The importance of a website's database goes without saying: all of the site's data is stored in it.
Sohu, 163 and Yahoo are large portal sites that the public visits constantly, and the search engines these sites provide are among their most popular services. Those same search engines, however, open a door for attackers: by querying a search engine, an attacker can easily locate a website's database, recover the administrator account and password stored in it, and from there control administration of the entire site. Confidential records in the database that only administrators should be able to view are leaked in the process.
The process of breaking into a website through a search engine is in fact very simple, and once you understand how the intrusion works, the countermeasure becomes clear. So what are the specific preventive measures?
First, look at a piece of code the way an intruder would:
<%
connstr = "DBQ=" + Server.MapPath("data/data.mdb") + ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connstr
%>
The above is a piece of ASP code that opens the database. The expression server.mappath("data/data.mdb") sets the database location, so it is not hard to see that this website's database is the file data.mdb in the data directory.
Many large websites' search engines offer a powerful feature: searching web pages that were never submitted to the engine. Using this feature, we can search for the string "server.mappath". A result looks like this:
[Untitled document]
...... = "+ Server.MapPath("../up/mucal/calp.mdb") + ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set conn = ......
-(URL: omitted)
This way you get a great many results containing database-location information, but the results contain a lot of noise and the scope is far too wide. What if you only want the code of one particular website? That is also simple: a search engine usually supports multi-keyword queries, where you only need to put a "+" between the two keywords. For example, to find all pages about network security on the Computer World website, you would enter "Computer World + network security" in the search engine. The same method solves the problem above. If you want to obtain the database of a particular program, say one named "Mavericks Lake", you search for "Mavericks Lake + server.mappath" and get a result like the following:
[Mavericks]
...... = "+ Server.MapPath("../xajh/data/mycalf.mdb") + ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set conn = ......
-(Website: www.mycalf.com/xajh/index.asp)
Here the database location of this program is clear at a glance: /xajh/data/mycalf.mdb. The next step is to download the database and open it in the corresponding database software to read its contents. The same weakness can also be exploited to obtain the MS SQL Server password, and from there to go further and manage the other party's entire server.
Every spear has its shield. There are many ways to deal with search engines being used to obtain the website database; one of the most effective is to hide this statement, placing it in a separate file that the other files call in order to connect to the database.
First, create an ASP file with the following content:
<%
connstr = "DBQ=" + Server.MapPath("data/data.mdb") + ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connstr
%>
Name this file dbconn.asp, for example. Then, in every ASP file that needs to call the database, you only need to add
<!-- #include file="dbconn.asp" -->
to call the database. In this way the call segment is hidden, and the problem of others using a search engine to obtain the website database is solved.
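As an added defender-side example (not code from the original article), the following Python script audits a web root for the pattern described above: it finds every ASP page that still embeds an Access DBQ= connection string built with Server.MapPath and reports whether the referenced .mdb resolves inside the web root, where it can be fetched by URL. The sample pages, file names and paths it scans are constructed here for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample pages (added example, not from the article). INLINE_DSN_ASP is the
# pattern the article warns about; DBCONN_ASP is the include file it recommends, here
# pointing at a database placed outside the web root (assumes the server permits that path).
INLINE_DSN_ASP = '''<%
connstr = "DBQ=" + Server.MapPath("data/data.mdb") + ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connstr
%>'''
DBCONN_ASP = '''<%
connstr = "DBQ=" + Server.MapPath("../secure/site.mdb") + ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set conn = Server.CreateObject("ADODB.Connection")
%>'''
PAGE_WITH_INCLUDE = '<!-- #include file="dbconn.asp" -->\n<% conn.Open connstr %>'

# The same token the article's search uses, applied here to audit our own source tree.
MAPPATH_MDB = re.compile(r'Server\.MapPath\s*\(\s*"([^"]+\.mdb)"\s*\)', re.IGNORECASE)

def scan_webroot(webroot):
    """List (asp file, .mdb argument, exposed) for every inline Access DSN under webroot.
    exposed is True when the .mdb resolves inside the web root, i.e. it can be fetched
    by URL regardless of whether the connection string sits in a page or an include."""
    root = Path(webroot).resolve()
    findings = []
    for asp in sorted(root.rglob("*.asp")):
        text = asp.read_text(errors="ignore")
        if "dbq=" not in text.lower().replace(" ", ""):
            continue  # no inline Access DSN in this file
        for m in MAPPATH_MDB.finditer(text):
            mdb = (asp.parent / m.group(1)).resolve()  # MapPath is relative to the page
            exposed = mdb == root or root in mdb.parents
            findings.append((asp.relative_to(root).as_posix(), m.group(1), exposed))
    return findings

def build_sample_site():
    """Write the constructed pages into a throwaway web root and return its path."""
    root = Path(tempfile.mkdtemp())
    (root / "data").mkdir()
    (root / "data" / "data.mdb").write_bytes(b"")  # stand-in for the real database
    (root / "index.asp").write_text(INLINE_DSN_ASP)
    (root / "dbconn.asp").write_text(DBCONN_ASP)
    (root / "list.asp").write_text(PAGE_WITH_INCLUDE)
    return root

if __name__ == "__main__":
    for page, mdb, exposed in scan_webroot(build_sample_site()):
        print(f"{page}: {mdb} -> {'EXPOSED under web root' if exposed else 'outside web root'}")
```

The include file keeps the connection string out of the individual pages, but the scan also shows that a database left under the web root stays fetchable by URL, so the .mdb itself should be moved out of the web root or blocked as well.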