How to prevent downloading technology by changing MDB to ASP

Download

Introduction: Yesterday and animator test a bit, the Data.mdb file renamed data.asp file in the Wwwroot directory. Then in IE input data.asp path, found that IE shows a blank, right key-> view source file, out of Notepad, the content saved as an. mdb file, opened with access, found that a password was required, that is, at least the file header was corrupted. Then use the FlashGet test to download the data.asp file, and save as a Data.mdb file, found to open with access is intact! It seems that a good number of programmers in the development of the time to think that the MDB suffix to the ASP can be downloaded to prevent the concept of the wrong! The background database is downloaded for a asp+a ccess site is undoubtedly a tragic disaster.

1, play your imagination modify the database file name

Needless to say, this is the most lazy way, but if the attacker through a third-party access to the database path, the game is over. For example, the attacker would have only access to the list right, the result of unexpectedly see the database path, can be sounding the database to download back to study. In addition, the data files are usually large size, and then hidden file names can not deceive people. So confidentiality is the lowest.

2, the database name suffix changed to ASA, ASP, etc.

This method should be in conjunction with some settings, or else it will appear at the beginning of this article

(1) Binary field add (this recruit I have not yet refined)

(2) In this file, IIS will be parsed according to ASP syntax, and then will report 500 errors, nature can not download. But if it's simply a matter of adding <% to the text or Memo field in the database, it won't work, because access will handle the contents of it, and in the database he will be in the form of <, invalid! The correct approach is to save the <% into the OLE Object field so that our purpose is achieved.

Action method:

First of all, use Notepad to create a new content for <% text file, a name to archive.
Next, open your database file with access, create a new table, name it, add an OLE object's field to the table, add a record, insert the previously created text file, and, if it is correct, you should be able to see a newer record named "Packet". Can.

3, the database name before adding "#"

Just add the first name of the database file to the #, and then modify the database address in the database connection file (such as conn.asp). The principle is that the download can only identify & nbsp, #号前名的部分, for the back of the automatic removal, such as you want to download:http://www.****.com/date/123.mdb (if present). Whether it's IE or flashget, it's all down.Http://www.*****.com/datE/index.htm (index.asp, default.jsp etc you set up in IIS homepage document)

In addition, in the database file name to retain a number of spaces also play a similar role, because the HTTP protocol to address the specificity of resolution, the space will be encoded as "%", such as http://www.test.com/date/123 456.mdb, download the timehttp://www.Test.com/date/123%456.mdb. And our directory is not 123%456.mdb this file, so the download is invalid such modifications, even if you expose the database address, under normal circumstances, others are also unable to download!

4. Encrypt the database

First in the selection tool-> security-> encryption/decryption database, select the database (such as: Employer.mdb), and then determine, then the "Database encryption Save as" window, Save as: Employer1.mdb. Then the employer.mdb will be encoded and stored as employer1.mdb. Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view the contents of the database file.

Next we encrypt the database, first by opening the encoded Employer1.mdb, and when we open it, select "Exclusive" mode. Then select the "Tools-> security-> settings Database Password",& nbsp in the menu, and then enter your password. So even if someone gets the Employer1.mdb file, he can't see Employer1.mdb without a password.

To modify the database Connection page after encryption, such as:
Conn.Open "Driver={microsoft access DRIVER&NB sp; (*.mdb)};uid=admin;pwd= database password; dbq= database path"

After this modification, the database can not be opened even if it is downloaded (provided that the password on your database connection page is not compromised).

However, it is noteworthy that, because the Access database encryption mechanism is relatively simple, even if the password is set, decryption is easy. The database system forms an encrypted string by "XOR" the password entered by the user with a fixed key and stores it in the area where the *.mdb file starts at the address "&h42". So a good programmer can easily make a dozens of-line applet to get the password of any Access database easily. Therefore, as long as the database is downloaded, its information security is still unknown.

5. The database is placed outside the Web directory or the database connection file is placed under another virtual directory

If your web directory is e:\webroot, you can put the database into the E:\data folder, in the E:\webroot database Connection page to modify the database connection address is: ". /data/database name ", so that the database can be called normally, but cannot be downloaded because it is not in the Web directory! This method is generally not suitable for users who buy virtual space.