ASP Hack & Anti-hack (through ASP intrusion Web server, steal file Destroy system, this is not sensational ... )

Source: Internet
Author: User
Tags file copy iis access database
Server|web ASP Hack & Anti-hack

This paper mainly describes the safety problems of Asp/iis and the corresponding countermeasures, and does not advocate the use of the
method to do any damage, or else bring the consequences to the conceited

Through ASP intrusion Web server, steal file Destroy system, this is not sensational ...

Security issues with IIS
1.IIS3/PWS's vulnerability
I have experimented, WIN95+PWS running ASP program, only need to add a decimal point in the browser address bar
The ASP program will be downloaded. IIS3 heard that the same problem, but I did not try to come out.
2.IIS4 's vulnerability
IIS4 a widely known vulnerability is:: $DATA, is the ASP's URL after adding these characters, code
Can also be seen, using IE's view source to see the ASP code. Win98+pws4 doesn't have that problem.
There are several solutions, one is to set the directory to be unreadable (ASP can still execute), so that the HTML file
Cannot be placed in this directory, otherwise HTML cannot be browsed. The second is to install the patch program provided by Microsoft. Three is
Install IE4.01SP1 on the server.

3. Problems in support of ASP's free homepage
Your ASP code may be available to someone.
ASP1.0 's example has a file to view the ASP's original code,/aspsamp/samples/code.asp
If someone put this program up, he can check other people's programs.
For example: code.asp?source=/someone/aaa.asp

The Access database you use may be downloaded by someone
Since the ASP program can be people get, others can easily know where your database is placed,
and download it, if the database contains the password is not encrypted, that ... It's dangerous.
Webmaster should take certain measures to prohibit the code.asp such procedures (it seems difficult to do,
However, you can periodically retrieve the signature code) to restrict the download of the MDB (No, NO)

4. Threats from the FileSystemObject
IIS4 ASP's file operations can be implemented through FileSystemObject, including reading and writing of text files
Directory operations, file copy renamed Delete, etc., but this dongdong is also very dangerous. Using Filesystemobjet
You can tamper with downloading any file on a FAT partition, even NTFS, if permissions are not set, you can also
Destruction, unfortunately many webmaster only know that the Web server is running, and NTFS is rarely set for permissions.
For example, a Web server that provides virtual hosting services, if permissions are not set, users can
Easily tamper with deleting any files on the machine and even let NT crash.
Program please refer to Active Server Explorer on the
This program can browse all files and directories of the unprotected Web server.
Webmater should have web directories built on NTFS partitions, not web directories do not use the Everyone full
control, and it should be the administrator who can control it.

5.ASP applications may face attacks
Bird Homepage on the message, the WWW BBS program has been several times
JavaScript bombs attack, unfortunately they all failed, such as someone wrote 〈script〉do while (true)
alert (); 〈/script〉, but only the source code is displayed. The reason is that the bird's program will 〈〉.
While supporting JavaScript can allow people to use fancy messages with colorful fonts, I'm more focused on the "safety
First ":)

Welcome to the mistake that exists in the original text.
Bird (Veryhard)
Welcome to visit
Home of the birds:

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.