Common ASP Security Vulnerabilities

Source: Internet
Author: User
Tags: website, server

ASP itself has few vulnerabilities, and it is not easy to find the actual location of a site's database. That does not mean attackers cannot reach it: programmers often forget to check carefully for vulnerabilities, and website data may be stolen as a result. This article describes common ASP security vulnerabilities so that you can take effective preventive measures. (Note: Do not try the methods described in this article. Please consciously abide by the network rules. Thank you!)

Microsoft's Internet Information Server (IIS) serves web pages generated dynamically by Active Server Pages (ASP). An ASP file is an HTML page that directly contains program code. A request for an ASP file makes IIS run the code embedded in the page and send only the result back to the browser. A static HTML page, on the other hand, is sent to the browser exactly as it is, without any parsing. IIS uses the file extension to tell the two apart: a file ending in .htm or .html is a static HTML file, while a file ending in .asp is an Active Server Pages file. It is precisely this reliance on the extension that leaves a back door open.

For example, a simple ASP expression can display the time on the server: the date is read from the system and sent as part of the web page. When you open that page in a browser you do not see the program code, only the result of executing it. Among all web security vulnerabilities, perhaps the most important are those that inadvertently expose unparsed file content or program code. Simply put, these vulnerabilities let a user trick the web server into handing over the source code of dynamic pages.

The earliest way people exploited this class of ASP vulnerability was through the NTFS alternate data stream feature of Windows NT. Appending the simplest possible suffix (::$DATA) to the file name was enough to view the original ASP source.

For example, the following URL:
http://10.1.1.11/login.asp::$DATA
returns the unparsed ASP source of the file named login.asp. Because the URL string does not end in .asp, IIS does not recognise the requested file as an ASP file and serves it as plain text.

The displayed program code is as follows (Xxxx marks parts omitted here):
Xxxx
    alert("enter your password!!")
  }
  else {
    document.f1.action = "checkuser.asp"
    document.f1.submit()
  }
}
Xxxx

Note: checkuser.asp is the page that checks the account and password!

Of course, not all source-disclosure vulnerabilities are the fault of the web server software itself. For example, a typical installation of Windows NT Option Pack 4.0 installs Exploration Air, a sample web application provided as a reference for ASP programmers. Its showcode.asp file neatly displays the source of the Exploration Air sample site. Because the program performs no strict permission check, an experienced visitor who can guess a file name and its directory path can use showcode.asp to read any file in the file system.

The attacker only needs to type a URL into the browser that passes the correct file name and directory path as the parameter of showcode.asp. For example, the following URL shows the source of default.asp on the server 10.11.11.15:

http://10.11.11.15/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/.../inetpub/wwwroot/default.asp

/msadc/Samples/SELECTOR/showcode.asp is an FSO (FileSystemObject) sample; its purpose is to show how to use FSO to view ASP source. The program does restrict the files it will show to those under /msadc/samples, but the parent-directory syntax understood by MapPath defeats that check: a series of "../" climbs to the top of the file system, from which files in other directories can be read. Of course, the requesting account must first have read permission on them.

If you run a server yourself, try this link and see whether the files under your root directory are exposed. If they are, you should take action!

One of the vulnerabilities in IIS 5.0 concerns the handler (control module) that parses .htr files. IIS Internet Service Manager uses ism.dll to process .htr files, while ASP files are processed by asp.dll. By exploiting the .htr vulnerability, an attacker can have any file (including .asp and .asa files) handed to ism.dll instead of asp.dll. Because ism.dll is not designed to process ASP tags, it displays the original source code as it is. To exploit the vulnerability, a remote attacker only needs to append +.htr to the end of the URL. For example, to view the source of default.asp on 10.11.11.15, the attacker can use the following URL:

http://10.11.11.15/default.asp+.htr

Then simply choose "View / Source" in the browser's menu bar to see the ASP source. It is that simple, and a firewall cannot block it. Unlike showcode.asp, however, this vulnerability does not allow files outside the website root to be stolen. In addition, if the ASP page uses <% ... %> tags the method does not work very smoothly: output stops when the % sign is reached. Therefore what this vulnerability can steal are ASP files that use <script runat="SERVER">...</script> blocks.

In general, on any website built on IIS, ASP and SQL Server, the file that most interests an attacker is global.asa. It sits in the root directory of the website and contains configuration parameters for the web application: application-defined variables, the database user ID and password, system names, and the address of the database server. Once an attacker obtains global.asa, he holds the key to the entire website.

For example, the URL http://10.11.11.15/global.asa+.htr retrieves the global.asa file from 10.11.11.15. Note the UID and PWD in the database connection string; they hand the attacker a user name and password:

<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
    Set Db = Server.CreateObject("Commerce.DbServer")
    Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
    Db.Application = "http://10.11.11.15/"
    Set Application("Db") = Db
End Sub
Sub Session_OnStart
    '==Visual InterDev Generated - DataConnection startspan==
    '--Project Data Connection
    Session("DataConn_ConnectionString") = _
        "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25;" & _
        "FIL=MS Access;MaxBufferSize=512;PageTimeout=5;"
    Session("DataConn_ConnectionTimeout") = 15
    Session("DataConn_CommandTimeout") = 30
    Session("DataConn_RuntimeUserName") = ""
    Session("DataConn_RuntimePassword") = ""
    '==Visual InterDev Generated - DataConnection endspan==
End Sub
</SCRIPT>


Microsoft has fixed this security vulnerability.

After the .htr vulnerability was corrected, attackers found a new entry point: the Translate: f vulnerability. The Translate: f header is part of the WebDAV support that Microsoft designed for FrontPage 2000 and the FrontPage 2000 Server Extensions on Windows 2000. If a backslash (\) is appended to the requested file resource and the request carries the HTTP header Translate: f, the web server returns the completely unprocessed ASP source code.

Below is an HTTP request sent with Netcat (http://www.l0pht.com/~weld/netcat/) that obtains the source of default.asp on 10.11.11.15:

$ nc 10.11.11.15 80
GET /default.asp%5C HTTP/1.0
Host: 10.11.11.15
User-Agent: Mozilla/4.0
Content-Length: 18
Content-Type: text/html
Translate: f

Match=www&errors=0

Note: %5C in the GET request is the hexadecimal ASCII code of the backslash (\). The method works for both ASP and ASA files. Servers running IIS on Windows 2000 with the FrontPage Server Extensions installed are affected. If you want to learn more about this vulnerability, see http://www.securityfocus.com/bid/1578; Microsoft has published a patch for it.
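As an added defensive example (not part of the original article), the following Python function inspects an incoming request for the four source-disclosure patterns described above: the ::$DATA stream suffix, showcode.asp with directory traversal, the +.htr handler trick (including against global.asa), and the trailing backslash combined with a Translate: f header. The rule names, the classify_request function and the sample requests are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Each rule is (name, predicate) over the decoded, lower-cased path, the raw
# query string and the lower-cased header map. Names are made up for this example.
RULES = [
    # login.asp::$DATA: NTFS alternate data stream suffix hides the .asp extension
    ("ntfs-stream-suffix", lambda p, q, h: "::$data" in p),
    # default.asp+.htr or global.asa+.htr: routes the file to ism.dll instead of asp.dll
    ("htr-handler-bypass", lambda p, q, h: re.search(r"\.as[pa][+ ]?\.htr$", p) is not None),
    # showcode.asp?source=...: any parent-directory reference in the parameter
    ("showcode-traversal", lambda p, q, h: p.endswith("/showcode.asp") and ".." in unquote(q)),
    # any request that names global.asa at all deserves attention
    ("global-asa-request", lambda p, q, h: "global.asa" in p),
    # default.asp%5C plus "Translate: f": WebDAV returns the raw source.
    # Note: standard IIS W3C logs do not record this header, so log-based
    # detection has to rely on the trailing backslash alone.
    ("translate-f-backslash", lambda p, q, h: p.endswith("\\")
                                             and h.get("translate", "").strip().lower() == "f"),
]


def classify_request(method, raw_target, headers):
    """Return the names of all source-disclosure rules matched by one request."""
    path, _, query = raw_target.partition("?")
    path = unquote(path).lower()          # %5C -> "\", mixed case normalised
    hdrs = {k.lower(): v for k, v in headers.items()}
    return [name for name, hit in RULES if hit(path, query, hdrs)]


# Constructed sample traffic: the article's examples plus one benign request.
SAMPLE_REQUESTS = [
    ("GET", "/login.asp::$DATA", {}),
    ("GET", "/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../inetpub/wwwroot/default.asp", {}),
    ("GET", "/default.asp+.htr", {}),
    ("GET", "/global.asa+.htr", {}),
    ("GET", "/default.asp%5C", {"Host": "10.11.11.15", "Translate": "f"}),
    ("GET", "/default.asp", {"Host": "10.11.11.15"}),
]


def scan(requests=SAMPLE_REQUESTS):
    """Map each request target to the rules it triggers (empty list = clean)."""
    return {target: classify_request(m, target, h) for m, target, h in requests}


if __name__ == "__main__":
    for target, hits in scan().items():
        print(f"{'ALERT' if hits else 'ok   '} {target} {hits}")
```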

Conclusion:

Carelessness when setting up the system and when programming is the main cause of such leaks. To reduce the exposure of your web servers to vulnerabilities of this kind, make sure they carry no sample programs, unnecessary scripts or files that could leak valuable information; install only what you need; check the server regularly with security scanning software; and keep up with the latest system security advisories and knowledge online.
