Database download vulnerability attack techniques

The number one killer among script vulnerabilities, the database download vulnerability, is now known to more and more people. In an era when information technology is updated so rapidly, every vulnerability is quickly followed by countermeasures, such as changing the database file's extension or its name. Many people think that doing this solves the problem, but things are often not as good as one hopes: even after these changes, the database can still be taken by someone who knows the tricks. It is therefore worth understanding some of these attack techniques in order to improve our own defences.
1. Forcing the download of database files renamed with the ASP or ASA extension
To save time, most websites' article systems, forums and other programs are built by downloading someone else's source code and using it after a few modifications. Many ASP programs now ship with the database file's extension changed from the original MDB to ASP or ASA. That is a good thing, but in a society where information spreads so quickly, such an old trick only buys a limited amount of time. For a database file with the ASP or ASA extension, as long as the attacker knows where it is stored, a download tool such as Thunder can fetch it without difficulty. Figure 1 shows a database file I downloaded with Thunder (note that the file has the ASP extension).
Figure 1
2. The fatal symbol: #
Many web administrators believe that putting a # in front of the database file name prevents it from being downloaded. I also once thought that IE could not download a file whose name contains #, because IE automatically discards everything after the # sign. What we forget, however, is that a web page can be requested not only in the usual way but also by using URL encoding in IE.
In IE every character has a corresponding encoding, and the encoded form %23 can stand in for #. This means we can still download a database file that has only had its extension changed and a # added to its name. For example, if #data.mdb is the file we want, we need only enter %23data.mdb in the browser's address bar and IE will download the database file. The # defence is thus as good as no defence at all.
Figure 2
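For a defender, both sections above come down to the same observation: the request for the renamed database file, and the %23-encoded request that gets past the # prefix, both show up in the web server's access log. The following Python script is an example added here; it is not part of the original article. It scans IIS-style W3C log lines for requests that target the site's database file under any of its extensions, or that carry an encoded or literal # in the path. The log lines, the database file names it knows about and the directory layout are constructed assumptions for the example.

```python
"""Flag requests that look like database downloads in IIS W3C logs.

Added example, not from the original article. The log excerpt, the
database file names and the directory layout are all constructed.
"""
import os
from urllib.parse import unquote

# Constructed IIS W3C log excerpt. Field order follows the '#Fields:'
# directive line, as in a real IIS log.
LOG_LINES = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-03-01 10:00:01 192.0.2.10 GET /index.asp - 200
2009-03-01 10:00:05 192.0.2.10 GET /images/logo.gif - 200
2009-03-01 10:01:12 192.0.2.44 GET /database/data.asp - 200
2009-03-01 10:01:40 192.0.2.44 GET /database/%23data.mdb - 200
2009-03-01 10:02:03 192.0.2.44 GET /database/%23Data.asa - 404
""".splitlines()

# Base names the site's database is stored under (assumed for this
# example). The renamed variants (.asp/.asa) are listed alongside .mdb
# because, as the article shows, the rename alone changes nothing.
DB_BASENAMES = {"data"}
DB_EXTENSIONS = {".mdb", ".asp", ".asa"}


def classify_request(uri_stem):
    """Return the list of reasons a request looks like a database download.

    An empty list means the request is not of interest.
    """
    reasons = []
    # A literal '#' never reaches the server from a normal browser request
    # (it starts the URL fragment), so a logged path carrying '#' or its
    # encoding %23 was built deliberately to get past the '#' prefix.
    if "%23" in uri_stem.lower() or "#" in uri_stem:
        reasons.append("encoded or literal '#' in path")
    # Compare the decoded, lower-cased file name against the known
    # database names, ignoring any leading '#' characters.
    name = unquote(uri_stem).rsplit("/", 1)[-1].lower()
    root, ext = os.path.splitext(name)
    if root.lstrip("#") in DB_BASENAMES and ext in DB_EXTENSIONS:
        reasons.append("request for database file " + name)
    return reasons


def parse_fields(lines):
    """Yield one dict per data line, keyed by the '#Fields:' header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than guess
        yield dict(zip(fields, values))


def scan_log(lines):
    """Return one record per flagged request, in log order."""
    flagged = []
    for rec in parse_fields(lines):
        reasons = classify_request(rec["cs-uri-stem"])
        if reasons:
            flagged.append({
                "client": rec["c-ip"],
                "stem": rec["cs-uri-stem"],
                # A 200 means the server actually handed the file over.
                "served": rec["sc-status"] == "200",
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        state = "SERVED" if hit["served"] else "blocked/missing"
        print(f"{hit['client']} {hit['stem']} [{state}]: "
              + "; ".join(hit["reasons"]))
```

Run it as a script to print the flagged requests from the constructed excerpt, or import it and pass real log lines to scan_log. A flagged line with status 200 means the file was actually handed out, which is the case to respond to first. Detection only tells you that it happened; what actually closes the hole is keeping the database file outside the directories the web server serves, or refusing requests for it outright, rather than relying on the rename or the # prefix.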