How to Prevent Access Database downloads

Source: Internet
Author: User
Tags: ntfs permissions
I tried it with animator yesterday: I renamed the data.mdb file to data.asp and put it in the wwwroot directory. Then I entered the data.asp path in IE, and IE displayed a blank page. I right-clicked to view the source, which opened in Notepad, and saved the content as an .mdb file. When I opened it with Access, it asked for a password, which means that at least the file header was damaged.

Then I used FlashGet to download the data.asp file and saved it as data.mdb. The file opened intact in Access! So the programmers who thought during development that changing the .mdb suffix to .asp would prevent downloads were wrong! For an ASP + Access website, having the back-end database downloaded is undoubtedly a terrible disaster. I went through articles from various sources today and summarized the following nine methods to prevent the database from being downloaded (please add more).

1. Make full use of your imagination to modify the database file name

Needless to say, this is the laziest method, but if attackers obtain the database path by some means (for example, the attacker has obtained only list permission), they can still download the database and study it. In addition, data files are usually relatively large, so an obscure file name cannot conceal them. This method therefore offers the lowest confidentiality.

2. Change the database name suffix to ASA, ASP, etc.

This method must be combined with some settings; otherwise the situation described at the beginning of this article will occur.

(1) Add binary fields.

(2) When this is added to the file, IIS parses the file according to ASP syntax and then reports a 500 error, so the file naturally cannot be downloaded. However, in the database it will exist in the form of <%, which is invalid! The correct method is to store <% in an OLE object field, so that our goal can be achieved.

Operation method:

First, use Notepad to create a text file whose content is <%.

Next, open your database file in Access and create a new table with any name. Add an OLE object field to the table, add a record, and insert the text file created before. If the operation is correct, you will see a new record named "data packet". That is all.

3. Add "#" before the database name

You only need to add # in front of the database file name, and then modify the database address in the database connection file (such as conn.asp). The principle is that a download only recognizes the part of the address before the #. For example, when downloading http://www.pcdigest.com/date/#123.mdb (if it exists), both IE and FlashGet get http://www.test.com/date/index.htm (or index.asp, default.jsp, etc., whichever default document you have configured in IIS).

In addition, keeping some spaces in the database file name plays a similar role. Because of the way the HTTP protocol resolves addresses, a space is encoded as "%20": for http://www.test.com/date/123 456.mdb, the download requests http://www.test.com/date/123%20456.mdb. Our directory has no file named 123%20456.mdb, so the download is also invalid after such a modification, even if you expose the database address. In general, no one else can download it!

4. Encrypt the database

First, choose Tools > Security > Encrypt/Decrypt Database, select the database (e.g. employer.mdb), and confirm. A "Save Encrypted Database As" window then appears; save the file as employer1.mdb. employer.mdb is then encoded and stored as employer1.mdb. Note that these steps do not set a password on the database; they only encode the database file, to prevent others from using other tools to view the contents of the database file.

Next we encrypt the database. First, open the encoded employer1.mdb, selecting "exclusive" mode when you open it. Then choose Tools > Security > Set Database Password from the menu and enter the password. In this way, even if someone else gets the employer1.mdb file, they cannot see its contents without the password.

After encryption, the database connection page must be modified, for example:

Conn.Open "driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=DatabasePassword;dbq=DatabasePath"

After this modification, even if the database is downloaded, no one else can open it (provided that the password on your database connection page is not leaked).

However, it is worth noting that the Access database encryption mechanism is relatively simple, and decryption is easy even if a password is set. The database system creates an encryption string by comparing the password entered by the user with a fixed key, and stores it in the *.mdb file starting from address &H42. A good programmer can therefore easily write a small program of a few dozen lines to obtain the password of any Access database. So once the database has been downloaded, the security of its information is still uncertain.

5. Put the database outside the web directory, or put the database connection file in another virtual directory

If your web directory is e:\webroot, you can put the database in the e:\data folder and change the database connection address on the database connection page to the form "../data/database name". The database can then be called normally but cannot be downloaded, because it is not in the web directory! This method is generally not suitable for users who buy virtual hosting space.
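An audit for the point made in methods 1, 2 and 5, as an added example that is not part of the original article: it walks a web root and reports every file that carries the Jet/ACE header at byte offset 4, whatever its name or extension, so renamed databases left under wwwroot are found. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Jet (.mdb) and ACE (.accdb) files carry one of these markers at byte offset 4.
SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
NATIVE_EXTS = {".mdb", ".accdb"}


def is_access_database(path):
    """Return True if the file starts with a Jet/ACE database header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(19)
    except OSError:
        return False  # unreadable file: skipped here, review it separately
    return head[4:19] in SIGNATURES


def find_exposed_databases(web_root):
    """Return sorted (relative_path, disguised) pairs; disguised = not .mdb/.accdb."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_access_database(full):
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                ext = os.path.splitext(name)[1].lower()
                findings.append((rel, ext not in NATIVE_EXTS))
    return sorted(findings)


def build_sample_root():
    """Constructed sample tree; a fake Jet header is enough for the check."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    jet = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    os.makedirs(os.path.join(root, "data"))
    samples = {
        "data/data.asp": jet,      # method 2: database renamed to .asp
        "data/#db1.mdb": jet,      # method 3: '#' prefix, still an .mdb
        "index.asp": b'<% Response.Write "hi" %>',  # ordinary ASP page
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, disguised in find_exposed_databases(build_sample_root()):
        print("DISGUISED" if disguised else "NATIVE", rel)
```

Point `find_exposed_databases` at the real web root; an empty result is what method 5 aims for.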

6. Use ODBC data sources

In programming such as ASP, where conditions permit, use ODBC data sources whenever possible and do not write the database name in the program. Otherwise, the database name will be leaked together with the ASP source code when the source is leaked, for example:

DBPath = Server.MapPath("../123/abc/asfadf.mdb")

Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath

As you can see, even if the database name is strange and the directory is hidden deep, once the ASP source code is leaked the database can easily be downloaded. If you use an ODBC data source, you do not have this problem: conn.open "ODBC-DSN name". However, this is more of a nuisance: if the directory is moved, you have to set up the data source again. For more convenient ways, see methods 7 and 8!

7. Add an extension mapping for the database name extension, such as MDB

This method is implemented by modifying the IIS settings. It suits those who have control over IIS and does not suit users who buy virtual hosts (unless the administrator has already set it up). I think this method is the best at present. You only need to make one change for the database to be protected from download. You do not need to modify the code, and downloads are prevented even if the target address is exposed.

In IIS Properties > Home Directory > Configuration > Mappings > Application Extensions, add an application mapping for the .mdb file. Note that the DLL (or EXE) selected here does not seem to be arbitrary: with an unsuitable choice the MDB file can still be downloaded. Be sure not to select asp.dll. You can run several tests on your own. After the modification, an attempt to download the database returns an error (404 or 500).

8. Use the advantages of .NET

Wooden Bird on the Internet has written a tool that prevents illegal file downloads, the "WBAL anti-leech tool".

But that only prevents non-local downloads; it does not really prevent the database from being downloaded. However, this method is almost the same as method 5. You can modify the .NET file so that it covers local downloads as well!

Of these methods, only the 7th and 8th protect the database from download through a single unified change. The others require changing the database name and the connection file individually, which is troublesome, but for virtual hosting users this is the only option!

In fact, the 6th method should be regarded as an extension of the 5th method. It can implement special functions, but for hosts that do not support .NET, or if you fear that the setup is troublesome, simply use the 5th method directly. Also, by default, with the 6th method the link can still be copied and posted on a forum or message board on the same host, and then clicked to download (because the referring page is then from the same host).

9. Use NTFS file permission settings (by percyboy)

We already know that ASP.NET uses ADO.NET to access databases, and that it can access an Access database, a low-end database we often use, through an OleDb connection. This article discusses several error messages that may be seen in ASP.NET; database files show different error messages when an access error occurs. I hope it helps. Another key point is that this article should give you a new understanding of NTFS permission settings for Access database files used from ASP.NET.

(1) Experiment process

For convenience, take a concrete experiment: the application is /test, and the database is stored at D:\wwwroot\test\data\db1.mdb. We already know that ASP.NET accesses the database as the ASPNET virtual user. For ASP.NET programs to run normally, we need to grant this account specific NTFS permissions.

To arrive at the strictest NTFS permission settings, we give the program the lowest NTFS permissions at the start of the experiment:

A) On the D:\wwwroot\test\data\ folder, give the user ASPNET the following permissions:

Permission              Allow   Deny
Full Control            □       □
Modify                  □       □
Read & Execute          √       □
List Folder Contents    √       □
Read                    √       □
Write                   □       □

B) On the D:\wwwroot\test\data\db1.mdb file itself, give the user ASPNET the following permissions:

√ Allow inheritable permissions from the parent to propagate to this object

1.1 For an aspx program that contains only the "SELECT" command, the above permission settings cause no problems at run time; that is, the above permissions are already sufficient for such programs.

1.2 For aspx programs that contain commands such as "UPDATE" and "INSERT":

(A) If db1.mdb is a database created by Access 2000, the following error occurs:

Server error in the "/test" application.

The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It has been opened exclusively by another user or has no permission to view data.

Note: An unhandled exception occurs during the execution of the current Web request. Check the stack trace information for details about the error and the source of the error in the code.

Exception details: System.Data.OleDb.OleDbException: The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It has been opened exclusively by another user or has no permission to view data.

(B) If db1.mdb is a database created by Access XP, the following error occurs:

Server error in the "/test" application.

The operation must use an updatable query.

Note: An unhandled exception occurs during the execution of the current Web request. Check the stack trace information for details about the error and the source of the error in the code.

Exception details: System.Data.OleDb.OleDbException: The operation must use an updatable query.

(C) Preliminary analysis of the cause: commands such as "UPDATE" and "INSERT" perform write operations on the database file itself, so the above permissions cannot meet this requirement and we need to open the permissions further.

We relax some permissions:

A) The D:\wwwroot\test\data\ folder is unchanged;

B) On the D:\wwwroot\test\data\db1.mdb file itself, give the user ASPNET the following permissions:

Permission              Allow   Deny
Full Control            □       □
Modify                  □       □
Read & Execute          √       □
List Folder Contents    √       □
Read                    √       □
Write                   √       □

1.3 With the permissions opened, continue the experiment.

(A) If db1.mdb is a database created by Access 2000, the following error occurs:

Server error in the "/test" application.

The file cannot be locked.

Note: An unhandled exception occurs during the execution of the current Web request. Check the stack trace information for details about the error and the source of the error in the code.

Exception details: System.Data.OleDb.OleDbException: The file cannot be locked.

(B) If db1.mdb is a database created by Access XP.

(C) Preliminary analysis of the cause: we found that when the database is in use, a *.ldb file with the same name is generated at the same time in the directory where it is located; this is an Access lock marker. In view of this, we guess that when the user ASPNET accesses the Access database, it also needs to generate a lock marker, and the directory does not allow it to write, so an error occurs. For the database, the reason for this error is unknown.

For the original article, refer to the webmaster network.

We open the permissions further:

A) On the D:\wwwroot\test\data\ folder, give the user ASPNET the following permissions:

Permission              Allow   Deny
Full Control            □       □
Modify                  □       □
Read & Execute          √       □
List Folder Contents    √       □
Read                    √       □
Write                   √       □

B) On the D:\wwwroot\test\data\db1.mdb file itself, give the user ASPNET the following permissions:

√ Allow inheritable permissions from the parent to propagate to this object

1.4 Continuing the experiment, we find that the error has been resolved. The above permissions are the "minimum permissions" we need to grant.

(A) If db1.mdb is a database created by Access 2000, we find a small problem: the generated *.ldb file is not deleted automatically and still exists after access, but this problem does not affect the normal operation of ASP.NET.

(B) If db1.mdb is a database created by Access XP.

(C) Preliminary analysis of the cause: we only gave ASPNET permission to write to the folder, not permission to modify it. Therefore, once a file has been written, its content cannot be modified and the *.ldb file cannot be deleted.

If you have to solve this problem, you can open the permissions further:

A) On the D:\wwwroot\test\data\ folder, give the user ASPNET the following permissions:

Permission              Allow   Deny
Full Control            □       □
Modify                  √       □
Read & Execute          √       □
List Folder Contents    √       □
Read                    √       □
Write                   √       □

B) On the D:\wwwroot\test\data\db1.mdb file itself, give the user ASPNET the following permissions:

√ Allow inheritable permissions from the parent to propagate to this object

1.5 The experiment also included another case: we open and edit db1.mdb in Access while accessing it from ASP.NET at the same time.

(A) If db1.mdb is a database created by Access 2000, we found that there was no problem.

(B) If db1.mdb is a database created by Access XP, the following error occurs:
