Security of data security. mdb database

Source: Internet
Author: User
Keywords Data security MDB database
What is an MDB database? Any network administrator who has a bit of experience in making Web sites knows that the "iis+asp+access" combination is the most popular way to build a website, and most small and medium Internet sites use the "package", but the attendant security issues are becoming more pronounced. The most easily exploited by attackers is the MDB database being illegally downloaded. The MDB database is not secure, so long as the intruder guesses or scans the path to the MDB database, it is easy to download it to the local hard drive using the download tool, combined with brute force cracking tools or some super crack tools to easily view the contents of the database file inside. Corporate privacy and employee passwords are never safe. Is there no way we can enhance the security of the MDB database? Does it bother SQL Server or Oracle even if we have a little bit of data? The answer is no, this article will tell you the secret of creating a secure MDB database file. First, the cause of the crisis: Generally, based on ASP-built Web site programs and forum database extensions default to MDB, which is very dangerous. Just by guessing the location of the database file, and then entering its URL in the browser's address bar, you can easily download the file. Even if we add the password to the database and the password of the admin inside is also encrypted by MD5, it is easy to be cracked after being downloaded to the local. After all, the current MD5 has been able to crack through violence. So as long as the database is downloaded, the database has no security whatsoever. Two, commonly used remedial method: The current commonly used database file prevents the illegal downloading the method to have the following several kinds. (1) Modify the name of the database and put it under a very deep directory. For example, changing the database name to Sj6gf5.mdb and putting it in a multilevel directory makes it difficult for an attacker to simply guess the location of the database. Of course, the disadvantage is that if the ASP code file leakage, it is no matter how deep hidden. (2) Modify the database extension to ASP or ASA, etc. without affecting the data query name. But sometimes modified for ASP or ASA can still be downloaded, such as we modify it to ASP, directly in IE's address bar input network address, although there is no hint download but in the browser appeared a large garbled. If you use a professional download tool such as FlashGet or AV conveyor, you can download the database files directly. However, this method has a certain blindness, after all, the intruder can not ensure that the file must be the MDB database file to modify the file name extension, but for those who have enough energy and time for intruders, can download all the files and all modify the extension to guess. The level of preparedness for this approach will be greatly reduced. Third, the author's heretical: in the author's testing process encountered ASP and ASA file will also be downloaded problems, theThe following methods have been found in the study. If you name the database file as "#admin. Asa", you can completely avoid the use of IE download, but if the flashget guessed the path of the database, with the user can still successfully download, and then renamed the downloaded file as " Admin.mdb ", the website secret will be exposed. So we need to find a way to flashget that we can't download, but how can we make it impossible for him to download it? Presumably because of a previous Unicode vulnerability attack, the site will not handle a link that contains a Unicode code. So we can use Unicode coding (such as "%3c" instead of "<", etc.) to achieve our goal. FlashGet, while dealing with links containing Unicode code, "smart" to deal with the Unicode encoding, such as automatic "%29" This section of the Unicode code form of the characters into the "(", so you submit to flashget an HTTP ://127.0.0.1/xweb/data/%29xadminsxx.mdb download link, it is explained as http://127.0.0.1/xweb/data/ (Xadminsxx.mdb, look at the site above us and the place where the rename is different, flashget the "%29xadminsxx.mdb" to "(Xadminsxx.mdb), when we click the" OK "button to download, It looks for a file called "(Xadminsxx.mdb"). In other words, flashget to lead us astray, it certainly cannot find, so the hint failed. However, if you are prompted to fail, the attacker will definitely want to take other attack methods. From this we can adopt another method of precaution, since flashget to find the file named "(Xadminsxx.mdb), we can give it a, we give it a simulation of the database named" (Xadminsxx.mdb), So when the intruder wants to download the file, it does download a database back, but the database file is False or empty, in their secretly happy time, in fact, the ultimate victory is ours. Summary: Through this heretical to protect the MDB database file method Introduction, we can identify two security, one is confusing, that is, the hacker wants to change things, such as changing the MDB file file name or extension; Replace it with a meaningless thing, so that even if the hacker succeeds, it is a false message, and they will stop for the invasion to succeed.Next attack. To force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passed (0 Votes) The original: Data security protection to create security. MDB database return network security Home
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.