What is an mdb database?

Anyone with experience in building websites or managing networks knows that the "IIS + ASP + Access" combination is currently the most popular way to build websites. Most small and medium-sized Internet websites use this "package", but the security problems that come with it are becoming increasingly prominent. Among them, the one attackers exploit most easily is the unauthorized download of the MDB database.
MDB databases have no security protection of their own. As long as intruders guess or scan out the path to the mdb database, they can use a download tool to easily download it to a local hard disk and, with brute-force cracking tools or some "super-cracking" tools, easily view the contents of the database file. The company's private data and employee passwords are then no longer secure. Is there no way to enhance the security of MDB databases? Even if we only have a little bit of data, do we have to bother with SQL Server or Oracle? The answer is no. In this article, I will share a distinctive trick for creating secure mdb database files.
I. Cause of the crisis:
In general, website programs and forums built on ASP use mdb as the default database extension, which is very dangerous. An attacker only has to guess the location of the database file and enter its URL in the browser's address bar to download it. Even if we add a password to the database and the administrator password stored in it is encrypted with MD5, it is easily cracked once the file has been downloaded to a local machine. After all, MD5 can be cracked by brute force. Therefore, once the database has been downloaded, it has no security left.
II. Common remedies:
Currently, the following methods are commonly used to prevent unauthorized download of database files.
(1) Rename the database and put it in a deep directory. For example, you can rename the database to sj6gf5.mdb and place it in a multi-level directory. This makes it difficult for an attacker to guess the location of the database. Of course, the drawback is that if the ASP code files are leaked, hiding the database is useless no matter how deep it sits.
(2) Change the database extension to ASP or ASA; this does not affect data queries. But sometimes the file can still be downloaded after being renamed to ASP or ASA. For example, after renaming it to ASP, entering its address directly in the IE address bar does not prompt a download, but a large block of garbled characters appears in the browser. With a dedicated download tool such as FlashGet or Net Transport, the database file can be downloaded directly. For the intruder this approach is blind, since he cannot be sure which file is an mdb database with a changed extension. But intruders with enough energy and time can download all the files and change their extensions one by one to guess, so the defense this method offers is greatly reduced.
III. The author's approach:
During testing, I ran into the problem that ASP and ASA files could also be downloaded, so after some research I found the following method.
If the database file is named "#admin.asa", downloading it with IE is completely prevented, but if the attacker guesses the database path, he can still download it successfully with FlashGet and then rename the downloaded file to "admin.mdb". So we need a method that FlashGet cannot download either, but how can we make the file undownloadable? Probably because of earlier attacks that used the Unicode vulnerability, the website will not process links that contain Unicode codes. So we can use Unicode encoding (for example, "%3C" in place of "<") to achieve our goal.

FlashGet, however, handles links containing Unicode codes "intelligently" by decoding them; for example, it automatically converts the Unicode-encoded character "%29" to "(". So when you submit the download link http://127.0.0.1/xweb/data/%29xadminsxx.mdb to FlashGet, it interprets it as http://127.0.0.1/xweb/data/(xadminsxx.mdb. Note that the URL submitted and the rewritten URL are different: FlashGet interprets "%29xadminsxx.mdb" as "(xadminsxx.mdb". When we click OK to download, it looks for a file named "(xadminsxx.mdb". In other words, FlashGet leads us astray. Of course the file cannot be found, so it reports a failure.
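An added example (not part of the original article) showing why remedies (1) and (2) are only obfuscation: a Python audit that finds Access databases under a web root by their file header instead of their name. The function names and the constructed sample tree are assumptions of this example; the file names sj6gf5.mdb and #admin.asa are the ones used in the text.

```python
import os
import tempfile

# Access files keep this signature at byte offset 4 no matter what they are named.
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")

def is_access_db(path):
    """Return True if the file header is a Jet/ACE database header."""
    with open(path, "rb") as fh:
        head = fh.read(32)
    return any(head[4:4 + len(sig)] == sig for sig in JET_SIGNATURES)

def find_access_dbs(web_root):
    """Walk web_root and list every Access database, whatever its extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if is_access_db(full):
                    rel = os.path.relpath(full, web_root)
                    hits.append(rel.replace(os.sep, "/"))
            except OSError:
                continue  # unreadable file: skip it, do not abort the audit
    return sorted(hits)

def build_sample_root(root):
    """Constructed sample tree: two disguised databases and two ASP pages."""
    jet_header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 12
    samples = {
        "a/b/c/sj6gf5.mdb": jet_header,   # renamed, deep directory
        "data/#admin.asa": jet_header,    # extension changed to .asa
        "default.asp": b"<% Response.Write \"hi\" %>",
        "data/short.asp": b"<%",          # shorter than the header
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_root(root)
        for hit in find_access_dbs(root):
            print("Access database under web root:", hit)
```

Every path the audit reports is a database that the web server can still hand out to anyone who learns its URL.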
However, when a download failure message appears, attackers will certainly turn to other attack methods. We can therefore add another layer of defense. Since FlashGet goes looking for a file named "(xadminsxx.mdb", we can prepare one for it: a simulated database named "(xadminsxx.mdb". When intruders try to download the file, they really do download a database, but the database file is fake or empty, so the final victory belongs to us.
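An added example (not part of the original article): since no legitimate page links to the decoy database, any request for it in the IIS log marks a client that is probing for the real one. This Python sketch assumes W3C extended logging with the fields shown, takes the decoy path from the article's example URL, and runs on a constructed sample log.

```python
from urllib.parse import unquote

# Assumed decoy location (path taken from the article's example URL).
DECOY_PATH = "/xweb/data/(xadminsxx.mdb"

def parse_w3c(lines):
    """Yield one dict per request, using the log's own #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def decoy_hits(lines, decoy=DECOY_PATH):
    """Return (timestamp, client IP, status) for every request for the decoy."""
    wanted = decoy.lower()
    hits = []
    for rec in parse_w3c(lines):
        # Decode and lowercase the path: IIS paths are case-insensitive.
        stem = unquote(rec.get("cs-uri-stem", "")).lower()
        if stem == wanted:
            stamp = rec.get("date", "") + " " + rec.get("time", "")
            hits.append((stamp, rec.get("c-ip", ""), rec.get("sc-status", "")))
    return hits

# Constructed sample log in IIS W3C extended format (documentation addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2024-01-01 10:00:01 192.0.2.10 GET /xweb/index.asp 200 5120
2024-01-01 10:00:07 198.51.100.7 GET /xweb/data/(xadminsxx.MDB 200 65536
2024-01-01 10:00:09 198.51.100.7 GET /xweb/data/admin.mdb 404 0
2024-01-01 10:02:30 203.0.113.5 HEAD /xweb/data/(XADMINSXX.mdb 200 0
""".splitlines()

if __name__ == "__main__":
    for stamp, ip, status in decoy_hits(SAMPLE_LOG):
        print(f"{stamp} decoy requested by {ip} (status {status})")
```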
Summary:
This walkthrough of protecting mdb database files illustrates two security measures. The first is obfuscation: changing what the hacker is looking for, such as the file name or extension of the MDB file. The second is replacement: hiding what the hacker wants and putting something of no practical value in its place. That way, even if a hacker successfully intrudes into the system, he obtains only false information and, believing the intrusion succeeded, stops the next attack.