How to prevent Web site database intrusion

Sohu, 163, Yahoo, etc. are often frequented by internet users of large portal sites, these sites provide search engine services are most favored by everyone. But it is precisely these search engines for hackers to open the door, many hackers can use the search engine easily get a Web site database, so that the site's management account and password, and can control the entire site management rights. As a result, some confidential documents stored in the database that only administrators can see are leaked. In fact, through the search engine intrusion site process is very simple, understand the intrusion method, you can know how to solve the problem. So what is the specific way to prevent it? First from the intruder perspective, analyze a piece of code: 〈%connstr= "dbq=" +server.mappath ("Data/data.mdb") + "; Defaultdir=;driver={microsoft Access DRIVER (*.mdb)} ; "Set Conn=server.createobject (" ADODB. CONNECTION ") Conn.Open connstr%〉 above is a section of ASP's code to invoke the database, where" +server.mappath ("Data/data.mdb") + "plays a role in setting the database location. It's not hard to see that this site's database is in the Data.mdb file in the Dada directory. Many large web site search engines, there is a powerful feature, that is, you can search the search engine has not registered Web pages. With this feature, let's search for the "Server.MapPath" field. The result is: [Untitled document] ... = "+server.mappath". /up/mucal/calp.mdb ") +"; Defaultdir=;driver={microsoft Access DRIVER (*.mdb)}; "Set conn= ...-(URL: slightly) Users get a lot of search results with database location information. But there will be some moisture in the result, and the range is too large. What if the user only wants to get the code for a particular site? In fact, this is also very simple, search engines usually with multiple keyword query function, as long as the search in the middle of the two keywords to enter a "+" on it. For example, users want to find out about the computer World Web site on the security of all Web pages, as long as users in the search engine type "Computer World + network security" can be. Similarly, users can use this method to solve the problem above. If the user wants to get a database of a program, such as the name of the program is "Calf Lake", then users search the search engine "calf lakes + server.mapPath "You can get the following results: [calf lakes] ... =" +server.mappath ". /xajh/data/mycalf.mdb ") +;defaultdir=;driver={microsoft Access DRIVER (*.mdb)};" Set conn= ...-(web address: Www.mycalf.com/xajh /index.asp at this point, the program's database location will be clear:/xajh/data/mycalf.mdb. Then the user to download the database, with the corresponding database software to open, you can get the content. Use this vulnerability can also get the password of MSSQL server, can even further manage the other side of the entire server. A spear is a shield. The use of the search engine to get the site database of the problem can be resolved in many ways, one of the most effective way is to hide this statement, using the method of invoking other files to implement the call database. First you need to establish a content for 〈% connstr= "dbq=" +server.mappath ("Data/data.mdb") + "; Defaultdir=;driver={microsoft Access DRIVER (*.mdb) }; "Set Conn=server.createobject (" ADODB. CONNECTION ") conn.open connstr%> asp file. For example, name the file dbconn.asp. This enables the invocation of the database as long as the!--#include file= "dbconn.asp"--> in the ASP file that requires the database to be invoked. 　 In this way, it realizes the hiding of the phrase section, solves the problem that the search engine gets the website database by others. Responsible Editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passing (0 Votes) The original: How to prevent Web site database intrusion return network security home