Access attacks: downloading the database and exposing the database path

Source: Internet
Author: User
1. Use your imagination to modify the database file name. In theory, this may not prevent downloading. The database name is modified to stop us from guessing it and then downloading the database. But if we do guess the database name, we can download it directly, so this cannot guarantee 100% that the database cannot be downloaded. The common way to guess the database name is to write a program that checks whether the web server returns a 404 error: if a request for an MDB file does not return a 404 error, the name has been guessed and the file can be downloaded. Of course, this has some limitations: if the database name is very complex, guessing generates a large number of log entries, and the administrator may notice it early. In addition, it may take a long time to guess.

2. Changing the database file extension to ASA or ASP may not prevent downloading either. IIS handles files with an .asp extension through asp.dll, which outputs any content that is not ASP script directly, without processing it. So if the MDB file does not contain any ASP script content, entering its URL directly in IE returns the data in the MDB file to the browser. We can simply use software such as FlashGet to download the file, and then use it.





3. Adding "#" in front of the database name to prevent downloading.

Some people mistakenly think: "You only need to add # in front of the database file name and then change the database address in the connection file (such as conn.asp). The principle is that a download only recognizes the part of the URL before the #, and the rest is dropped automatically."

This is somewhat safer, but only against ordinary users trying to download the file, because they do not know or understand IE's URL encoding. In URL encoding, # is written as %23. So if the database is at http://www.xxx.com/data/#datapro.mdb, we can simply enter http://www.xxx.com/data/%23datapro.mdb in IE and download it.
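A defender's check for the behaviour described in sections 1 and 3, as an added example that is not part of the original article: it scans IIS W3C logs for clients that accumulate 404 responses on .mdb names and for any .mdb file that was actually served, including names requested with %23. The log lines, the selected fields and the threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 203.0.113.5 GET /data/db.mdb 404
2024-01-01 10:00:01 203.0.113.5 GET /data/data.mdb 404
2024-01-01 10:00:02 203.0.113.5 GET /data/database.mdb 404
2024-01-01 10:00:02 203.0.113.5 GET /data/%23datapro.mdb 200
2024-01-01 10:05:00 198.51.100.7 GET /index.asp 200
2024-01-01 10:06:00 198.51.100.7 GET /images/logo.gif 404
"""

DB_EXTENSIONS = (".mdb",)   # assumption: add ".asa" etc. if databases were renamed
MISS_THRESHOLD = 3          # assumption: 404s on database names per client


def analyze(log_text, threshold=MISS_THRESHOLD):
    """Return (clients guessing database names, database files actually served)."""
    fields = []
    misses = defaultdict(int)
    served = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Decode %23 and similar so "#name.mdb" is matched as well.
        path = unquote(row.get("cs-uri-stem", "")).lower()
        if not path.endswith(DB_EXTENSIONS):
            continue
        client = row.get("c-ip", "unknown")
        status = row.get("sc-status")
        if status == "404":
            misses[client] += 1            # a wrong guess at the database name
        elif status in ("200", "206"):     # 206: ranged fetch by a download manager
            served.append((client, path))
    guessers = sorted(ip for ip, n in misses.items() if n >= threshold)
    return guessers, served


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any entry in the second list means the web server handed out a database file, which is the condition to fix regardless of how the name was found.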





4. Encrypting the database.

Some people think that once the database is encrypted, anyone who obtains it cannot get any information out of it. This is wrong. After downloading it, the database password can be recovered in two seconds. The Access database encryption mechanism is very fragile. After the database is encrypted, the system creates an encrypted string by XORing the password entered by the user with a fixed key, and stores it in the *.mdb file starting at address &H42. A program to crack this is easy to write, and such programs already exist on the Internet. Here I recommend an old but practical program for cracking the database password: accesskey.exe



5. Using special requests to cause a parsing error in the script and expose the database path.

On the Internet, many people connect to the database directly with code like the following:

    ...
    DB_Path = "Data/ABCD1234!@#1po.mdb"
    DB_String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(DB_Path)
    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open DB_String
    ...

The database file name here is too complex to crack with a guessing program, and I think no one would want to try. But with a connection like this, we can obtain the database path directly. This method is too dangerous, and few people know it, so I am afraid to publish it here: once it is published, websites' databases will be downloaded. I will wait and see how the situation develops. So here I will only provide a temporary patch. Add one line above Conn.Open DB_String: On Error Resume Next. This solves the problem.
