What is an MDB database? Any network administrator with a little experience building websites knows that the "IIS+ASP+Access" combination is the most popular way to build a site. Most small and medium-sized Internet sites use this "package", but the security problems that come with it are becoming increasingly prominent. One of the easiest for attackers to exploit is the illegal download of the MDB database.
The MDB database is not secure: once an intruder guesses or scans for the path to the MDB database, it is easy to download the file to a local hard drive with a download tool and then view its contents with brute-force cracking tools or other powerful cracking tools. Corporate secrets and employee passwords are then never safe. Is there no way to secure the MDB database? Do we really have to bring in SQL Server or Oracle even when we hold only a little data? The answer is no; this article explains how to create a secure MDB database file.
I. Causes of the crisis:
Typically, the database of an ASP-built website or forum program uses the default MDB extension, which is dangerous. Anyone who guesses the location of the database file and enters its URL in the browser's address bar can easily download it. Even if we set a password on the database and the admin password stored inside is hashed with MD5, it is easily cracked once the file has been downloaded. After all, MD5 can now be cracked by brute force. So once the database has been downloaded, it has no security whatsoever.
II. Commonly used remedial methods:
The following methods are currently in common use to prevent database files from being illegally downloaded.
(1) Rename the database and put it in a very deep directory. For example, renaming the database to Sj6gf5.mdb and placing it in a multilevel directory makes it hard for an attacker to simply guess its location. The disadvantage is that if the ASP source code leaks, no amount of hiding helps.
(2) Change the database extension to ASP, ASA or similar; this does not affect data queries. But a file renamed to ASP or ASA can sometimes still be downloaded. For example, if we rename it to ASP and enter its address directly in IE's address bar, there is no download prompt, but the browser displays a large amount of garbled text. With a dedicated download tool such as FlashGet or AV conveyor, the database file can be downloaded directly. This method does leave the intruder somewhat blind, since the intruder cannot be sure which file is the MDB database whose extension was changed; but an intruder with enough energy and time can download all the files and try changing each extension in turn. That greatly reduces the protection this approach offers.
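An added example (not from the original article): a Python audit that a site owner can run over the web root to find Access databases by their file header rather than by name, since renaming a file to .asp or .asa does not change its content. The directory layout is constructed and reuses the article's example file names.

```python
import os
import tempfile

# An Access file starts with 00 01 00 00, followed by a 15-byte format name.
HEADER_PREFIX = b"\x00\x01\x00\x00"
SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")  # .mdb / .accdb


def is_access_database(path):
    """True when the file content starts with an Access database header."""
    with open(path, "rb") as fh:
        head = fh.read(19)
    return head[:4] == HEADER_PREFIX and head[4:19] in SIGNATURES


def find_exposed_databases(web_root):
    """Return web-relative paths of Access databases under web_root, any extension."""
    hits = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                if is_access_database(full):
                    rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                    hits.append("/" + rel)
            except OSError:
                continue  # unreadable file: skip it, do not abort the audit
    return sorted(hits)


def build_sample_root(root):
    """Constructed sample site: a renamed database, a deeply hidden one, an ASP page."""
    fake_db = HEADER_PREFIX + b"Standard Jet DB\x00" + b"\x00" * 64
    layout = {
        "data/#admin.asa": fake_db,      # extension changed, content unchanged
        "a/b/c/Sj6gf5.mdb": fake_db,     # random name in a deep directory
        "index.asp": b"<% Response.Write \"hello\" %>",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_root(root)
        for hit in find_exposed_databases(root):
            print("database inside web root:", hit)
```

Every path it reports is a database the web server can be asked for, whatever the file is called.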
III. The author's unorthodox method:
During testing, the author found that ASP and ASA files could also be downloaded, and after some study arrived at the following method.
If you name the database file "#admin.asa", you can completely prevent it from being downloaded with IE. But if a FlashGet user guesses the path of the database, the file can still be downloaded successfully, and once the downloaded file is renamed "admin.mdb", the website's secrets are exposed. So we need a way to stop FlashGet from downloading it as well. How? Presumably because of earlier Unicode exploits, the site will not process links that contain Unicode encoding. So we can use Unicode encoding (such as "%3c" instead of "<") to achieve our goal. FlashGet, when it handles a link containing Unicode encoding, "cleverly" decodes it, for example automatically converting the encoded form "%29" into the character "(". So if you submit the download link http://127.0.0.1/xweb/data/%29xadminsxx.mdb to FlashGet, it interprets it as http://127.0.0.1/xweb/data/(xadminsxx.mdb. Compare the address we submitted with the rewritten one: FlashGet has turned "%29xadminsxx.mdb" into "(xadminsxx.mdb". When we click the "OK" button to start the download, it looks for a file called "(xadminsxx.mdb". In other words, FlashGet has led itself astray; it cannot find the file, so the download fails.
However, when the download fails, the attacker will certainly try other methods. This suggests a further precaution: since FlashGet goes looking for a file named "(xadminsxx.mdb", we can give it one. We create a mock database named "(xadminsxx.mdb", so that when the intruder tries to download the file, a database really is downloaded, but it is false or empty. While they are secretly pleased with themselves, the final victory is in fact ours.
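An added example, not part of the original article, that goes one step beyond it: a decoy is most useful when requests for it are noticed, so this Python code flags clients in an IIS W3C log that fetched the decoy or probed for .mdb files. The log lines, IP addresses and selected fields are constructed; the decoy path reuses the article's example name.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (documentation-range IP addresses).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2024-01-05 10:00:01 198.51.100.7 GET /xweb/index.asp 200 5120
2024-01-05 10:00:09 203.0.113.20 GET /xweb/data/admin.mdb 404 0
2024-01-05 10:00:15 203.0.113.20 GET /xweb/data/(xadminsxx.mdb 200 65536
2024-01-05 10:01:30 198.51.100.7 GET /xweb/news.asp 200 2048
"""

DECOY_PATHS = {"/xweb/data/(xadminsxx.mdb"}  # no legitimate page links here
DB_EXTENSIONS = (".mdb",)


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # ignore truncated records
                yield dict(zip(fields, values))


def classify(record):
    """Label a request: decoy access is high confidence, other .mdb hits are probes."""
    uri = record["cs-uri-stem"].lower()
    if uri in DECOY_PATHS:
        return "decoy-download" if record["sc-status"] == "200" else "decoy-probe"
    if uri.endswith(DB_EXTENSIONS):
        return "database-probe"
    return None


def suspicious_clients(text):
    """Map each client IP to the (label, path) pairs that made it suspicious."""
    findings = defaultdict(list)
    for rec in parse_w3c(text):
        label = classify(rec)
        if label:
            findings[rec["c-ip"]].append((label, rec["cs-uri-stem"]))
    return dict(findings)


if __name__ == "__main__":
    for ip, events in suspicious_clients(SAMPLE_LOG).items():
        print(ip, events)
```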
Summary:
This introduction to an unorthodox way of protecting MDB database files identifies two security measures. The first is obfuscation: changing the thing the hacker is after, such as the file name or extension of the MDB file. The second is substitution: hiding what the hacker wants and replacing it with something meaningless, so that even if the hacker succeeds, what they get is false information; they believe the intrusion succeeded and stop attacking.