The number one killer among script vulnerabilities, the database download vulnerability, is now well known to more and more people. Because information technology moves quickly, each loophole is soon followed by coping strategies, such as changing the database's file suffix or modifying the database's name. Many people think this is enough to solve the problem, but it often is not: even with these changes, the site will not escape attack by a skilled attacker. We therefore need to understand some of the attack methods in order to improve our own security skills.
1. Forced download of database files with an ASP or ASA suffix
To save time, most network administrators build the site's article system, forum and other programs by downloading someone else's source code and using it after partial modification. Many ASP source programs now ship with the database suffix changed from the original MDB to ASP or ASA. This was once a good measure, but with information spreading so widely, the old method works only for a limited time. For database files with an ASP or ASA suffix, an attacker who knows where they are stored can easily download them with download software such as Thunder. Figure 1 shows the author using Thunder to download the database file (note that the database suffix is ASP).
Figure 1
2. The fatal symbol: #
Many network administrators think that adding a # in front of the database name prevents the database from being downloaded. Yes, I also thought IE was unable to download a file with a # in its name (IE automatically ignores the content after the #). But, as the saying goes, what makes a thing can also break it: we forget that web pages can be accessed not only through the usual methods, but also by using IE's encoding techniques.
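A defender's check for both points above, as an added example that is not from the original article: a Python audit that finds Access databases inside a web root by their file signature rather than by name, so a file renamed to ASP or ASA, or one with a # in its name, is still reported. The function names and the sample tree are constructed for illustration; the check assumes the Jet/ACE signature string at byte offset 4 of the file.

```python
import os
import tempfile

# Access/Jet files carry this signature at byte offset 4, whatever the file is named.
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")

def is_access_database(path):
    """Return True if the file content is a Jet/ACE database, regardless of extension."""
    with open(path, "rb") as fh:
        header = fh.read(32)
    return any(header[4:4 + len(sig)] == sig for sig in JET_SIGNATURES)

def audit_webroot(webroot):
    """Walk the web root and report database files that the web server can reach."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if not is_access_database(full):
                continue
            ext = os.path.splitext(name)[1].lower()
            notes = []
            if ext in (".asp", ".asa"):
                notes.append("renamed to a script extension")
            if "#" in name:
                notes.append("relies on '#' in the file name")
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            findings.append((rel, notes))
    return sorted(findings)

def build_sample_webroot(root):
    """Constructed sample tree: two disguised databases and one genuine ASP page."""
    jet = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    os.makedirs(os.path.join(root, "data"))
    samples = {
        "data/forum.asp": jet,
        "data/#news.mdb": jet,
        "index.asp": b'<% Response.Write("hi") %>',
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for rel, notes in audit_webroot(tmp):
            print(rel, "->", "; ".join(notes) or "database inside web root")
```

Any file this reports is a candidate for moving outside the web root, since neither the suffix nor the name keeps it from being served.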