20155306 White Jiao "Network attack and Defense" EXP8 Web Foundation

20155306 White Jiao "Network attack and Defense" EXP8 Web Foundation one, question answer

-What is a form

表单：一般用来收集用户的信息和反馈意见表单包括两个部分：一部分是HTML源代码用于描述表单（例如，域，标签和用户在页面上看见的按钮），另一部分是脚本或应用程序用于处理提交的信息（如CGI脚本）。不使用处理脚本就不能搜集表单数据。表单由文本域、复选框、单选框、菜单、文件地址域、按钮等表单对象组成，所有的部分都包含在一个由标识符标志起来的表单结构中。表单的种类有注册表、留言薄、站点导航条、搜索引擎等。

-Browser can parse what language to run

超文本标记语言：HTML可扩展标记语言：XML脚本语言：ASP、PHP、Script、JavaScript、VBScript、Perl、Python、ColdFusion、Java、JSP等。

-What dynamic languages are supported by webserver

JavaScript、ASP、PHP、Ruby等脚本语言，ASP基于IIS WEB SERVER，是微软的服务器端脚本技术，PHP基于APACHE WEB SERVER，与ASP有几分类似，都是一种在服务器端执行的嵌入HTML文档的脚本语言。

Ii. Experimental Steps (1) Web front-end HTML

1. Use the command apachectl start to open the Apache service and use NETSTAT-APTN to view the port occupancy. Kill the process with the kill+ process ID , the Apache service opens, will open the last experimental Cloning Web page, that we Apache normal work.

2. Edit the test1.htmlin the/var/www/html directory:

代码：

(2) Web Front End Javascip

JavaScript是一种属于网络的脚本语言,已经被广泛用于Web应用开发,常用来为网页添加各式各样的动态功能,为用户提供更流畅美观的浏览效果，通常JavaScript脚本是通过嵌入在HTML中来实现自身的功能的。

The test2.html code is as follows :

• Hint function: If the user name or password is empty, the following warning will appear.

• Reset function: Directly press the reset button, you can empty the previously populated user name and password.

As you can see, empty directly

(3) Web backend: MySQL Foundation: normal installation, start MySQL, build library, create user, change password, build table

1. Open SQL Service /etc/init.d/mysql star
   2. Enter mysql-u root –p, and follow the prompts to enter the password, the default password is * *[email protected]* *, into MySQL
   3. Change your password

- 输入use mysql;//选择mysql数据库- 输入UPDATE user SET password=PASSWORD("新密码") WHERE user='root';//更改密码- 输入flush privileges;//更新权限- 输入quit//退出

4. Create a Database

[email protected]:/# mysql-u root-p//Enter the password as prompted, the default password is [Email protected]enter password:welcome to the MariaDB  Monitor. Commands End With; or \g.your MariaDB connection ID is 8Server version:10.1.26-mariadb-1 Debian unstablecopyright (c), Oracle, Ma RIADB Corporation Ab and others. Type ' help ', ' or ' \h ' for help. Type ' \c ' to clear the current input statement. MariaDB [(None)]> use mysql;//select MySQL database reading table information for completion of table and column namesyou can turn Off this feature to get a quicker startup with-adatabase changedmariadb [mysql]> CREATE TABLE ' T_user ' (-I d ' Int (one) not null auto_increment, ' userName ' varchar () DEFAULT NULL, ' password ' varchar DEFA ULT NULL, PRIMARY KEY (' id '), engine=innodb auto_increment=2 DEFAULT charset=utf8;//create Table table name ( field setting list); Set data table query OK, 0 rows affected (0.20 sec) MariaDB [mysql]> insert INTO ' t_user ' (' id ', ' userName ', ' Password ') val UEs (1, ' 20155306 ', ' 123456 ');//insert into table name values (' Value 1 ', ' Value 2 ', ' Value 3 ' ...); Insert Data query OK, 1 row Affected (0.00 sec) MariaDB [mysql]> select * FROM T_user-//select * FROM table name query table Data +----+- ---------+----------+| ID | UserName |  Password |+----+----------+----------+| 1 | 20155306 |  123456 |+----+----------+----------+1 row in Set (0.00 sec) MariaDB [mysql]>

(4) Web backend: Writing PHP Web pages, connecting databases, authenticating users

PHP是一种通用开源脚本语言，语法吸收了C语言、Java和Perl的特点，主要适用于Web开发领域。它可以比CGI或者Perl更快速地执行动态网页。用PHP做出的动态页面与其他的编程语言相比，PHP是将程序嵌入到HTML文档中去执行，执行效率比完全生成HTML标记的CGI要高许多；PHP还可以执行编译后代码，编译可以达到加密和优化代码运行。

1. We can create a new PHP test file in the/var/www/html directory.

<?php  echo ($_GET["a"]);  include($_GET["a"]);  echo "i am 20155306!<br>";?>

The browser opens LOCALHOST:80/LXM_TEST.PHP?A=/ETC/PASSWD to see the contents of the/etc/passwd file.

2. Next, we use PHP and MySQL in conjunction with the previously compiled login page for simple user authentication.

test2login.php:

代码：

3. Change the Action property of the form in the test2.html code of the previously compiled login page to test2login.php, and then enter it in Firefox localhost:8082/login_test.html Visit your login page: [Note: The port number depends on your own situation to determine!] ]

4. User name and password write the last step of the MySQL database the new user name and password, matching success is shown as follows

5. If the mismatch is displayed as follows

(5) Simplest SQL injection

SQL注入，就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串，最终达到欺骗服务器执行恶意的SQL命令。具体来说，它是利用现有应用程序，将（恶意的）SQL命令注入到后台数据库引擎执行的能力，它可以通过在Web表单中输入（恶意）SQL语句得到一个存在安全漏洞的网站上的数据库，而不是按照设计者意图去执行SQL语句。

1. Perpetual attack

In the User name input box, enter: ‘ or 1=1# , enter any password.

2. Common SQL attacks

• In the User name input box, enter:

';insert into users(id,userName,password) values(5,'1553',password("5306"));#

• After logging in, the following interface appears:

• Query the database to find a true add success, the comparison indicates the success of inserting:

• Log in with the user name and password you just inserted and log in successfully.

(6) XSS attack

SS攻击：跨站脚本攻击(Cross Site Scripting)，为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆。故将跨站脚本攻击缩写为XSS。XSS是一种经常出现在web应用中的计算机安全漏洞，它允许恶意web用户将代码植入到提供给其它用户使用的页面中。比如这些代码包括HTML代码和客户端脚本。

1. Refer to a common test, enter 20155306 in the User name input box to read the picture in the/var/www/html directory, but the interface is always present, and no image appears.

1. The type of XSS is generally divided into three types:

第一种：反射型XSS反射型XSS只是简单的把用户输入的数据“反射”给浏览器.也就是说需要诱使用户“点击”一个恶意链接，才能攻击成功。反射型XSS也叫作“非持久型XSS”第二种：储存型XSS储存型XSS会把用户输入的数据“储存”在服务器端。这种XSS具有很强的稳定性第三种：DOM Based XSS

Here, we use reflection type XSS, by sending someone a URL with malicious script code parameters, when the URL address is opened, the unique malicious code parameters are parsed and executed by HTML.

• Suppose a page outputs the parameters entered by the user directly to the page.

- 正常情况下，用户提交数据会展示到页面中Http://127.0.0.1/xss.php?param=This is a test! ", get the following results:

When viewing the page source code, you can see:<div>/This is a xss test!</div>

• If you submit an HTML code:
  http://127.0.0.1/xss.php?param=<script>alert(/This is a xss test!/)</script>, you will find that alert (/this is a XSS test!/) executes on the current page.

• Then view the source code:
  <div><script>alert(/This is a xss test!/)</script></div>
  Script entered by the user has been written to the page, which is not what the developer wants to see. This is the principle of reflective XSS attacks.

Third, the difficulties encountered

Issue: Error 1045 (28000): Errors may occur after executing command mysql-u root-p in MySQL.

Solution: Through Baidu, found the solution is as follows, you can refer to the tutorial error 1045 (28000)

[email protected]:/#/etc/init.d/mysql stop[OK] stopping MySQL (via Systemctl): Mysql.service. [email protected]:/# mysqld_safe--user=mysql--skip-grant-tables--skip-networking &[1] 3687[email  protected]:/# 180516 19:38:54 mysqld_safe Logging to syslog.180516 19:38:54 Mysqld_safe starting mysqld daemon with Databa Ses from/var/lib/mysql mysql-u root mysqlreading table information for completion of table and column namesyou can turn  Off this feature to get a quicker startup With-awelcome to the MariaDB Monitor. Commands End With; or \g.your MariaDB connection ID is 2Server version:10.1.26-mariadb-1 Debian unstablecopyright (c), Oracle, Ma RIADB Corporation Ab and others. Type ' help ', ' or ' \h ' for help. Type ' \c ' to clear the current input statement. MariaDB [mysql]> UPDATE user SET Password=password (' NewPassword ') where user= ' root '; Query OK, 4 rows affected (0.03 sec) rows Matched:4 changed:4 warnings:0mariadb [mysql]> FLUSH privileges; Query OK, 0 rows affected (0.01 sec) MariaDB [mysql]> quitbye[email protected]:/#/etc/init.d/mysql restart[OK] Rest Arting MySQL (via Systemctl): Mysql.service.  [email protected]:/# Mysql-uroot-penter Password:welcome to the MariaDB Monitor. Commands End With; or \g.your MariaDB connection ID is 4Server version:10.1.26-mariadb-1 Debian unstablecopyright (c), Oracle, Ma RIADB Corporation Ab and others. Type ' help ', ' or ' \h ' for help. Type ' \c ' to clear the current input statement. MariaDB [(None)]> Select User, password, host from user; ERROR 1046 (3d000): No database selectedmariadb [(none)]> MariaDB [(none)]> use MySQL; Reading table information for completion of table and column namesyou can turn off this feature to get a quicker startup W Ith-adatabase changedmariadb [mysql]> Select User, password, host from user;+------------------+------------------- ------------------------+--------------------+| user |                       Password           | Host |+------------------+-------------------------------------------+--------------------+| Root | *fe4f2d624c07aaebb979da5c980d0250c37d8f63 | localhost | | Root | *fe4f2d624c07aaebb979da5c980d0250c37d8f63 | aphrodite.kali.org | | Root | *fe4f2d624c07aaebb979da5c980d0250c37d8f63 | 127.0.0.1 | | Root | *fe4f2d624c07aaebb979da5c980d0250c37d8f63 | :: 1 | | Debian-sys-maint | *93fe00cd040e5b41447c242efdc6e00481b98c3d | localhost |+------------------+-------------------------------------------+--------------------+5 rows in set (0. XX sec) MariaDB [mysql]> UPDATE user SET Password=password ("20155306") WHERE user= ' root '; Query OK, 4 rows Affected (0.00 sec) rows Matched:4 changed:4 warnings:0mariadb [mysql]> flush privileges; Query OK, 0 rows Affected (0.00 sec)

20155306 White Jiao "Network attack and Defense" EXP8 Web Foundation