Access Database Security Defense Policy

Preface:
There is no absolute security in the network. This is a classic saying, and I don't have to say much about it!
Today we will show you how to download the Access database and prevent the Access database from being downloaded.

Attack:

1. using your imagination to modify the database file name may not theoretically prevent downloading.
The purpose of modifying the database name is to prevent the database from being downloaded.
However, if we guess the database name, we can download it directly. Therefore, we cannot guarantee that 100% cannot be downloaded.
A common method to guess the database is to write a program to guess the Database Name and determine whether the WEB returns a 404 error. If an MDB file is submitted and no 404 error is returned, you can guess it, download it directly.
Of course, this has some limitations, because if the database name is very complex, a large number of logs will be generated. The Administrator may have discovered it early, and it will take a long time to guess.

2. Changing the database name suffix to ASA or asp may not prevent downloading.
IIS is using asp. dll processing. when an asp extension file is used, it is output directly without any processing of any other content. However, if the MDB file does not contain any ASP entity, we directly input the URL returned data in IE, that is, the data in the MDB file. We can download the data directly using software such as FLASHGET. After downloading the data, we can change the name and use it. 1: How?

(Figure 1)

3. Add "#" before the database name to prevent downloading.

Some people mistakenly believe that:
"You only need to add # To the front Name of the database file, and then modify the database address in the database connection file (such as conn. asp. The principle is that you can only identify the part before # When downloading, and remove it automatically ."

This is safer. this is only unavailable for normal users. because they do not know or understand the IE coding technology. in encoding, we use % 23 instead. so if we have a database:
Http://www.xxx.com/data/#datapro.mdb
In IE, enter:
Http://www.xxx.com/data/%23datapro.mdb
You can download. 2:

(Figure 2)
4. encrypt the database. After the download, the password of the database will be calculated in 2 seconds.
Some people think that, even if the ACCESS database is encrypted, it cannot obtain any information in the database. This is an incorrect solution. The Access database encryption mechanism is very fragile.

. After encryption, the database system creates an encryption string by "unusual" the password entered by the user and a fixed key, and stores it in *. the mdb file starts with the address "& H42"

In the region, you can use a program to easily write the code for cracking. Such a program already exists on the Internet. Now I recommend a relatively old password cracking program: accesskey.exe (available on the CD)

Figure 3:

(Figure 3)
5. We use special requests to make the script parse an error and get the database path.
On the network, many people directly use the following code to connect to the database:
....
DB_Path = "Data/ABCD1234! @ # 1po. mdb"
DB_String = "Provider = Microsoft. Jet. OLEDB.4.0; Data Source =" & Server. MapPath (DB_Path)
Set Conn = Server. CreateObject ("ADODB. Connection ")
Conn. Open DB_String
....
The database file name is complicated enough to be cracked by a program. I think no one wants to try it.
We can directly obtain the path of the database in this EDGE connection mode.
This method is too dangerous and few people know this method. I am afraid to announce it here.
Once the database of the unknown website is published, the database will be downloaded. Wait and check the situation later.
So here I will only provide you with temporary patches.
Add a sentence to Conn. Open DB_String:
On error resume next can solve this problem.

Defense:

We introduced how to download the database.
Here I will explain some methods to prevent the database from being downloaded.

1. You are using a VM:

First, create a table in your MDB file. The name of the field in the table is NotDownLoad.
Enter a field in the table name. Field:
4:

(Figure 4)
Well, I changed the database name to. Asp. Why is it named as actually = 'a'-1 here you can enter it randomly?
As long as it is not a correct Asp statement. Because the extension is changed to. ASP and entered in IE.
When he encounters it, he will explain the code between them. Let him explain it. Errors may occur, so the database will never be downloaded correctly. 5:

(Figure 5)

Are you safe? It's not safe yet. We have to add a # number before the database name.
For example: # Data. Asp # is not used to prevent downloading. The process to prevent downloading has been explained. When you have multiple MDB files and put them in the same directory, for example, 12yes's full-site system.

If we guess the location of the Administrator MDB file and obtain the SQL injection vulnerability from another system
You can use the ACCESS cross-database query method to obtain records in the administrator database.
If we add the # sign before the database name, even if you guess, we are not afraid.
Submit: Select * from D:/web/data/# data. ASP. admin SQL query statement, the system will prompt an error. because # in SQL syntax, it indicates the date. if a syntax error occurs, the query condition will not be executed. (haha 12yes there is another vulnerability that I have successfully used to attack cross-database access !)

In my opinion, the safer database should be # file name. asp and a temporary table with a field in the table
Enter ASP code so that ASP cannot be correctly interpreted.

2. Host hosting:
This kind of anti-download method is too easy to handle. Hehe put your database in a directory other than IIS. He killed me and I couldn't even get down.
If your web directory is in the D:/web/website directory.
Store the database in the D:/web/data directory.
　
Conclusion:
I don't know what you think after reading this article. I believe that only practice will give you the truth. Please try it out. Maybe you will find a better way to prevent downloading and communicate with me.