Many users have run into the embarrassing situation where a security vulnerability in the server leads to data loss or to permissions being obtained illegally. "Server" here mainly means the WEB server, database server, DNS server and MAIL server that hold a website's data. Below are the main reasons a WEB server gets trojaned or hacked, together with the solutions.

These can be roughly divided into two aspects: the server itself and the website itself.

On the server side:
1. SQL database injection vulnerability.

This vulnerability is quite common, for example ASP+Access injection, ASP+MSSQL injection, ASPX+MSSQL injection, and so on.
An injection vulnerability arises mainly when the ASP program connects to the database without filtering user input, so that SELECT, FROM, UPDATE and other statements can be used to execute arbitrary SQL. If the vulnerable site uses Access, only queries can be run, because Access is an encapsulated file database. MSSQL is different: it has many weaknesses to be abused, such as poorly assigned permissions, exploitation of SQL features combined with weak privileges, directory listing, differential backup of LOG files, cross-database queries, CMD command-line execution, and MSSQL's exec and similar commands.

The way to prevent this vulnerability is to reject any characters appended to a GET parameter, for example " and 1=1" and the like. There are many anti-injection programs on the web. Also pay attention to the less obvious injection characters, such as the quotation mark and "%". Characters can be transcoded: many encodings can be converted, HTML encoding for example, and tools such as WinHex can defeat a lot of anti-injection scripts.

Microsoft's MSSQL is built on the Windows platform and supports two ways of authenticating users: MSSQL accounts and Windows authentication. This is where the extreme insecurity lies. If an attacker obtains system privileges, he can change the administrator password, then use that password with Windows authentication to log in to the local MSSQL and access any database, modifying or deleting data at will. He can also create a SQL account with SYSTEM ADMIN privileges.

Here is a general solution. When creating an MSSQL management account, remember not to use the default login mode: in default mode MSSQL allows Windows user authentication, so configure it so that only MSSQL accounts can be used. Delete xp_cmdshell and similar extended stored procedures. Set permissions on each disk and do not allow MSSQL direct access to the root directory of a drive. Make the WEB directory name as complex as possible; do not use names such as Vhost or wwwroot.
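To make the two points above concrete, an added example that is not part of the original article: it uses a constructed in-memory SQLite table (standing in for the ASP+MSSQL/Access setup) to show that a character blocklist applied to the raw GET value is defeated by HTML encoding when the application decodes afterwards, while a parameterized query is unaffected. Table contents, the blocklist and the function names are assumptions.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's user table (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

# A blocklist of the kind the text describes, checked against the raw GET value.
BLOCKLIST = (" and 1=1", "'", "%")

def filter_passes(raw_param: str) -> bool:
    low = raw_param.lower()
    return not any(token in low for token in BLOCKLIST)

def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the ASP-style query built by string concatenation."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep the input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def compare(raw_password: str) -> dict:
    """Run one GET value through the filter, then decode, then both login versions.
    Decoding after the filter has run is what lets the encoded form through."""
    conn = make_db()
    passed = filter_passes(raw_password)
    decoded = html.unescape(raw_password)  # application decodes after filtering
    return {
        "filter_passed": passed,
        "concat_login": passed and login_concat(conn, "admin", decoded),
        "param_login": passed and login_param(conn, "admin", decoded),
    }

if __name__ == "__main__":
    print(compare("correct-horse"))     # legitimate login works in both versions
    print(compare("' OR 1=1 --"))       # raw quote trips the blocklist
    print(compare("&#39; OR 1=1 --"))   # encoded: filter passes, only concat logs in
```

The third call is the case the text warns about: the blocklist never sees the quote, and only the parameterized query refuses the login.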