pentesterlab学习记录-week3
来源:互联网 发布:粗集料坚固性试验数据 编辑:程序博客网 时间:2024/06/09 18:34
——————————————————————————————————————————————————————————————————————————
Week 3:PHP and DNS
- PHP basics:
- Install PHP in your virtual machine (using your previous Apache installation), write a script that echoes back a parameter in the URL. For example, accessinghttp://vulnerable/hello.php?name=Louis will return "Hello Louis".
- Install Mysql and create a script that retrieves information from it, like article.php?id=1 returns a book and article.php?id=2 returns a computer.
- Create a page that sends data to itself using a POST request.
- DNS and whois:
- Install the command line tool dig in your vm.
- Find what name servers are used by PentesterLab, find what Mail servers are used by pentesterlab and find the Ip address of www.pentesterlab.com
- Obtain information about pentesterlab.com using the whois tool.
这周要学的东西比较多,包括:
1. 虚拟主机(virtual hosting)概念及在apache上的配置
虚拟主机是一种让单一服务器可以运行多个网站或服务的技术,实现方式主要有三种:
- 网址名称对应(Name-based)
- IP地址对应(IP-based)
- Port端口号对应(Port-based)
实际中可能几种方式一起使用。
在apache服务器中,需要编辑httpd.conf,配置<virtualhost>标签,我配置了两个虚拟主机“vulnerable"和”phpserver“,宿主机host文件也要相应修改,这样就能通过网址访问这两个”不同域名“的网站了(虽然是同一个IP)。
NameVirtualHost *:80<VirtualHost *:80> ServerName vulnerable DocumentRoot /var/www</VirtualHost><VirtualHost *:80> ServerName phpserver DocumentRoot /var/www/php</VirtualHost>
2. DNS Zone Trasfer的概念及安全威胁
除了wiki的介绍外,我觉得How the AXFR protocol works也值得看看
3. Mysql基础
ubuntu里装的版本是5.5,边看官方的文档边练习。
建了个pentest数据库,建了张pet表,建了个pentest用户赋予select pet表权限。
4. PHP基础
自学建议还是看官方文档。W3CSchool也有个教程,但不详细。
下面是前两个练习的代码,PHP5.3:
- echoname.php主要代码,访问http://phpserver/echoname.php?name=xxx
<?phpecho "Hello, ".htmlspecialchars($_GET["name"]);?>
- mysql_select.php,访问http://vulnerable/mysql_select.php?sex=f (pet表中sex一列,f表示female,m表示male,其他输入忽略)
<!DOCTYPE html><html><body><?php//Create connection$con = new mysqli("localhost", "pentest", "pentest", "pentest");if ($con->connect_errno) {echo "Failed to connect to MySQL: ".$con->connect_errno.") ". $con->connect_error;}//get pet_sex value, if not equal "f" or "m", ignore it.$pet_sex = htmlspecialchars($_GET["sex"]);if ($pet_sex == "f" || $pet_sex == "m") {$query = "select * from pet where sex = '".$pet_sex."'";if ($result = $con->query($query)) {echo "<table border='1'>\n";//print table columnsecho "<tr>\n";$col = $result->fetch_fields();foreach ($col as $val) {echo "<th>".$val->name."</th>\n";}echo "</tr>\n";//print resultswhile ($row = $result->fetch_row()) {echo "<tr>\n";foreach ($row as $val) {echo "<td>".$val."</td>\n";}echo "</tr>\n";}echo "</table>\n";$result->close();}}$con->close();?></body></html>
0 0
- pentesterlab学习记录-week3
- pentesterlab学习记录-week1
- pentesterlab学习记录-week2
- 记录week3
- week3学习总结
- Week3
- week3
- week3
- week3
- week3
- 【KMP】Hihocoder/Week3 学习笔记
- Coursera机器学习 week3 assignment
- web前端学习-week3-four
- Coursera机器学习 Week3 笔记
- CS50 2016-Week3 学习笔记
- deeplearing.ai week3 学习笔记
- css页面布局 week3学习
- coursera Machine Learning Week3-1 学习笔记
- trie基本用法
- 看你的飞洒洛克菲勒看能否
- iReport专题学习之报表元素03
- 使用ENVI打开raw格式影像
- 玩玩儿Flyway:数据库迁移
- pentesterlab学习记录-week3
- 九度1464:Hello World for U
- HDU 2594 Simpsons’ HiddenTalents(KMP:后缀与前缀)
- Java List/ArrayList操作示例----添加/排序/取子块/删除/追加元素
- 启动app时 出现程序默认标题栏 解决办法
- Java第4周实验
- 第六周项目2-对象作为数据成员
- 求3个处理机同时工作完成7个任务所用时间
- AOV网络与拓扑(二)——实现