The shelling of the network database - vulnerability warning - the black bar safety net

ID MYHACK58:6220066383
Type myhack58
Reporter Anonymous
Modified 2006-01-15T00:00:00


The database is the lifeblood of a website. It usually holds the entire site's news, articles, registered users, passwords and other information, and for some company and government websites it even contains important business information. The most fundamental step in enhancing a website's security is therefore to protect the database from being attacked and stolen.

A currently popular database attack method is the “burst library”. As the name suggests, a “burst library” uses forcible means to make the target site expose its database path, so that the database can be downloaded and the private data in it read, which puts the site's security at risk.

Here the author takes a “burst library” attack on the “power article system” as an example to introduce how a “burst library” is carried out and the essentials of preventing it.

Tip: the power article system is a very popular whole-site program with an Asp+Access structure, and its appearance and features are first class. Many company and government sites use a modified version of it. Unfortunately, although its features and looks are first class, it has the currently popular “burst library” vulnerability.

One, carrying out the burst library

1. Finding a target

The power article system's database connection file conn.asp has a request error, which can be used to expose the database path of any website that uses the power article system and to download the database. Thousands of websites online use the power article system, so it is enough to find a few as targets to start with. Open the Baidu search engine and enter the keywords: power article system statement. The search returns many sites running the power article system; open any one of them to try the burst library in practice:

2. Necessary settings before the burst library

Before trying the burst library in practice, some settings must first be changed in the IE browser; these settings determine whether the database path is revealed. Click the “Tools” button on the IE toolbar, select “Internet Options” in the drop-down menu to open the Internet Options settings panel, switch to the “Advanced” tab, find “show friendly HTTP error messages”, and clear this option (see Figure 1).

Figure 1


Tip: some readers may ask why “show friendly HTTP error messages” is turned off. Only with it turned off does the browser display the real error information; otherwise the error information the browser returns is of the kind: 505 error, 405 error, and so on. The 505 error and 405 error messages will be familiar to you: they are what is returned depending on the page. For example, when opening a website, a 405 error message indicates that the page does not exist; a 505 error message indicates an error in the page's data or similar, so that the page cannot be displayed normally.

3. Exposing the database path

Next, carry out the burst library on the power article system site that was just found. The steps are very simple: just append the characters inc/conn.asp to the root path of the target site address http://www.targent.org/jizhetuan/wenzhangguanli/.

Once the address has been submitted and opened, some error information is displayed. Take a closer look at the error message, as in Figure 2:

Figure 2


From this line of the message: E:\myweb\jizhetuan\wenzhangguanli\inc\database\adfadfasdf.mdb, the database path of the target site can be obtained: http://www. Entering it in the IE address bar easily downloads the website database.

4. Cracking the sensitive information in the database

Open the downloaded database adfadfasdf.mdb and you can see that it contains many tables. The most important is probably the Admin table, which stores the back-end administrator's account and password. Double-click to open the Admin table; it has roughly 3 columns: ID, Username, Password, that is, ID number, user name and password. The password value looks like: 04f07d36066c3d37. This is the md5-encrypted password hash, as shown in Figure 3. Brute force is needed to get the original password, and the brute-force method is also very simple. The tool used is the cracking software md5.exe, a brute-force tool that can crack a specified md5 password in a variety of modes.

Figure 3


Open a CMD command line window and enter the command md5.exe to see the help, as shown in Figure 4.

Figure 4


Following the help, use pure-digit mode here to crack the md5 password: 04f07d36066c3d37. Enter the crack command: md5.exe 1 1c773f3f8dc8b4be 10, where 10 limits the pure-digit search to 10 digits or fewer. Press Enter and cracking begins.

Two, effectively preventing the burst library

The steps and principles of the burst library were explained in detail above. In fact, it boils down to two causes:

  1. conn.asp and the files that call it, such as INDEX.ASP, are not in the same directory, so submitting a malicious burst library request causes the database path to be revealed.

  2. conn.asp connects to the database with a relative path, i.e. of the form /data/"asdfasdf".mdb, and conn.asp has omissions in its programming.

As a site administrator, does your site have this vulnerability too? If it does, take preventive measures quickly. There are the following ways to fix a site's burst library vulnerability:

  1. Change the directory where conn.asp is stored, so that it is kept in the directory that holds the database file, for example in the database directory. However, because changing the path of conn.asp affects many other asp files, this modification is very troublesome.

  2. Edit the conn.asp file and add this statement to it: On Error Resume Next, as in Figure 5, so that the database path is no longer revealed and a different error message is displayed instead.

Figure 5
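A sketch of how fix 2 can look inside conn.asp, as an added example that is not the power article system's own code. The file name PLACEHOLDER.mdb, the /database/ virtual path, the Jet provider string and the assumption that the application sits at the site root are all illustrative; the root-relative path also addresses cause 2 above.

```asp
<%
' conn.asp (added example; file name and paths are placeholders)
Dim conn, connStr, dbPath

' Resolve the database from the site root (leading "/") instead of
' relative to whichever page is executing. A direct request to
' inc/conn.asp then resolves the same file as a request that reaches
' conn.asp through index.asp. Assumes the application is at the site root.
dbPath = Server.MapPath("/database/PLACEHOLDER.mdb")
connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbPath

' Fix 2 from the list above: keep the default error page, which prints
' the physical path of the .mdb file, from being sent to the browser.
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

If Err.Number <> 0 Then
    ' Never echo Err.Description here: it is the text that carries
    ' the E:\...\database\....mdb path seen in the error message.
    Err.Clear
    Response.Status = "500 Internal Server Error"
    Response.Write "The database is temporarily unavailable."
    Response.End
End If

' Restore normal error handling so that pages including this file
' do not silently swallow their own errors.
On Error GoTo 0
%>
```

If On Error Resume Next is added without the Err.Number check and the closing On Error GoTo 0, the page-level code of every file that includes conn.asp keeps running after a failed connection and hides its own errors as well.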