Data security protection to create a Security. mdb database

 

What is an mdb database? All network administrators who have some experience in website creation know that the combination of "IIS + ASP + ACCESS" is the most popular in website creation. Most small and medium Internet websites use this "package ", however, security issues are becoming increasingly prominent. Among them, the most vulnerable to attackers is the illegal download of the mdb database.

Mdb databases do not have security protection. As long as intruders guess or scan the path to the mdb database, they can be easily downloaded to the local hard disk using the download tool, combined with brute-force cracking tools or some super-cracking tools, you can easily view the content of the database files in it. The company's privacy and employee passwords are never secure. Is there no way to enhance the security of mdb databases? Even if we only have a little bit of data, do we have to bother SQL server or oracle? The answer is no. In this article, I will tell you the unique secret to creating secure mdb database files.

I. Cause of crisis:

In general, the default extension of website programs and Forum databases built based on ASP is mdb, which is very dangerous. Just guess the location of the database file and enter its URL in the address bar of the browser to download the file easily. Even if we add a password to the database and the administrator password in it is also encrypted by MD5, it will be easily cracked after being downloaded to the local device. After all, MD5 can be cracked by brute force. Therefore, as long as the database is downloaded, there is no security in the database.

Ii. Common remedy:

Currently, the following methods are commonly used to prevent unauthorized download of database files.

(1) modify the database name and put it under a deep directory. For example, you can change the database name to Sj6gf5. mdb and put it in a multi-level directory. This makes it difficult for an attacker to guess the location of the database. Of course, the drawback of this is that if ASP code files are leaked, it will be useless no matter how deep it is hidden.

(2) Change the database extension to ASP or ASA without affecting the data query name. But sometimes it can still be downloaded after being modified to ASP or ASA. For example, after modifying it to ASP, you can directly enter the network address in the address bar of IE, although the download is not prompted, a large piece of garbled code appears in the browser. If you use professional download tools such as flash get or audio and video conveyor belt, you can directly download the database files. However, this method is blind. After all, intruders cannot ensure that the file is a file with the MDB database file to modify the extension, but for those intruders who have enough energy and time, you can download all the files and modify all the extensions to guess. The defense level of this method will be greatly reduced.

3. The author's context:

During the test, I encountered the problem that ASP and ASA files were also downloaded. Therefore, the following methods were found after research.

If you name a database file, the database file is named "# admin. "asa" can completely avoid using IE to download, but if the attacker guesses the database path, he can still download it successfully with FlashGet, and then rename the downloaded file as "admin. mdb. So we need to find a method that cannot be downloaded by flash get, but how can we make it unavailable? This is probably because the website was previously attacked by the unicode vulnerability and will not process links containing unicode codes. So we can use unicode encoding (for example, we can use "% 3C" instead of "<") to achieve our goal. While FlashGet processes links containing unicode codes, it intelligently processes unicode encoding, for example, the unicode encoded character "% 29" is automatically converted to "(", so you submit an http: // 127.0.0.1/xweb/data/% 29xadminsxx to FlashGet. the download link of mdb is interpreted as http: // 127.0.0.1/xweb/data/(xadminsxx. mdb. Check that the URL above is different from the renamed URL below. FlashGet calls "% 29xadminsxx. mdb is interpreted as "(xadminsxx. mdb. When we click OK to download the object, it looks for an object named "(xadminsxx. mdb file. That is to say, FlashGet leads us astray. Of course, it cannot be found, so it prompts a failure.

However, if a message indicating a download failure occurs, attackers must take other attack methods. Therefore, we can adopt another defense method. Since FlashGet goes to the "(xadminsxx. mdb file. We can prepare one for it. We will give it a simulated database named "(xadminsxx. mdb ", so when the intruders want to download files, they actually download a database, but the database file is false or empty, in fact, the final victory belongs to us.

Summary:

This article introduces how to protect MDB database files. We can clarify two security measures: obfuscation and change what hackers want, for example, you can change the file name or extension of an MDB file. Second, you can use a replacement method to hide what hackers want and replace it with something that has no practical significance. In this way, even if hackers successfully intrude into the file, what they get is also a false information, and they will stop the next attack for the intrusion.