Database branches

xiaoxiao2021-03-06  38

First of all: it turns out that the usual trick for stopping an MDB download is an illusion.

Yesterday Animator and I tried this: rename the Data.mdb file under the wwwroot directory to Data.asp. After entering the path of Data.asp in IE, I found that IE showed a blank page; right-click -> View Source opened Notepad, and after saving that content as a .mdb file and opening it with Access, it asked for a password, meaning that at least the file header had been damaged.

Then I tested downloading the Data.asp file with FlashGet and saved it as Data.mdb; opened with Access, it was completely intact!!! It seems that some programmers believe, when developing, that changing the MDB suffix is enough to prevent downloading, which is wrong. For an ASP + Access website, having the back-end database downloaded is undoubtedly a disaster. Today I collected articles from all sides, and I list the following 9 ways to prevent the database from being downloaded (additions welcome):

1. Use your imagination to change the database file name

Needless to say, this is the laziest way, but once the attacker obtains the path of the database by some other means (for example through a third-party path), it is finished. For example, the attacker may have obtained only directory-listing rights and unexpectedly sees the database path, and can then download the database and study it at leisure. In addition, a database file is usually large, and a file of that size is hard to hide by name alone. The confidentiality of this method is therefore the lowest.

2. Change the database name suffix to ASA, ASP, etc.

This approach must be combined with further settings; otherwise the situation described at the start of this article will occur.

(1) Add a binary field (I have not figured out this trick yet -_-).

(2) Add <% or %> to the database. IIS will then parse the file according to ASP syntax and report a 500 error, so naturally it cannot be downloaded. However, if you simply put it in a text or memo field, it is useless, because Access processes the content of such fields and the literal <% does not end up in the database file! The correct way is to store <% in an OLE Object field, so that our purpose can be achieved.

Method:

First, use Notepad to create a text file whose content is <%; the file name does not matter.

Next, open your database file with Access, create a table with any name, add an OLE Object field to the table, then add a record and insert the text file created above as the object. If the operation is correct, you should see a new record showing "Package".
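As an added example (not part of the original article), the following Python script checks the two things the opening experiment and method 2 depend on: whether the bytes a download client received are an intact Jet database (every .mdb file starts with a fixed header, which is what FlashGet got back unchanged), and whether a database file actually contains the literal <% bytes that IIS must find for method 2 to work. The sample bytes are constructed for the demonstration.

```python
"""Byte-level checks for a renamed Access database (added example, constructed data)."""
from pathlib import Path

# Every Jet/Access .mdb file starts with these bytes: 00 01 00 00 "Standard Jet DB".
JET_SIGNATURE = b"\x00\x01\x00\x00Standard Jet DB"
# The delimiter that makes IIS's ASP handler fail with a 500 instead of serving the file.
ASP_MARKER = b"<%"


def is_jet_database(data: bytes) -> bool:
    """True if the data begins with the Jet header, i.e. it is an intact .mdb file."""
    return data.startswith(JET_SIGNATURE)


def contains_asp_marker(data: bytes) -> bool:
    """True if the raw bytes '<%' occur anywhere in the file.

    Method 2 only works when this is true: a marker typed into a text/memo field
    may be stored in another form, so check the file bytes, not the Access table view.
    """
    return ASP_MARKER in data


def classify_served_body(status: int, body: bytes) -> str:
    """Classify what a download client actually got back for a renamed database URL."""
    if status != 200:
        return "blocked"            # 404/500: the handler refused to stream the file
    if is_jet_database(body):
        return "leaked-database"    # the intact .mdb reached the client (the FlashGet case)
    if not body:
        return "empty"              # what IE displayed as a blank page
    return "other"                  # some other content, e.g. an HTML error page


def check_mdb_file(path: str) -> dict:
    """Run both checks on an on-disk database file."""
    data = Path(path).read_bytes()
    return {"jet_header": is_jet_database(data),
            "asp_marker": contains_asp_marker(data)}


# Constructed samples: a Jet header, padding, and (in the first one) the marker
# as it would sit in the file after being inserted as an OLE object.
SAMPLE_WITH_MARKER = JET_SIGNATURE + b"\x00" * 64 + ASP_MARKER + b"\x00" * 8
SAMPLE_WITHOUT_MARKER = JET_SIGNATURE + b"\x00" * 64


if __name__ == "__main__":
    print(classify_served_body(200, SAMPLE_WITH_MARKER))   # leaked-database
    print(contains_asp_marker(SAMPLE_WITHOUT_MARKER))       # False
```

Run check_mdb_file on the real database after inserting the OLE object to confirm the marker is present in the bytes; classify_served_body takes the status code and body of a GET for the renamed URL, made with any HTTP client, and tells you whether the intact database still reaches the client.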

3. Put a "#" in front of the database name

Simply add a # before the database file name, then modify the database address in the database connection file (such as Conn.asp). The principle is that the part after # is treated as a bookmark (anchor), and only the part before it is requested. For example, if you want to download http://www.pcdigest.com/date/#123.mdb (if it existed), whether you use IE or FlashGet, what is actually fetched is http://www.test.com/date/index.htm (index.asp, default.jsp, or whatever default document is set in IIS).
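As an added example (not the article's code), the following Python functions use only the standard library to show why the "#" trick works on the client side, and how the space variant described in the next paragraph behaves; the file names and URLs are constructed. Beyond what the text says, it also shows that a server which percent-decodes the request path (as IIS does) still finds a file whose name contains a space, so that variant only holds against a server that does not decode.

```python
"""How a client and a server each see a URL containing '#' or a space (added example)."""
from urllib.parse import urlsplit, quote, unquote


def requested_path(url: str) -> str:
    """Path that actually goes on the wire: the '#...' fragment never leaves the client."""
    return urlsplit(url).path


def client_side_fragment(url: str) -> str:
    """The part a browser keeps for itself as an anchor and never sends."""
    return urlsplit(url).fragment


def encode_filename(name: str) -> str:
    """Percent-encode a file name the way a client writes it into the request line."""
    return quote(name)            # "123 456.mdb" -> "123%20456.mdb"


def file_looked_up(request_path: str, decode: bool = True) -> str:
    """Name the server looks for on disk.

    A server that percent-decodes the path (IIS does) recovers the real name;
    the space trick only helps if the server skips that decoding step.
    """
    name = request_path.rsplit("/", 1)[-1]
    return unquote(name) if decode else name


def reachable(names_on_disk: set, url: str, server_decodes: bool = True) -> bool:
    """Would a request for `url` hit one of the files in the directory?"""
    path = requested_path(url)
    if path.endswith("/"):
        return False              # only the directory was asked for: default document is served
    return file_looked_up(path, server_decodes) in names_on_disk


# Constructed directory listing for the two tricks in this section.
ON_DISK = {"#123.mdb", "123 456.mdb"}


if __name__ == "__main__":
    print(requested_path("http://www.pcdigest.com/date/#123.mdb"))        # /date/
    print(reachable(ON_DISK, "http://www.test.com/date/123%20456.mdb"))  # True
```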

In addition, a space in the database file name plays a similar role, because when the HTTP address is parsed a space is encoded as "%20". For example, http://www.test.com/date/123 456.mdb is requested as http://www.test.com/date/123%20456.mdb, and our directory has no file named 123%20456.mdb, so the download also fails; even if you expose the database address, it generally cannot be downloaded!

4. Encrypt the database

First, choose "Tools -> Security -> Encrypt/Decrypt Database", select the database (for example Employer.mdb), click OK, and in the "Encrypt Database As" window that appears save it as Employer1.mdb. Employer.mdb is then encoded into Employer1.mdb. It is important to note that this action does not set a password on the database; it only encodes the database file, so that others cannot view the content of the database file with other tools.

Next we encrypt the database: first open the encoded Employer1.mdb, selecting "Exclusive" mode when opening. Then choose "Tools -> Security -> Set Database Password" from the menu and enter the password. Now, even if someone gets the Employer1.mdb file, without the password they cannot see its contents.

After encryption, modify the database connection page, for example:

Conn.Open "Driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=<database password>;DBQ=<database path>"

After this modification, even if the database is downloaded, others cannot open it (provided the password in your database connection page is not leaked).

However, note that because the encryption mechanism of Access databases is relatively simple, the password is easy to recover even when set. The database system forms the encrypted string by XORing the user-entered password with a fixed key and stores it in the *.mdb file starting at address &H42, so a competent programmer can easily write a dozen-line program to obtain the password of any Access database. Therefore, once the database has been downloaded, the security of its information is still an unknown quantity.

5. Place the database outside the web directory, or put the database connection file in another virtual directory

If your web directory is E:\Webroot, you can put the database into the E:\DATA folder and change the database address in the connection page under E:\Webroot to the form "../DATA/database name". The database can then be called normally, but it cannot be downloaded because it is not under the web directory! This method is generally not suitable for users who buy virtual hosting space.

6. Use an ODBC data source.

In ASP and other programming, if conditions permit, use an ODBC data source as far as possible and do not write the database name into the program; otherwise the database name is lost along with the ASP source code, for example:

dbpath = Server.MapPath("../123/ABC/ASFADF.MDB")

Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath

It can be seen that even if the database name is weird and the directory is deeply hidden, once the ASP source code leaks, the database is easy to download. If you use an ODBC data source there is no such problem: Conn.Open "ODBC DSN name". But this is more annoying: when the directory moves you have to reconfigure the data source. For a more convenient way, see methods 7 and 8!

7. Add an application extension mapping for the database extension, such as MDB

This method is implemented through IIS settings, so it suits friends who control IIS and not users who buy virtual hosting (unless the administrator has set it up). I think it is currently the best: once you change the setting, the database of the whole site is protected from download, with no need to modify code, even if the target address is exposed.

In IIS properties -> Home Directory -> Configuration -> Mappings -> Application Mappings, add an application mapping for .mdb. Note that the DLL (or EXE, etc.) selected does not seem to be arbitrary: with an improper choice the MDB file can still be downloaded; in particular it is best not to choose asp.dll. You can test this yourself.

After this modification, a download request for the database such as http://www.test.com/data/dvbbs6.mdb produces a 404 or 500 error.
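As an added example (not the article's code, and not how IIS is implemented), the following Python module models the two server-side decisions that methods 5 and 7 rely on: a request that resolves outside the web root is never served, and a request whose extension is mapped away from the static file handler is refused regardless of name. The web root path and file names are constructed stand-ins for the E:\Webroot and E:\DATA layout of method 5, written in POSIX form so the script runs anywhere.

```python
"""Serving decision for methods 5 and 7 (added example; paths are constructed)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Stand-in for E:\Webroot; the database of method 5 lives beside it, not under it.
WEBROOT = "/srv/webroot"
# Extensions that must never be served as static files. Method 7 achieves this for
# .mdb with an IIS application mapping; .ldb is the Access lock file kept beside it.
DATABASE_EXTENSIONS = {".mdb", ".ldb"}


def resolve_request(raw_url: str, webroot: str = WEBROOT):
    """Map a request URL to a file under the web root, or None if it escapes the root."""
    path = unquote(urlsplit(raw_url).path)          # decode %20 etc., drop any fragment
    full = posixpath.normpath(posixpath.join(webroot, path.lstrip("/")))
    if posixpath.commonpath([webroot, full]) != webroot:
        return None                                  # '..' walked out of the web root
    return full


def decide(raw_url: str, webroot: str = WEBROOT) -> str:
    """What the static file handler should do with the request."""
    full = resolve_request(raw_url, webroot)
    if full is None:
        return "deny:outside-webroot"                # method 5: file is not under the root
    if posixpath.splitext(full)[1].lower() in DATABASE_EXTENSIONS:
        return "deny:database-extension"             # method 7: extension is never served
    return "serve:" + full


if __name__ == "__main__":
    for url in ("/data/dvbbs6.mdb", "/data/123%20456.mdb", "/../DATA/db1.mdb",
                "/data/Data.asp", "/index.asp"):
        print(url, "->", decide(url))
```

Note that a renamed Data.asp is still served by this logic: that is the point of the opening experiment, and why method 2 needs the <% marker on top of the rename. Percent-encoding the name does not help either, because the path is decoded before the extension is checked, whereas the extension mapping of method 7 catches the database whatever it is called.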

8. Use the advantages of .NET

A netizen nicknamed Wood Bird has written a "WBAL anti-leech tool" that prevents illegal file downloads; see http://www.9seek.com/wbal/

However, it only blocks downloads that do not originate from the local site; it has no function that really prevents the database from being downloaded. Even so, this method is almost equivalent to method 5 in practice for local files: they cannot be downloaded locally either!

Among these methods, only the seventh and eighth are global changes: after one configuration change, the database of the entire site is protected from download. The others require modifying the database name and the connection file, which is more troublesome, but friends on virtual hosting have no other choice!

In fact, the sixth method should be seen as an extension of the fifth and can achieve special functions; for hosts that do not support .NET, if you are worried, use the fifth method. With the default referer-based method, someone can still post the link in a forum or guestbook on the same host and then click it to download, because the referring page is then from the same host.

9. Use NTFS partition file permission settings (by percyboy)

We already know that ASP.NET uses ADO.NET to access databases, and accesses Access databases through OLEDB; Access is one of the low-end databases we use very often. This article discusses a number of error messages you may see in ASP.NET, looking at database files created with Access 2000 and Access XP, which differ slightly in the errors they produce. I hope it is helpful. Another point is that, through this article, you will get a new understanding of NTFS permissions as they apply to ASP.NET.

(1) Experimental process

For convenience of description, a concrete example: the application is /test and the database file is at D:\wwwroot\test\data\db1.mdb. We already know that ASP.NET runs as a virtual user called ASPNET; for it to access the database we need to give this account specific NTFS permissions so that the ASP.NET program can run normally.

In order to find the strictest NTFS permission setting, we give the program the lowest NTFS permissions at the start of the experiment:

a) The D:\wwwroot\test\data\ folder grants the user ASPNET the following:

                         Allow   Deny
    Full control           □       □
    Modify                 □       □
    Read & execute         √       □
    List folder contents   √       □
    Read                   √       □
    Write                  □       □

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following:

    √ Allow inheritable permissions from the parent to propagate to this object

1.1 For an ASPX program containing only SELECT commands, the above permissions let it run without obstacle; that is, they already satisfy the operation of such programs.

1.2 For ASPX programs that contain commands such as UPDATE or INSERT:

(a) If db1.mdb is a database created by Access 2000, the following error appears:

Server Error in '/test' Application.

----------------------------------------

The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It is already opened exclusively by another user, or you need permission to view its data.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It is already opened exclusively by another user, or you need permission to view its data.

(b) If db1.mdb is a database created by Access XP, the following error appears:

Server Error in '/test' Application.

----------------------------------------

Operation must use an updateable query.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: Operation must use an updateable query.

(c) Preliminary analysis of the cause: because commands such as UPDATE and INSERT require write operations on the database file itself, the above permissions cannot meet this requirement, and we need to release more permissions.

We release some permissions:

a) The D:\wwwroot\test\data\ folder: unchanged.

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following:

                         Allow   Deny
    Full control           □       □
    Modify                 □       □
    Read & execute         √       □
    List folder contents   √       □
    Read                   √       □
    Write                  √       □

1.3 Continuing the experiment after the change:

(a) If db1.mdb is a database created by Access 2000, the following error appears:

Server Error in '/test' Application.

----------------------------------------

Could not lock file.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: Could not lock file.

(b) If db1.mdb is a database created by Access XP, there is no error.

(c) Preliminary analysis of the cause: We find that when Access opens a database it creates a *.ldb file in the directory, which is Access's lock marker. So we guess that when the user ASPNET accesses the Access database it also needs to create a lock marker, and the directory does not allow it to write, hence the error. Why the database created by Access XP does not give this error is not known.

We release permissions further:

a) The D:\wwwroot\test\data\ folder grants the user ASPNET the following:

                         Allow   Deny
    Full control           □       □
    Modify                 □       □
    Read & execute         √       □
    List folder contents   √       □
    Read                   √       □
    Write                  √       □

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following:

    √ Allow inheritable permissions from the parent to propagate to this object

1.4 Continuing the experiment, we find that the errors are resolved, so these permissions are the "minimum permissions" we need to grant.

(a) If db1.mdb is a database created by Access 2000, we find a small problem: the generated *.ldb file does not delete itself and still exists after the access, but this does not affect the normal running of ASP.NET.

(b) If db1.mdb is a database created by Access XP, there is no such problem.

(c) Preliminary analysis of the cause: We only gave ASPNET Write permission on the folder, not Modify, so once a file has been written ASPNET cannot modify its content, and the *.ldb file cannot be deleted either.

If you want to solve this problem, release permissions further as follows:

a) The D:\wwwroot\test\data\ folder grants the user ASPNET the following:

                         Allow   Deny
    Full control           □       □
    Modify                 √       □
    Read & execute         √       □
    List folder contents   √       □
    Read                   √       □
    Write                  √       □

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following:

    √ Allow inheritable permissions from the parent to propagate to this object

1.5 Additional experiment: we open db1.mdb for editing in Access and access it from ASP.NET at the same time.

(a) If db1.mdb is a database created by Access 2000, we find no problem.

(b) If db1.mdb is a database created by Access XP, the following error appears:

Server Error in '/zhao' Application.

----------------------------------------

Could not use ''; file already in use.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: Could not use ''; file already in use.

(c) Preliminary analysis of the cause: The Access database is a single-user, single-threaded database. When we open the database file for editing in Access, it is actually opened as the current Windows user (such as Administrator), while ASP.NET uses the ASPNET virtual user (a member of the Users group), whose level is lower than Administrator and cannot "take the file away", so a conflict error results. As for why Access 2000 ignores this problem, we need not discuss it; possibly Access 2000 does not consider so many factors.

1.6 Further experiment: set the attribute of db1.mdb to "Read-only"; whether the file was created by Access 2000 or Access XP, the same error messages appear as in 1.2 respectively.

(2) Experimental conclusions

(1) First, let us summarize the origin of the NTFS permission settings of the Access database file:

In ASP.NET, database access is by default performed under the identity of a virtual user named ASPNET. You can see this user in "Control Panel" -> "Administrative Tools" -> "Local Users and Groups" -> "Users"; by default:

Full name: ASP.NET Machine Account

Description: Account used for running the ASP.NET worker process (aspnet_wp.exe).

Member of: Users group.

Performing file operations as such a user belonging to the Users group, the risk of database operations is much smaller than with a user in the Administrators group; this is also a security consideration of ASP.NET.

Since it is this user that needs to access the database file, we need to give it certain NTFS permissions to allow the access. Obviously, without NTFS permission ASPNET cannot access or operate on the database, and the errors seen in the above experiment appear.

(2) From the above experiment we already know that the following NTFS permission settings meet general needs:

a) The D:\wwwroot\test\data\ folder grants the user ASPNET the following:

                         Allow   Deny
    Full control           □       □
    Modify                 □       □
    Read & execute         √       □
    List folder contents   √       □
    Read                   √       □
    Write                  √       □

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following:

    √ Allow inheritable permissions from the parent to propagate to this object

At the same time, we also noticed that the "read-only" file attribute of db1.mdb affects ASPNET's access.

(3) The above permissions can be set directly for the ASPNET user, or for the Users group, or even given to the Everyone group. Because ASPNET is a member of the Users group, permissions can be granted to ASPNET through the user group.

(4) NTFS permissions are set in the "Security" tab of the "Properties" dialog obtained by right-clicking the file or folder. In general, you may consider giving the Administrators group "Full control"; do not tick "Deny" lightly. For NTFS permission-setting skills, consult your network administrator or the recommendations of network security experts.

Note: NTFS permissions are not supported on partitions in FAT or FAT32 format.

(5) In the Windows 2000 series and the Windows Server 2003 series the "Security" tab is easy to find, but in Windows XP Professional the "Security" tab is turned off by default: go to "Control Panel" -> "Folder Options" -> "View" -> "Advanced settings", remove the tick from "Use simple file sharing (Recommended)", click "OK", and the "Security" tab will then appear.

===========

In summary, using methods 2, 3 and 4 together is the most basic and most effective way to prevent the database from being downloaded; it applies to administrators who control the server as well as to users of virtual hosting. Every site builder is recommended to use these three methods.

If you control the server, it is recommended to add method 9; the security of your Access database can then be greatly improved.

Suppose the website's database address is exposed (the attacker obtains the URL of the database by one of many means). For a weaker web system this means the database is downloaded by the attacker, who then holds a complete copy of the site's data.


Please credit the original source when reposting: https://www.9cbs.com/read-65637.html
