Source: jia219    Author: Jia219
Yesterday Animator and I ran a test: we renamed the Data.mdb file in the wwwroot directory to data.asp. Opening the Data.asp path in IE showed a blank page; right-click -> View Source opened Notepad, and when we saved that content as a .mdb file and opened it in Access it asked for a password, which means the file header had at least been damaged. Then we downloaded Data.asp with FlashGet, saved it as data.mdb, and Access opened it intact!!! It seems some programmers believe that changing the .mdb suffix is enough to prevent download; that belief is wrong. For an ASP + Access website, having the back-end database downloaded is a disaster. Today I looked up what others have written and summarised the following 9 ways to prevent the database from being downloaded (additions welcome):
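The download test described above, as an added example that is not part of the original article: a PowerShell script (host name www.test.com, file names and sample bytes are constructed for illustration) that shows how a browser and the server treat a "#" or a space in a file name (the renaming trick in method 3 below) and how to confirm whether a file you retrieved is still a usable Access database, which is exactly what the FlashGet download revealed.

```powershell
# Added example, not code from the original article. Host name, file names and
# the sample byte strings are constructed for illustration.

# 1. A browser treats everything after "#" as a fragment and never sends it,
#    so the request is for /date/ (the directory default document), which is
#    what method 3 relies on.
$withHash = [uri]'http://www.test.com/date/#123.mdb'
"Browser requests: $($withHash.AbsolutePath)   fragment kept locally: $($withHash.Fragment)"

# 2. Percent-encoding defeats that: IIS decodes %23 to "#" and %20 to a space
#    before it looks the file up on disk, so these requests reach the real file.
function Get-ServerPath([string]$RequestUrl) {
    # what the server sees after URL-decoding the request path
    return [uri]::UnescapeDataString(([uri]$RequestUrl).AbsolutePath)
}
$hashBypass  = 'http://www.test.com/date/' + [uri]::EscapeDataString('#123.mdb')
$spaceBypass = 'http://www.test.com/date/' + [uri]::EscapeDataString('123 456.mdb')
"Attacker sends: $hashBypass   server opens: $(Get-ServerPath $hashBypass)"
"Attacker sends: $spaceBypass   server opens: $(Get-ServerPath $spaceBypass)"

# 3. Is what you downloaded still an Access database? Jet files (Access
#    97-2003) carry "Standard Jet DB" at byte offset 4, Access 2007+ files
#    "Standard ACE DB". A renamed copy served intact keeps this header; an
#    ASP error page or a damaged view-source copy does not.
function Test-AccessHeader([byte[]]$Bytes) {
    if ($Bytes.Length -lt 19) { return $false }
    $sig = [System.Text.Encoding]::ASCII.GetString($Bytes, 4, 15)
    return ($sig -eq 'Standard Jet DB' -or $sig -eq 'Standard ACE DB')
}

# Constructed samples: a minimal Jet header, and the start of an ASP error page.
$sampleMdb  = [byte[]]((0, 0, 0, 0) + [System.Text.Encoding]::ASCII.GetBytes('Standard Jet DB'))
$sampleHtml = [System.Text.Encoding]::ASCII.GetBytes('<html><body>Server error in application</body></html>')
"Sample .mdb header recognised: $(Test-AccessHeader $sampleMdb)"    # True
"Sample HTML recognised:        $(Test-AccessHeader $sampleHtml)"   # False

# 4. The check to run against your own site after applying one of the methods
#    below (needs network access, so it is defined but not called here).
function Test-DownloadableDb([string]$Url) {
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -OutFile $tmp -ErrorAction Stop
        return Test-AccessHeader ([System.IO.File]::ReadAllBytes($tmp))
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
# Test-DownloadableDb 'http://www.test.com/date/%23123.mdb'   # True means still exposed
```

Run Test-DownloadableDb against the real URL of your database (including the percent-encoded variants) after applying any of the methods below; a 404 or 500 response throws, and a True result means the file is still being served intact.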
1. Use your imagination and change the database file name. Needless to say, this is the laziest method. If the attacker obtains the database path by some other route (a leaked source file, a directory listing), it is over. For example, an attacker who only has directory listing rights will unexpectedly see the database path and can take the database home to study it. In addition, data files are usually large, so a renamed database does not hide well among the other files. Confidentiality is therefore the lowest of all the methods.

2. Change the database suffix to .asa, .asp, etc. This method only works together with some other settings; otherwise you get the situation described at the beginning of this article. (1) Add a binary field (I have not yet worked this one out). (2) Put <% in the file: IIS will then parse the file according to ASP syntax, report a 500 error, and the file naturally cannot be downloaded. But simply storing <% in a text or memo field is useless, because Access processes the content and the bytes <% will not appear literally in the database file. The right way is to store <% in an OLE Object field. First, create a text file in Notepad whose content is just <%, with any name. Then open your database in Access, create a new table with any name, add an OLE Object field to it, add a record, and insert the text file you just created into that field; if done correctly you will see a new record called "Package". Caveat: this only matters when the file's extension is mapped to asp.dll (.asp, .asa); a file served with the .mdb extension is sent byte for byte regardless of what it contains.

3. Put a # in the database file name, i.e. add a # in front of the database name, then update the database path in the connection file (e.g. conn.asp). The principle is that the client only requests the part of the address before the #, because a browser treats everything after it as a fragment identifier. For example, if someone tries to download http://www.pcdigest.com/date/#123.mdb (assuming it exists), whether in IE or FlashGet, what is actually requested is http://www.test.com/date/index.htm (or index.asp, default.jsp etc., whichever default document is configured in IIS). Spaces play a similar role. Because of the way addresses are encoded in HTTP, a space is sent as %20: a file such as http://www.test.com/date/123 456.mdb is requested as http://www.test.com/date/123%20456.mdb, and since the directory contains no file named 123%20456.mdb the download fails. So even if you expose the database address, it generally cannot be downloaded! Caveat: both tricks depend on the client, not the server. IIS decodes %23 back to # and %20 back to a space before it looks the file up on disk, so anyone who requests http://www.test.com/date/%23123.mdb directly gets the file. Treat this as an obscurity measure only, not as protection.

4. Encrypt the database. First choose Tools -> Security -> Encrypt/Decrypt Database, select the database (e.g. EMPLOYER.MDB), click OK, and in the "Encrypt Database As" dialog save it as Employer1.mdb. Employer.mdb is then encoded and saved as Employer1.mdb. Note that this step does not set a password on the database; it only encodes the database file so that others cannot read its contents with another tool.
Then choose Tools -> Security -> Set Database Password from the menu and enter a password. Now even if someone obtains Employer1.mdb, they cannot open it without the password. After encryption you must modify the database connection page, e.g.: CONN.Open "driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=database password;DBQ=database path". After this change, even if the database is downloaded others cannot open it (provided the password in your connection page is not leaked). Note, however, that the Access encryption mechanism is quite simple, so even with a password set it is easy to decrypt. The database engine XORs the user-entered password with a fixed string and stores the result in the .mdb file starting at offset &H42, so a good programmer can write a dozen-line program to recover the password of any Access database. Therefore once the database has been downloaded, the security of its information is still an open question.

5. Put the database outside the web directory, or put the database connection file in another virtual directory. Change the connection address in /webroot to the form "../data/database name"; the database can still be used normally but cannot be downloaded, because it is not under the web directory! This method is generally not available to users who rent virtual hosting space.

6. Use an ODBC data source. In ASP and similar programming, if at all possible use an ODBC data source and do not write the database name in the program; otherwise the database name leaks together with the ASP source code, for example: dbpath = server.mappath("../123/ABC/ASFADF.MDB") : conn.open "driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath. As you can see, however strange the database name and however deep the hidden directory, once the ASP source code is leaked the database is easy to download.
With an ODBC data source there is no such problem: conn.open "ODBC-DSN name". But this is more troublesome, because moving the directory means re-creating the data source; for more convenient ways see methods 7 and 8!

7. Add an application mapping for .mdb. This method is implemented in the IIS settings and suits people who control IIS; it is not available to users of rented virtual hosts (unless the administrator has set it up). I think it is currently the best: after one change the databases of the whole site are protected from download, and there is no need to change any code even if the target address is exposed. In IIS Properties -> Home Directory -> Configuration -> Mappings -> Application Extensions, add an application mapping for .mdb. Note that the choice of DLL (or EXE, etc.) is not arbitrary: chosen improperly, the .mdb file can still be downloaded, and in particular do not select asp.dll, because it sends everything outside <% %> blocks to the client unchanged. After the change, test it yourself by trying to download a database, e.g. http://www.test.com/data/dvbbs6.mdb; the request should fail with an error (404, 500 or similar). On IIS 7 and later the same result is obtained with Request Filtering by adding .mdb to the denied file extensions.

8. Use the advantages of .NET. Specifically, see http://www.9seek.com/wbal/ ics. It only prevents downloads from outside the site; it does not really lock the database. Combined with method 5, however, it gives almost the same result, and the file cannot be downloaded locally either!

Of these methods, only 7 and 8 are uniform changes: after one configuration change the databases of the whole site are protected from download. The others all require modifying database names and connection files, which is more troublesome, but friends on virtual hosts have no other choice! In fact method 8 should be seen as an extension of method 5 with a special function; hosts that do not support it should use method 5 (and method 6 where possible). Method 8 can also still be bypassed: copy the database link into the host's own forum or guestbook and click it there, because the referring page then comes from the host itself.

9. Use NTFS partition file permission settings (by percyboy). We already know that ASP.NET uses ADO.NET to access databases, and that the Access database, one of the most common low-end databases, is accessed through OLEDB. This article discusses several error messages you may see in ASP.NET when working with database files created by Access 2000 and Access XP, and the permission settings that avoid them; I hope it helps. A second aim is to give you, through this article, a new understanding of the NTFS permissions ASP.NET needs.

(1) Experiment. For the sake of the narrative, a concrete example: the application is /test and the database is D:\wwwroot\test\data\db1.mdb. We already know that ASP.NET runs under the identity of the ASPNET virtual user, so we need to give this account specific NTFS permissions for the ASP.NET program to run normally.
To find the strictest NTFS settings, we start the experiment with the minimum permissions: a) the folder D:\wwwroot\test\data\ grants the user ASPNET only Read & Execute (ticking it in the Security tab also ticks List Folder Contents and Read); Full Control, Modify and Write are not granted, and nothing is denied. The file db1.mdb inherits these permissions from the folder.

1.1 With these permissions an ASPX page that only runs SELECT commands works; the permissions above are sufficient for such programs.

1.2 For an ASPX page containing INSERT, UPDATE or DELETE commands:
(a) If db1.mdb was created by Access 2000, this error appears:
Server Error in '/test' Application.
The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It is already opened exclusively by another user, or you need permission to view its data.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. (The same Description line accompanies every error below.)
Exception Details: System.Data.OleDb.OleDbException: The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It is already opened exclusively by another user, or you need permission to view its data.
(b) If db1.mdb was created by Access XP, this error appears:
Server Error in '/test' Application.
Operation must use an updateable query.
Exception Details: System.Data.OleDb.OleDbException: Operation must use an updateable query.
(c) Preliminary analysis: because INSERT, UPDATE and DELETE need to write to the database file itself, the permissions above cannot satisfy them, so we need to release more.

1.3 We release some permissions: a) the folder D:\wwwroot\test\data\ is unchanged; b) the file db1.mdb itself now grants the user ASPNET Read & Execute, Read and Write.
(a) If db1.mdb was created by Access 2000, this error appears:
Server Error in '/test' Application.
Could not lock file.
Exception Details: System.Data.OleDb.OleDbException: Could not lock file.
(b) If db1.mdb was created by Access XP, there is no error.
(c) Preliminary analysis: when Access opens a database it creates a *.ldb file in the directory, Access's lock marker. We therefore guess that when the user ASPNET opens the Access database it also needs to create this lock marker, and since the directory does not allow it to write, an error occurs. Why a database created by Access XP does not produce this error is unknown.
1.4 We release further permissions: a) the folder D:\wwwroot\test\data\ grants the user ASPNET Read & Execute, List Folder Contents, Read and Write; b) the file db1.mdb itself grants the user ASPNET Read & Execute, Read and Write. This is the "minimum permission" set we need to release.
(a) If db1.mdb was created by Access 2000, we find a small problem: the generated *.ldb file does not delete itself and remains after the access, but this does not affect the normal operation of ASP.NET.
(b) If db1.mdb was created by Access XP, there is no such problem.
(c) Preliminary analysis: we only gave ASPNET Write permission on the folder, without Delete permission, so once the *.ldb file has been written ASPNET cannot remove it. If you need to solve this, release permissions further: a) the folder D:\wwwroot\test\data\ grants the user ASPNET Modify (which carries Read & Execute, List Folder Contents, Read and Write, and adds Delete); b) db1.mdb itself can stay as in 1.4, since removing the .ldb only needs rights on the folder and on the .ldb, which ASPNET created.

1.5 Another situation: we open db1.mdb for editing in Access and then access it from ASP.NET.
(a) If db1.mdb was created by Access 2000, we find no problem.
(b) If db1.mdb was created by Access XP, this error appears:
Server Error in '/zhao' Application.
Could not use ''; file already in use.
Exception Details: System.Data.OleDb.OleDbException: Could not use ''; file already in use.
(c) Preliminary analysis: Access is a single-user, single-threaded database. When we open the database file for editing in Access, it is actually opened as the current Windows user (e.g. Administrator), while ASP.NET by default uses the ASPNET virtual user (a member of the Users group), whose level is lower than Administrator and cannot "grab" the file, hence the conflict error. As for Access 2000 ignoring this problem, we need not discuss it; perhaps Access 2000 simply does not take so many factors into account.

1.6 Appendix: if the attribute of db1.mdb is changed to "read-only", databases created by either Access 2000 or Access XP produce the same errors as their respective cases in 1.2.

(2) Conclusions. (1) First, to summarise the origin of the NTFS permission settings for Access database files: ASP.NET accesses the database under the identity of a virtual user called ASPNET. You can see this user under Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users; by default its full name is "ASP.NET Machine Account" and it belongs to the Users group. Performing file and database operations as a member of the Users group is far less risky than doing so as a member of the Administrators group, which is one of the security considerations in ASP.NET. Since this user needs to access and operate on the database file itself, we must give it certain NTFS permissions to allow that access; obviously, without NTFS permission ASPNET cannot access or operate on the database, and the errors from the experiment above appear. (2) From the experiment we know that the following NTFS settings meet general needs: a) the folder D:\wwwroot\test\data\ grants the user ASPNET Read & Execute, List Folder Contents, Read and Write; b) the file db1.mdb grants the user ASPNET Read and Write; and also make sure db1.mdb does not have the "read-only" attribute, which blocks ASPNET's access regardless of the ACL. (3) These permissions can be set directly for the ASPNET user, or for the Users group, or even for the Everyone group; because ASPNET is a member of Users, setting them on the group also grants them to ASPNET. Granting them to Everyone is wider than necessary, though: the least-privilege choice is to grant the specific account only.
(4) NTFS permissions are set on the "Security" tab of the "Properties" dialog of the file or folder. In general you can give the Administrators group "Full Control"; do not casually tick boxes in the "Deny" column, and consult your network administrator or a network security expert for advice on NTFS permission settings. NTFS permissions are not supported on partitions formatted as FAT or FAT32. (5) On the Windows 2000 series and the Windows Server 2003 series the "Security" tab is easy to find, but on Windows XP Professional it is hidden by default: open Control Panel -> Folder Options -> View -> Advanced settings, untick "Use simple file sharing (Recommended)", click OK, and then look for the "Security" tab again as described above.
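The permissions percyboy arrives at above, applied with PowerShell instead of the Security tab and then verified; this is an added example, not part of the original article. It assumes the article's paths (D:\wwwroot\test\data\db1.mdb) and the ASPNET account; on IIS 6 and later the worker-process identity (for example NT AUTHORITY\NETWORK SERVICE or the application pool identity) takes the place of ASPNET.

```powershell
# Added example, not part of the original article. Paths and the account name
# are the ones the experiment uses; change them for your own site.
$dataDir = 'D:\wwwroot\test\data'
$dbFile  = Join-Path $dataDir 'db1.mdb'
$account = 'ASPNET'   # IIS 6+: the worker process identity, e.g. 'NT AUTHORITY\NETWORK SERVICE'

function Grant-NtfsRights {
    param([string]$Path, [string]$Identity, [string]$Rights, [switch]$Folder)
    # On a folder the rule must propagate to files and subfolders created later
    # (the .ldb lock file among them); on a file, inheritance flags are not allowed.
    if ($Folder) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $Identity, $Rights, 'Allow')
    }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)      # replaces any existing Allow rule for this identity
    Set-Acl -Path $Path -AclObject $acl
}

# Folder: Read & Execute (which carries List Folder Contents and Read) plus
# Write, so the Jet engine can create its .ldb next to the database (step 1.4).
# Use 'Modify' instead if the stale .ldb of an Access 2000 file should be
# removed automatically; Modify adds the Delete right the experiment was missing.
Grant-NtfsRights -Path $dataDir -Identity $account -Rights 'ReadAndExecute, Write' -Folder

# File: Read and Write cover SELECT, INSERT, UPDATE and DELETE.
Grant-NtfsRights -Path $dbFile -Identity $account -Rights 'Read, Write'

# The read-only attribute overrides the NTFS Write right and brings back the
# errors of step 1.2, so clear it.
$item = Get-Item -Path $dbFile
if ($item.IsReadOnly) { $item.IsReadOnly = $false }

# Verify what the account ended up with on both objects.
foreach ($p in @($dataDir, $dbFile)) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference.Value -like "*$account" } |
        Select-Object @{ n = 'Path'; e = { $p } }, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Run it from an elevated PowerShell on the web server. The verification table at the end should show ReadAndExecute, Write (or Modify) on the folder and Read, Write on the file for the account, with nothing granted to Everyone; anything broader is more than the Jet engine needs.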
===========
Closing note: if you are not the administrator of the server but a virtual host user, every site owner is advised to use the methods above that do not need control of the server; if you do administer the server, it is recommended to add method 9 as well, and the security of your Access database is greatly improved. Suppose the website is compromised (the attacker obtains the URL of the database by one of many routes): for a weaker web system this means the database will be downloaded by the attacker and the whole site carried off.