Databases are the foundation of website operation and essential to a website's survival; both individual and enterprise users depend heavily on them. However, many malicious attackers also "value" website databases. For personal websites, the Access database has become the first choice of most individual webmasters.
Databases are the foundation of website operation and an essential element of a website's survival. Whether individual or enterprise, users are very dependent on the website database. However, many malicious attackers equally "value" the website database.
For individual websites, the Access database has become the preferred choice of most individual webmasters. However, Access databases have many hidden security risks. Once an attacker finds the storage path and file name of the database file, the Access database file with the ".mdb" suffix will be downloaded, and a lot of the website's important information will be exposed at a glance, which is terrible. Of course, you may have adopted various measures to strengthen the security of your Access database file, but do they really work?
Vulnerability Protection Measures
The most widely used protection measure for Access database files is to change the database file suffix from ".mdb" to ".asp" and then modify the database address in the database connection file (such as conn.asp), so that even if others know the database file name and storage location, they cannot download it.
This is the most popular method on the Internet for enhancing Access database security, and it comes with a powerful "theoretical basis".
The reasoning is that ".mdb" files are not processed by the IIS server but are output directly to the Web browser, whereas ".asp" files are processed by the IIS server, and the Web browser displays the processing result, not the content of the ASP file.
However, this ignores a very important issue: what exactly the IIS server processes in an ASP document. Only the content between the "<%" and "%>" marks in an ASP file is processed by the IIS server; all other content is output directly to the Web browser. Does your database file contain these special identifiers? Even if it does, Access may perform special processing on the "<%" and "%>" identifiers in the document to make them invalid. Therefore, a database file with the ".asp" suffix is not secure and can still be maliciously downloaded.
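As an added example (not part of the original article), the following Python audit checks the question raised above for your own site: does a database file carrying a ".asp" or ".mdb" suffix actually contain any "<%" ... "%>" block? The Jet signature check, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: Jet 3/4 .mdb files carry this signature at byte offset 4.
JET_MAGIC = b"Standard Jet DB"
# An ASP script block: the only part of a .asp file that IIS interprets.
ASP_BLOCK = re.compile(rb"<%.*?%>", re.DOTALL)


def is_jet_database(data: bytes) -> bool:
    return data[4:4 + len(JET_MAGIC)] == JET_MAGIC


def classify(data: bytes) -> str:
    """Describe what a file's bytes are, regardless of its suffix."""
    if not is_jet_database(data):
        return "not-a-database"
    if ASP_BLOCK.search(data):
        return "database-with-script-block"
    # No delimiters at all: nothing for the ASP engine to interpret.
    return "database-served-verbatim"


def audit(webroot: str) -> dict:
    """Map each .asp/.mdb file under webroot (relative path) to its class."""
    findings = {}
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith((".asp", ".mdb")):
                path = os.path.join(folder, name)
                with open(path, "rb") as handle:
                    findings[os.path.relpath(path, webroot)] = classify(handle.read())
    return findings


def build_sample_webroot() -> str:
    """Constructed sample: a fake Jet header plus filler, and one real ASP page."""
    root = tempfile.mkdtemp()
    fake_db = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 64 + b"admin|secret"
    samples = {"data.asp": fake_db, "data.mdb": fake_db,
               "conn.asp": b'<% Set conn = Server.CreateObject("ADODB.Connection") %>'}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as handle:
            handle.write(content)
    return root


if __name__ == "__main__":
    for path, verdict in sorted(audit(build_sample_webroot()).items()):
        print(f"{path}: {verdict}")
```

Any file reported as "database-served-verbatim" under a web-served suffix is a database sitting inside the web root and should be moved out of it.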