other users. Because the victim's browser trusts the target server, when it accesses a page on the target server into which a malicious script has been injected, the script executes successfully, achieving the purpose of obtaining the user's cookie and using the user's identity for illegal operations.
In the user name input box, type the code that reads a picture; the picture is in the same folder as the page code.
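
A hardened version of the login check and welcome output from the two tests above, as an added example that is not the author's code. It assumes PDO with an in-memory SQLite database in place of the page's mysqli/MySQL setup so that it runs offline, and password_hash() in place of PASSWORD(); check_login, welcome and pic.jpg are illustrative names.

```php
<?php
// Added example: PDO + in-memory SQLite stands in for the page's MySQL database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, password TEXT, enabled TEXT)');

// Constructed sample row matching the page's insert; password_hash() replaces PASSWORD().
$ins = $pdo->prepare('INSERT INTO users (userid, username, password, enabled) VALUES (?, ?, ?, ?)');
$ins->execute([1, '20155206', password_hash('20155206', PASSWORD_DEFAULT), 'TRUE']);

// The user name is bound as a parameter, so it is compared as data and never
// parsed as SQL: quotes and comment markers in it cannot change the query.
function check_login(PDO $pdo, string $user, string $pw): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when no row matches
    return is_string($hash) && password_verify($pw, $hash);
}

// Output encoding for the "Welcome <user>" echo: markup typed into the form
// is shown as text instead of being interpreted by the browser.
function welcome(string $user): string
{
    return 'Welcome ' . htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$cases = [
    ['20155206', '20155206'],       // valid account from the page
    ["' or 1=1#", 'x'],             // user-name input from the page's SQL injection test
    ['<img src="pic.jpg">', 'x'],   // constructed markup input, as in the XSS test
];
foreach ($cases as [$u, $p]) {
    if (check_login($pdo, $u, $p)) {
        echo welcome($u), "\n";
    } else {
        // Failed names are encoded too before being written to the page.
        echo 'Login failed for ', htmlspecialchars($u, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Only the first case logs in; the other two inputs are treated as literal user names that match no row, and are printed with their special characters encoded.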
