
Views: 16604 | Replies: 2

[Microsoft Access] 2011 MSSQL Data: Tutorial on Creating a Secure .mdb Database

Posted on 11/26/2014 3:46:39 PM
What is an MDB database? Any network administrator with some experience in website production knows that the combination "IIS+ASP+ACCESS" is the most popular way to build a website, and most small and medium-sized Internet websites use this "package", but the security problems that come with it are becoming more and more obvious. One of the most exploited by attackers is the illegal download of the MDB database.
As long as the intruder guesses or scans out the path to the mdb database, he can easily download it to his local hard disk with a download tool, and then, combined with brute-force cracking tools or other "super" cracking tools, easily view the contents of the database file; the privacy of the enterprise and the passwords of its employees are no longer safe. Can't we strengthen the security of the MDB database? Even if we only have a little data, do we have to go to the trouble of SQL Server or Oracle? The answer is no. In this article, the author will tell you the unique secret of creating a secure MDB database file.
1. Causes of the crisis:
In general, the database of website programs and forums built on ASP has the extension mdb by default, which is very dangerous. Anyone can easily download the file by guessing the location of the database file and entering its URL in the browser's address bar. Even if we add a password to the database and the administrator password inside is also encrypted with MD5, it is easy to crack after downloading it locally; after all, MD5 can already be cracked by brute force. Therefore, as long as the database can be downloaded, the database is not secure at all.
2. Commonly used remedy methods:
At present, there are several commonly used methods to prevent illegal downloading of database files.
(1) Modify the name of the database and put it under a deep directory. For example, changing the database name to Sj6gf5.mdb and placing it in a multi-level directory makes it difficult for an attacker to simply guess the location of the database. Of course, the disadvantage of this is that if the ASP code file is leaked, it is useless no matter how deeply it is hidden.
(2) Change the extension of the database to ASP or ASA or another name that does not affect data queries. But sometimes it can still be downloaded after changing it to ASP or ASA. For example, after we change it to ASP and enter the address directly in the address bar of IE, there is no prompt to download, but a large number of garbled characters appear in the browser. If you use a professional download tool such as FlashGet or Video Conveyor, you can directly download the database file. However, this method has a certain blindness; after all, the intruder cannot be sure that a given file is necessarily an MDB database file with a modified extension, but intruders with enough energy and time can download all the files and change the extensions to guess. The level of protection of this method is then greatly reduced.
3. The author's side door:
During the author's tests, I encountered the problem that ASP and ASA files will also be downloaded, so after some research I found the following method.
If you name the database file "#admin.asa", you can completely prevent it from being downloaded with IE, but if the vandal guesses the path of the database, he can still successfully download it with FlashGet, then rename the downloaded file to "admin.mdb", and the website's secrets will be exposed. So we need to find a way to make FlashGet unable to download it, but how can we make it undownloadable? Probably because of earlier unicode vulnerabilities, websites will not process links containing unicode codes. So we can use unicode encoding (for example, we can use "%3C" instead of "<", etc.) to achieve our goal. However, when FlashGet processes a link containing unicode codes, it "cleverly" does the corresponding processing of the unicode encoding, such as automatically converting the encoded form "%29" into "(", so when you submit the download link http://127.0.0.1/xweb/data/%29xadminsxx.mdb to FlashGet, it interprets it as http://127.0.0.1/xweb/data/(xadminsxx.mdb. Compare the URL above with the renamed form: FlashGet interprets "%29xadminsxx.mdb" as "(xadminsxx.mdb", and when we click the "OK" button to download, it goes looking for a file called "(xadminsxx.mdb". That is to say, FlashGet leads us astray; of course it can't find the file, so it reports failure.
However, if the download fails, the attacker will certainly want to try another attack method. From this we can derive another prevention method: since FlashGet goes looking for the file called "(xadminsxx.mdb", we can prepare one for it. We make a simulated database called "(xadminsxx.mdb", so that when the intruder wants to download the file, he does get a database back, but the database file is fake or empty. While they secretly rejoice, the final victory is in fact ours.
Summary:
Through this introduction to methods of protecting MDB database files, we can clarify two security measures: one is the confusion method, that is, changing what the hacker wants to get, such as changing the file name or extension of the MDB file; the second is the substitution method, that is, hiding what the hacker wants to get and replacing it with something that has no practical meaning, so that even if the hacker successfully intrudes, he gets false information, thinks the intrusion succeeded, and stops the next attack.
Posted on 10/22/2017 2:15:09 PM
In the tank!! In the tank!! In the tank!! In the tank!! In the tank!! In the tank!!