What does a database mean for a website? Many webmasters would say it is just a tool for recording data. That is true, but it misses an important point: the database is also the center of a website's security. Once the database has been stolen, the website's data and users' private information are exposed, the website is compromised, and the security of the entire server is affected. Because many webmasters lack sufficient awareness of database security, many security problems arise. This article explains how important the database is to a website and how to build an impregnable wall around it.
I. How databases are obtained
The importance of the database to a website is self-evident. How, then, do hackers obtain website databases?
1. Default database path
Many webmasters build their websites or forums with off-the-shelf whole-site programs, which creates a serious security risk: the default database path. Although the documentation of these programs prompts you to change the default database path, some webmasters with low security awareness never do. A hacker who appends the default database path to the website's address can then download the database with ease.
2. Exposing the database path through error messages
What is "database exposure" (often rendered as "brute-force database")? Simply put, a specially constructed address makes the website program throw an error, and the database path is read from the error message. Database exposure is not an advanced technique, but it finds the database path quickly and has a high success rate. It first requires an IE setting: run IE, open the "Tools" menu > "Internet Options", switch to the "Advanced" tab, clear the check box before "Show friendly HTTP error messages" and save. The browser then returns the actual error information instead of processed messages such as 505 and 405 errors. Next, find a program with a database-exposure vulnerability, for example an early version of "Dynamic Article System". Open any page of that system, replace the last "/" in the page address shown in the IE address bar with "%5c", and press Enter; if the vulnerability exists, the database path is displayed immediately.
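From the defender's side, both of the techniques described so far leave a clear trace in the web server log: a request whose path contains "%5c" followed by a server error, and a request for the database file itself. The script below is an added example, not code from the original article, that runs that detection logic over a few constructed IIS-style (W3C format) log lines. The field order in FIELDS is an assumption about one server's logging configuration; check the "#Fields:" header of your own logs before reusing it.

```python
"""Detection logic for the probes described in sections 1 and 2, run over
sample IIS log lines. Added example, not code from the original article.
The log excerpt is constructed; the field order in FIELDS is an assumption
about one server's W3C logging configuration.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Assumed field order, matching the constructed "#Fields:" header below.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "sc-status"]

# Constructed sample log: one benign visitor, and one client that first
# triggers a server error with a "%5c" path and then fetches the database.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-03-01 10:00:01 203.0.113.5 GET /index.asp - 200
2009-03-01 10:00:07 203.0.113.5 GET /article/%5cshow.asp id=12 500
2009-03-01 10:00:15 203.0.113.5 GET /data/data.mdb - 200
2009-03-01 10:01:02 192.0.2.77 GET /about.asp - 200
"""

DB_EXT = re.compile(r"\.(mdb|accdb)$", re.IGNORECASE)


def parse_line(line: str) -> dict[str, str] | None:
    """Split one W3C log line into a field dict; None if the shape is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry: dict[str, str]) -> list[str]:
    """Return the reasons one request looks like a database-exposure attempt."""
    decoded = unquote(entry["cs-uri-stem"])   # "%5c" becomes "\"
    status = entry["sc-status"]
    reasons = []
    # A backslash in the path followed by a 5xx is the error-disclosure probe
    # from section 2: the program failed, and a verbose error page may have
    # leaked the physical database path.
    if "\\" in decoded and status.startswith("5"):
        reasons.append("backslash-path-server-error")
    # A request for the database file itself (section 1); a 200 means the
    # server actually handed the file over.
    if DB_EXT.search(decoded):
        reasons.append("direct-database-request")
        if status == "200":
            reasons.append("database-served")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Run classify() over every data line; return the alerts in log order."""
    alerts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append({"ip": entry["c-ip"],
                           "path": entry["cs-uri-stem"],
                           "status": entry["sc-status"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The "database-served" reason is the one that matters most: a 404 on a .mdb path is a probe, while a 200 means the file left the server and the incident is already a data breach. Decoding the path before matching also catches variants such as "%5C" or double-encoded backslashes that a plain substring match on "%5c" would miss.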
3. Anti-download settings that are not strict enough
Setting program flaws aside, a large share of database downloads are caused by human factors. Some webmasters have realized the importance of the database and, although they have not changed the default path, have changed the default database suffix "mdb" to "asp". Then, even if someone knows the database path, the file cannot be downloaded through a browser; instead its content is displayed directly on the page, as garbled text of course. But although it cannot be downloaded in a browser, a dedicated download tool can still fetch the database, or the whole content of the page can be copied into a text document whose suffix is then changed to "mdb".
Another case is that the webmaster adds a "#" to the database file name. For example, if the original database name is 123.mdb, adding the "#" turns it into #123.mdb. When we then enter "http://www.***.com/#123.mdb", the database cannot be downloaded; instead the browser reports "The web page cannot be found". This is because the browser's encoding rules turn the "#" into "%23" by default, so the address becomes a different web address, from which of course the database cannot be downloaded. But what if we turn this around and type "%23" in place of the "#" in the URL ourselves: can the database then be downloaded correctly?
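The common thread in sections 1 and 3 is that renaming a database, or hiding it behind an unusual character, does not take it out of the web server's document tree. The audit script below is an added example, not code from the original article or from any of the site programs mentioned: it walks a web root and reports every Access database it finds, detecting them by the file header rather than the extension, so a database renamed to ".asp" is still found. DEFAULT_PATHS and the demo files are constructed for the example; extend the path list with the defaults your own site program's documentation names.

```python
"""Audit a web root for Access databases a browser could still fetch.

Added example, not code from the original article. It checks the three
weaknesses described in sections 1 and 3: a database left at a well-known
default path, a database merely renamed to another suffix such as .asp, and
a "#" in the file name. DEFAULT_PATHS and the demo files are constructed.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Header signatures: bytes 4..19 of an Access file, regardless of its suffix.
ACCESS_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
DB_SUFFIXES = {".mdb", ".accdb"}
# Constructed list of typical default locations (relative to the web root).
DEFAULT_PATHS = {"data/data.mdb", "database/data.mdb", "db/db.mdb"}


def looks_like_access_db(path: Path) -> bool:
    """Detect an Access database by its header rather than its extension."""
    try:
        with path.open("rb") as f:
            header = f.read(19)
    except OSError:
        return False
    return header[4:19] in ACCESS_SIGNATURES


def audit_webroot(root: str | Path) -> dict[str, list[str]]:
    """Map each database found under the web root to its list of issues."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        is_db = looks_like_access_db(path)
        suffix = path.suffix.lower()
        if not is_db and suffix not in DB_SUFFIXES:
            continue                      # ordinary page or asset
        rel = path.relative_to(root).as_posix()
        issues = []
        if rel.lower() in DEFAULT_PATHS:
            issues.append("default-path")
        if is_db and suffix not in DB_SUFFIXES:
            issues.append("renamed-not-moved")   # e.g. site.asp that is really an .mdb
        if "#" in path.name:
            issues.append("hash-in-name")
        # Any database reachable under the web root is a finding: the fix is
        # to move it outside the document tree, not to rename it.
        issues.append("reachable-under-webroot")
        findings[rel] = issues
    return findings


def build_demo_webroot() -> Path:
    """Create a throwaway web root with constructed files for the demo."""
    fake_db = b"\x00\x01\x00\x00" + b"Standard Jet DB\x00" + b"\x00" * 80
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "data").mkdir()
    (root / "index.asp").write_text("<% Response.Write \"hello\" %>")
    (root / "data" / "data.mdb").write_bytes(fake_db)   # left at default path
    (root / "data" / "site.asp").write_bytes(fake_db)   # renamed, not moved
    (root / "data" / "#123.mdb").write_bytes(fake_db)   # the "#" trick
    return root


if __name__ == "__main__":
    for file, issues in sorted(audit_webroot(build_demo_webroot()).items()):
        print(f"{file}: {', '.join(issues)}")
```

Every hit carries "reachable-under-webroot" on purpose: the only setting that actually closes the problem is storing the database outside the directory the web server publishes, with the site program pointed at the new location, so that no URL maps to the file at all.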