A Brief Discussion of Database Download Attack and Defense

Source: Internet
Author: User

I have read many articles on the Internet about the contest between people who try to download a site's database and those who try to stop them, and there is a great deal of material out there. Below are several methods for preventing database downloads. Some of them can be defeated through vulnerabilities and some are merely tricks, but the administrator-side methods are quite good!

1: Use your imagination when naming the database file
This is the most basic measure. I doubt there are many people so lazy that they will not even change the database file name. As for what to change it to, at least make sure the name is complex and cannot be guessed. And of course, do not enable directory browsing on the directory where your database is located!
This kind of renaming becomes useless as soon as the database address is exposed. However, if directory browsing is not enabled on the directory where the database lives, the database presumably cannot be found and downloaded. I have not tested this and dare not say for certain; tell me if you know more.

2: Change the database file extension to .asa, .asp, etc.
I have heard that this is very popular, but after testing it many times I found it not ideal. If you really want to prevent downloading this way, you also need to add binary fields and make other settings. In one sentence: complicated (and if you have many databases, this method is not very practical).

Since the above method is impractical and easy to defeat, I will not say more about it.

3: Add "#" before the database file name
You only need to add # to the front of the database file name, and then modify the database address in the database connection file (for example conn.asp). The principle is that the downloading side only recognizes the part of the name before the #, and everything from the # onward is automatically stripped. For example, if you try to download http://www.pcdigest.com/date/#123.mdb (if such a file exists), both IE and FlashGet will actually fetch http://www.pcdigest.com/date/index.htm (or index.asp, default.jsp, etc., depending on the default documents configured in your IIS settings).
In addition, leaving some spaces in the database file name has a similar effect. Because of the way the HTTP protocol resolves addresses, a space is encoded as "%", so for http://www.pcdigest.com/date/123 456.mdb the download request becomes http://www.pcdigest.com/date/123%456.mdb. Our directory does not contain a file named 123%456.mdb at all, so the download fails as well. After such a modification, even if the database address is exposed, it is generally impossible for others to download it!

On adding "#" to the name: although the # is treated as an anchor during URL parsing and the system reports that the file cannot be found, FlashGet can still download it, and others can use %23 in place of # to download. However, in my own practice I used %23 and still could not download it. I am no expert here; presumably my host had already dealt with it, or perhaps others know!

4: Encrypt the database
Open your database in Access in exclusive mode, then go to Tools -> Security -> Set Database Password. After encrypting, modify the database connection page, for example:
Conn.Open "driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=DatabasePassword;dbq=DatabasePath"
After this modification, even if the database is downloaded, others cannot open it (provided the password in your database connection page has not leaked).
However, it is worth noting that the encryption mechanism of the Access database is fairly simple, and it is easy to break even when a password is set. The database system creates an encryption string and stores the password the user entered in the *.mdb file starting at address &H42. So a good programmer can easily write a small program of a few dozen lines to obtain the password of any Access database. Therefore, once the database has been downloaded, the security of its contents is no longer guaranteed.
This really is the case: I set a password on my local machine and it was easy to crack. The security of this method is very low, and the password in the database connection page leaks easily!

5. Store the database outside the web directory
If your web directory is e:\webroot, you can put the database in the e:\data folder and change the database connection address to "../data/DatabaseName". The database can then be used normally but cannot be downloaded, because it is not inside the web directory! This method is generally not applicable to users who rent virtual hosting space.

This method is rather loose.

6. Use an ODBC data source
In ASP and similar programming, use an ODBC data source where conditions allow, and do not write the database name in the program. Otherwise, if the ASP source code is leaked, the database name will be leaked along with the password. For example: DBPath = Server.MapPath("../123/abc/asfadf.mdb")
Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
You can see that no matter how strange the database name is or how deep the hidden directory goes, once the ASP source code is leaked the database is easily downloaded. If you use an ODBC data source you do not have this problem: Conn.Open "ODBC-DSN name". But this is more troublesome: if the directory is moved, you have to set up the data source again. For a more convenient way, see methods 7 and 8!
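As an added example (not code from the article), the following Python script audits classic-ASP connection files the way methods 5 and 6 recommend: it extracts the Access file path each one opens, resolves Server.MapPath relative paths against the calling file's directory, and flags any database that sits under the e:\webroot web root the article uses, while a DSN-only connection needs no path check. The three connection files and their contents are constructed for this example.

```python
import ntpath
import re
from typing import Optional

# Web root layout from the article (e:\webroot); the connection files
# and their contents below are constructed for this example.
WEB_ROOT = r"e:\webroot"
CONN_FILES = {
    r"e:\webroot\inc\conn.asp":
        r'Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=e:\webroot\date\123.mdb"',
    r"e:\webroot\conn.asp":
        r'DBPath = Server.MapPath("../data/abc.mdb")',
    r"e:\webroot\blog\conn.asp":
        r'Conn.Open "DSN=sitedb;uid=admin;pwd=hypothetical"',
}

DBQ_RE = re.compile(r'dbq\s*=\s*([^;"]+)', re.IGNORECASE)
MAPPATH_RE = re.compile(r'Server\.MapPath\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)


def database_path(conn_file: str, source: str) -> Optional[str]:
    """On-disk path of the Access file a connection file opens.
    Returns None when the source names only an ODBC DSN (method 6):
    no path is present in the ASP source, so none can leak with it."""
    m = DBQ_RE.search(source)
    if m:
        return ntpath.normpath(m.group(1).strip())
    m = MAPPATH_RE.search(source)
    if m:
        # Server.MapPath resolves relative to the calling ASP file's directory.
        rel = m.group(1).replace("/", "\\")
        return ntpath.normpath(ntpath.join(ntpath.dirname(conn_file), rel))
    return None


def inside_web_root(path: str, web_root: str = WEB_ROOT) -> bool:
    """True if `path` lies under the web root and is therefore reachable by URL."""
    root = ntpath.normcase(ntpath.normpath(web_root)) + "\\"
    return ntpath.normcase(path).startswith(root)


def audit(conn_files=CONN_FILES, web_root=WEB_ROOT):
    """Map each connection file to a one-line finding."""
    report = {}
    for conn_file, source in conn_files.items():
        db = database_path(conn_file, source)
        if db is None:
            report[conn_file] = "ok: ODBC DSN, no database path in the ASP source"
        elif inside_web_root(db, web_root):
            report[conn_file] = f"risk: {db} is inside the web root and can be requested by URL"
        else:
            report[conn_file] = f"ok: {db} is outside the web root"
    return report
```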

7. Add an application mapping for database extensions such as .mdb
This method is implemented by modifying IIS settings. It is suitable for those who have control over IIS and not for users who rent virtual hosts (unless the administrator has already set it up). I think this is currently the best method: with one change, every database on the site is protected from downloading, no code needs to be modified, and even if the target address is exposed the file cannot be downloaded.
In IIS Properties -> Home Directory -> Configuration -> Mappings -> Application Extensions, add an application mapping for the .mdb extension. Note that the DLL (or EXE) chosen here does not seem to be arbitrary; if you choose improperly, the .mdb file can still be downloaded. You are advised not to select asp.dll. You can run several tests yourself.
After this, a request to download the database, such as http://192.168.1.5/HaoBbs/data/dvbbs6.mdb, returns a 404 or 500 error.
A very good method.
8: Take advantage of .NET
Muniao ("wooden bird") on the Internet wrote a "WBAL anti-leech tool" to prevent illegal file downloads; see http://www.9seek.com/WBAL.
However, it only prevents non-local downloads and does not provide real anti-download protection. In effect this method is almost the same as method 5, and by modifying the .NET file a local download can still be achieved!

Of these methods, only 7 and 8 are applied uniformly: after one configuration change, every database on the site is protected from downloading. The other methods require modifying each database name and connection file separately, which is troublesome, but that is the only option for virtual-host users!

In fact, method 6 should be an extension of method 5 that can implement special functions, but hosts that do not support .NET, or people who fear the trouble of setting it up, still use method 5 directly. By default, method 6 can still be circumvented: copy the link and post it in a forum or guestbook on the same host, then click it to download (because the referring page comes from the same host).

Each of these methods has its strengths and weaknesses; choose as you see fit. None of them is absolutely secure. Website administrators also need to pay attention to system security and write their ASP/ASP.NET/JSP code carefully. Otherwise the database may still be downloaded or modified!

In addition, a friend on Blue Ideal made a good point: "I think a better way is to change the database name to one containing %, and then change the extension to .asp, for example s34s%50cc.asp. Whether you download with IE or with a download tool, the %50 will be parsed into the uppercase letter P, i.e. s34sPcc.asp. So even if he knows the name and path of your database, he will still be told the file cannot be found.
To make it even better, put a file named s34sPcc.asp on the site and let him download that; it is useless to him. This method is really clever and cannot be defeated!" In the past, someone wrote a "nodown" table containing <% in an OLE object and renamed the file to .asp, so that a parsing error occurred and downloads were prevented. But it seems that method is also vulnerable!
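The following Python script is an added example (not from the article or its commenters) that works through the URL-parsing argument behind method 3 and the Blue Ideal tip above: it computes the path a web server actually receives for a request (the client drops everything from "#" on, and the server percent-decodes the rest) and checks whether that path still maps onto the renamed database file. The file names and the pcdigest.com base URL are the article's own; the helper names are mine.

```python
from urllib.parse import urlsplit, unquote

# Obfuscated file names from the article: "#123.mdb" (method 3) and
# "s34s%50cc.asp" (the Blue Ideal tip). The base URL is the article's own.
BASE = "http://www.pcdigest.com/date/"


def server_side_path(url: str) -> str:
    """Path the server receives when a browser fetches `url`: the client drops
    everything from '#' on (a fragment is never sent), and the server
    percent-decodes what remains before mapping it onto the file system."""
    return unquote(urlsplit(url).path)


def requested_file(url: str) -> str:
    """File name the server looks for; empty means the directory's default document."""
    return server_side_path(url).rsplit("/", 1)[-1]


def serves_database(filename_on_disk: str, url: str) -> bool:
    """True when the request for `url` actually maps onto the renamed database file."""
    return requested_file(url) == filename_on_disk


def check_obfuscations():
    """Work through the article's cases; returns {description: downloadable?}."""
    return {
        # '#' is stripped client-side, so the request is for /date/ (default document)
        "hash in name, typed as-is": serves_database("#123.mdb", BASE + "#123.mdb"),
        # the caveat the article mentions: %23 survives to the server and decodes to '#'
        "hash in name, requested as %23": serves_database("#123.mdb", BASE + "%23123.mdb"),
        # %50 decodes to 'P', so the server looks for s34sPcc.asp, which does not exist
        "percent in name, typed as-is": serves_database("s34s%50cc.asp", BASE + "s34s%50cc.asp"),
    }


if __name__ == "__main__":
    for case, downloadable in check_obfuscations().items():
        print(f"{case}: {'DOWNLOADABLE' if downloadable else 'blocked'}")
    # the decoy file name the tip suggests placing on the site
    print("decoy to place:", requested_file(BASE + "s34s%50cc.asp"))
```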

In short, the database is a critical asset. In the contest between attack and defense, careful thinking is the key.
