How to prevent website database intrusion
Sohu, 163, Yahoo and similar large portals are visited by huge numbers of users, and the search engines they provide are among their most popular services. Yet it is precisely these search engines that open a door for attackers. With nothing more than a search engine, an attacker can locate a website's database file, obtain the site's administrator account and password from it, and take over the administration of the whole site. Confidential records stored in the database that only administrators are supposed to see are leaked as a result.

The process of intruding into a website through a search engine is actually very simple, and once you understand how the intrusion works you also know how to defend against it. So what exactly is the defensive measure?

First, look at a piece of code from the intruder's point of view:

<% connstr="DBQ="+server.mappath("data/data.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
set conn=server.createobject("ADODB.CONNECTION")
conn.open connstr %>

The above is a piece of ASP code that opens the database; the part "+server.mappath("data/data.mdb")+" sets the location of the database file. It is easy to see that this website's database is the file data.mdb in the data directory.

The search engines of many large websites offer a powerful feature: they can search the text of pages that were never registered with the search engine. Using this feature, search for the string "server.mappath". The result looks like this:

[Untitled Document]
......="+server.mappath("../up/mucal/calp.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
set conn=......
-(URL: omitted)

In this way the user obtains a large number of search results containing database location information. But the results contain a lot of noise, and their scope is far too wide. What if the user only wants the code of one particular website? That is also simple: search engines usually support multi-keyword queries, and all it takes is a "+" between the two keywords. For example, to find every page about network security on the Computer World website, the user only needs to type "Computer World + network security" into the search engine. The same method solves the problem above. If the user wants the database of a particular program, say one named "小牛江湖", searching for "小牛江湖 + server.mappath" yields the following result:

[小牛江湖]
......="+server.mappath("../xajh/data/mycalf.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
set conn=......
-(URL: www.mycalf.com/xajh/index.asp)

At this point the location of this program's database is clear: /xajh/data/mycalf.mdb. The user then downloads the database file and opens it with the corresponding database software to read its contents. The same weakness can also yield the password of an MSSQL server, and from there an attacker may go on to gain control of the other party's entire server.

Where there is a spear there is a shield. Since this statement is what lets others use a search engine to find the website's database, one of the most effective fixes is to hide it: move the database call into a separate file and have the other pages call that file instead.

First create an ASP file whose content is:

<% connstr="DBQ="+server.mappath("data/data.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
set conn=server.createobject("ADODB.CONNECTION")
conn.open connstr %>

Name this file dbconn.asp, for example. Then, in every ASP page that needs to access the database, add the line <!--#include file="dbconn.asp"--> and the database call is available in that page. The connection code segment is thus hidden, and the problem of others obtaining the website's database through a search engine is resolved.
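As an added check, not part of the original article, the following Python script audits a classic-ASP web root for the two conditions described above: pages that still embed the server.mappath connection string inline instead of using the dbconn.asp include, and .mdb files that sit under the web root where a leaked path is enough to download them. The sample site it builds in a temporary directory is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Inline database call in the form the article shows: server.mappath("data/data.mdb")
MAPPATH_RE = re.compile(r'server\.mappath\s*\(\s*"([^"]+\.mdb)"\s*\)', re.IGNORECASE)


def audit_webroot(webroot, include_name="dbconn.asp"):
    """Scan a classic-ASP web root and return a sorted list of (kind, path, detail):
       inline-connstr : an .asp page other than the include file embeds the
                        connection string itself (the exposure described above)
       mdb-in-webroot : an Access file lives under the web root, so a leaked
                        path is enough to download it"""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix == ".mdb":
            findings.append(("mdb-in-webroot", rel, ""))
        elif suffix == ".asp" and path.name.lower() != include_name.lower():
            text = path.read_text(encoding="utf-8", errors="replace")
            for m in MAPPATH_RE.finditer(text):
                findings.append(("inline-connstr", rel, m.group(1)))
    return sorted(findings)


# Connection string from the article, used to build the constructed sample site
CONNSTR = ('<% connstr="DBQ="+server.mappath("data/data.mdb")+";DefaultDir=;'
           'DRIVER={Microsoft Access Driver (*.mdb)};"\n'
           'set conn=server.createobject("ADODB.CONNECTION")\n'
           'conn.open connstr %>\n')


def demo():
    """Constructed sample site (not a real deployment): old.asp still carries the
    connection string inline, fixed.asp pulls it in through the dbconn.asp include."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "data").mkdir()
        (root / "data" / "data.mdb").write_bytes(b"constructed placeholder, not a real database")
        (root / "dbconn.asp").write_text(CONNSTR)
        (root / "old.asp").write_text(CONNSTR + "<% response.write(1) %>\n")
        (root / "fixed.asp").write_text('<!--#include file="dbconn.asp"-->\n<% response.write(1) %>\n')
        return audit_webroot(root)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(kind, path, detail)
```

Running it reports old.asp as an inline-connstr finding and data/data.mdb as an mdb-in-webroot finding, while fixed.asp and dbconn.asp itself produce nothing.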

Copyright © Windows knowledge All Rights Reserved