20155304 "Cyber Confrontation" EXP8 Web Basics
Practice Requirements
(1). Web front end: HTML
Install Apache and start and stop it normally. Understand HTML, forms, and the GET and POST methods, and write an HTML page that contains a form.
(2). Web front end: JavaScript
Understand basic JavaScript functionality and the DOM. Write JavaScript that validates the user name and password rules.
(3). Web back end: MySQL basics: install and start MySQL normally, create a database, create a user, change a password, create a table
(4). Web back end: write PHP web pages, connect to the database, authenticate users
(5). The simplest SQL injection and XSS attack tests
Function description: the user can log in; the login user name and password are stored in the database; a successful login displays a welcome page.
Experimental Process
Web front end: HTML
Use netstat -aptn to check whether port 80 is occupied (the last experiment set Apache to use port 80). If it is occupied, kill the process that holds it (because I did not shut down the virtual machine last week, I just killed the process on port 80 as a demo and restarted Apache). If the port is free, use apachectl start to start Apache, then use netstat -aptn again to view port occupancy.
Enter localhost:80 in Kali's Firefox browser to test whether Apache is working properly.
Go to the Apache working directory /var/www/html, create a new file tyn001.html, and write a form with user name and password inputs to implement the login HTML.
Open the browser and visit localhost:80/tyn001.html; the HTML page that you just wrote appears.
Clicking triggers a jump, but because I have not yet set up the jump page login.php, the following error message appears:
Web front end: JavaScript
Use JavaScript to write a function that verifies the user name and password and shows an error message when either is empty. Combine it with the previous tyn001.html to form a new HTML page, tyn002.html.
Web back end: MySQL basics
Use /etc/init.d/mysql start to start the MySQL service.
Enter mysql -u root -p to log in with the root account, and enter the corresponding password when prompted. My MySQL default password is just pressing Enter; I have not understood the meaning of Yes, and after pressing Enter directly I was in MySQL.
Use show databases; to view basic information.
To modify the root user password for MySQL, perform the following steps:
- Enter use mysql; to select the mysql database.
- Enter select user, password, host from user; to view the user names, passwords, and hosts stored in the user table of the mysql database.
- Enter update user set password=PASSWORD("new password") where user='root'; to change the password.
- Enter flush privileges; to apply the change.
Log in again to verify that the password change succeeded.
MySQL: create the database and table
-- 库表的名称 is a placeholder for the name of the new database (schema).
CREATE SCHEMA `库表的名称`;
CREATE TABLE `库表的名称`.`users` (
  `userid` INT NOT NULL COMMENT '',
  `username` VARCHAR(45) NULL COMMENT '',
  `password` VARCHAR(256) NULL COMMENT '',
  `enabled` VARCHAR(5) NULL COMMENT '',
  PRIMARY KEY (`userid`) COMMENT ''
);
Enter use followed by the database name to switch to the newly created database.
Enter insert into users (userid,username,password,enabled) values (ID number, 'user ID', password("user password"), "TRUE"); to add a new user.
Enter show databases; to view information about the new database.
PHP test
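Create a new PHP test file with vi /var/www/html/test.php and enter the following:
<?php
// Lab-only test page: parameter A is echoed unescaped and passed to include(),
// so it reflects any markup and loads any local file named in the request.
echo($_GET["A"]);
include($_GET["A"]);
echo "php page 5304!<br>";
?>
Open localhost:80/test.php in the browser; the following page appears, so the test succeeded.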
PHP + MySQL: implementing the login web page
Go to /var/www/html, the folder where the earlier login page was written, and enter vim login.php (because the HTML code I wrote earlier already sets login.php as the jump page). The PHP page implements the connection to the database.
Logging in to the web page with the newly added user name and password works without problems.
XSS attack test
XSS (cross-site scripting) is a security vulnerability in web applications that allows malicious web users to embed code into pages that are served to other users.
We enter 33333.jpg in the user name input box to read the image under the /var/www/html directory.
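A hardened form of the login handler and of the user-name echo that the XSS test targets, as an added example (not the original login.php, which is not reproduced on this page). The form field names username and password, the POST method, the database name exp8_db and the account webapp with its CHANGE_ME password are assumptions; the users table and its columns are the ones created above.

```php
<?php
// Added example, not the original login.php. Assumed names: form fields
// "username"/"password" sent by POST, database "exp8_db", account "webapp".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function h(string $s): string {
    // Encode for HTML output so submitted markup is shown as text, not parsed.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function check_login(mysqli $db, string $user, string $pass): bool {
    // Placeholders keep the submitted values out of the SQL text, so quotes
    // or comment markers in them cannot change the structure of the query.
    // PASSWORD() matches how the INSERT on this page stored the value.
    $stmt = $db->prepare(
        "SELECT userid FROM users
         WHERE username = ? AND password = PASSWORD(?) AND enabled = 'TRUE'"
    );
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->store_result();
    $ok = ($stmt->num_rows === 1);
    $stmt->close();
    return $ok;
}

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

// Server-side repeat of the JavaScript empty-field check: the browser-side
// check can be skipped by the client, so it is never the only validation.
if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
    http_response_code(400);
    exit('User name and password are required.');
}

try {
    $db = new mysqli('127.0.0.1', 'webapp', 'CHANGE_ME', 'exp8_db');
    $db->set_charset('utf8mb4');
    $ok = check_login($db, $user, $pass);
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());   // details go to the server log, not the page
    http_response_code(500);
    exit('Login is temporarily unavailable.');
}

echo $ok ? 'Welcome, ' . h($user) . '!' : 'Login failed.';
```

PASSWORD() was removed in MySQL 8.0; on such servers the usual replacement is to store the output of PHP's password_hash() and compare with password_verify() instead of hashing inside the query.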
Basic question Answer
(1) What is a form
A form is a region that contains form elements.
Form elements are elements that allow users to enter information in a form (such as a text field, drop-down list, radio button, check box, and so on).
(2) What languages can the browser parse and run?
Hypertext Markup Language: HTML
Extensible Markup Language: XML
Scripting languages: ASP, PHP, script, JavaScript, VBScript, Perl, Python, ColdFusion, Java, JSP, etc.
(3) What dynamic languages are supported by a web server?
ASP, JSP and PHP are the most commonly used.
Experiment summary and experience
This experiment did not involve many attacks; most of the time was spent building the attack environment. Attacks against the database at the login verification step are still fairly common, so when writing web code we should ensure its security and not leave attackers an opening against the database. This experiment also touched on PHP code for carrying out the actions of a dynamic web page. PHP is simpler than the JSP I learned before and is suitable for writing this kind of small test code.