Build your own IIS to find ASP program vulnerabilities

Source: Internet
Author: User
Tags: file upload, html form, iis, microsoft, website
Teacher (looking pleased): "Rookies, the wheel has turned and today it's my turn to teach. Aren't you going to welcome me?"
Students: "Dizzy... that's easy to say, but how come it's your turn to be the teacher? Why you?"
Teacher (angrily): "Why? Hmph, if I don't teach you a lesson you won't believe I can be a teacher! Little A, Little K, look at your faces, are you defying me? Believe it or not, I'll DDoS both your personal homepages right now!"
Little A and Little K: "Sweat... DDoS our personal homepages... you're ruthless! Fine, fine, you're the teacher!"
Teacher (smugly): "That's better. If the students don't obey the teacher, how am I supposed to give this lesson? OK, class begins!"
Student D: "Teacher, what are you going to talk about today?"
"Dizzy, I only remembered yesterday that I'm the teacher today and forgot to prepare a lesson..." The teacher breaks into a cold sweat, but a teacher is, after all, well-informed and not easily caught out. "Well then, since I'm confident enough to be the teacher, I'm naturally not afraid of whatever questions you throw at me. You have 5 minutes to discuss how to make things hard for the teacher today!"
The students discussed...
5 minutes later, student F summed up the discussion: "Teacher, the PowerEasy site management system is very good these days. We are all using it to build our own sites, it's powerful! Are there any new holes in it to exploit?"
Teacher: "Well, since everyone is interested in PowerEasy, let's have a look. PowerEasy makes three products, MyPower, FreePower and PowerEasy, and they are all very nice things. With them we can easily build personal websites and company websites, and by now PowerEasy is no longer just an article management system, it can run download sites and picture sites too! Because it is so powerful, more and more people use it. For example, www.77169.com, which we often visit, runs on this system."
"Teacher, don't talk about that. We all know what features it has and we're not interested. We want to know whether it can be hacked!"
"Ah, you students, you know, doing bad things..."
The teacher opens the notebook computer on the desk and downloads the newest "PowerEasy Site Management System Ver4.03" from the official site, www.asp163.net. "So as not to damage other people's websites, we'll build a test environment on this machine for the demonstration."
"Teacher, the downloaded files are ASP, how do you open them? With Notepad?" student Little Z asks cautiously.
"Dizzy, in my rookie hacker class there are still students like this? I've hit the jackpot, I'm going to buy a lottery ticket." The teacher is really helpless; someone actually asked how to open an ASP file...
"Then I'll explain it properly. The web pages we usually browse are mostly HTML and ASP. I won't explain HTML, everyone in this class understands that. ASP is different: it is executed on the remote server. When we browse an ASP page on Microsoft's website, the scripts on that page run on Microsoft's server and the result is returned to us as HTML. With ASP you can easily build dynamic pages."
"So how do we browse ASP sites ourselves? Microsoft gives us a simple solution: use IIS as the web server, which supports ASP by default. In Control Panel, 'Add/Remove Programs', choose 'Add/Remove Windows Components', then 'Internet Information Services', and keep clicking Next until it finishes. After that, go to 'Programs, Administrative Tools, Internet Services Manager'. For local testing we can just use the 'Default Web Site', or of course create a new site. This is the main IIS window:"
[screenshot: the IIS main window]
"Choose 'Properties'; there are three places to set. 1. 'Web Site': under 'IP address' select your own computer's IP. 2. 'Home Directory': under 'Local path' select the directory you extracted the download into; if you want to be lazy, extract your ASP files into the Inetpub\wwwroot directory on the system drive. 3. 'Documents' sets the default file shown when the site's home directory or a subdirectory is opened. For example, if you add 'index.asp', then opening a folder on your site shows the contents of that file by default."
"Can I set this default document to my own name?" Little A asks. "Like a.htm or a.asp?"
"Of course, as long as you add that document here. If you add both, whichever is listed higher is tried first; there is a priority order," the teacher says.
[screenshot: the Documents tab]
"The default document of the 'PowerEasy Site Management System Ver4.03' we downloaded is index.asp, so we just add index.asp under 'Documents'. Next we unzip the package and put the files from the free version's wwwroot folder there; of course you can also specify a dedicated folder, which is better for security."
"Teacher, hurry up, when can we see the site?"
"Right away, don't rush." The teacher drinks a cup of tea to wet his throat. "Well, after extracting the program into the folder, open the browser and enter your IP address plus the name of the installation file. For example, I enter http://192.168.1.9/Install.asp. The program asks you for the site name, copyright notice and so on; fill them in as you like and click Next. Remember to delete install.asp after running it, otherwise people with ulterior motives will use it."
"Yes, sir! And then what?" A bunch of rookies stare at the teacher with expectant eyes.
"Then open the browser, enter your IP, and you can see the site!"
"It really works! Let's add articles now!" Little C and Little D are all excited.
"But..." the teacher deliberately slows down.
"But what, teacher? Can't it run?"
"Of course it can run. But what I'm really talking about today is how to get this article system's physical path. This hole was only just discovered and hasn't been told to anyone yet!"
All the rookies perk up: "Teacher, tell us quickly!"
"Well, here's how it goes. On the site we just built, everyone register an account, then click 'Publish Article'. The page for entering the article content appears; see the box reminding you that you can upload a file?"
[screenshot: the article editor with the upload box]
"Right-click between the 'Browse' and 'Upload' buttons, choose View Source, and find the following lines:"
<form action="upfile_article.asp" method="post" name="Form1" onsubmit="return Check()" enctype="multipart/form-data">
<input name="FileName" type="file" class="tx1">
"Change them to the following. The action becomes an absolute URL, because the saved page will no longer be served from the site, and the file input is duplicated with the same name:"
<form action="http://192.168.1.9/editor/upfile_article.asp" method="post" name="Form1" onsubmit="return Check()" enctype="multipart/form-data">
<input name="FileName" type="file" class="tx1">
<input name="FileName" type="file" class="tx1">
"Then save the page to the desktop as an .htm file. Save the whole page source rather than just these lines, so that the Upload button and the Check() function still exist; otherwise the form has nothing to submit with."
"Teacher, what is this for? Why change the code just to add an article? It looks like a cross-site attack," a rookie asks.
"Oh, a bit like that," the teacher says with a smile. "Now open the file we just modified; there are two file input boxes:"
[screenshot: the saved page with two file boxes]
"Pick two image files, they can even be the same one, then click Upload. What happens?"
[screenshot: the ASP error page showing the physical path]
"Wow, the physical path!" The rookies all cheer.
"Oh, the version we are testing is the latest, 4.03; you can try other versions too," the teacher says. "Now discuss freely for 10 minutes and then give me a summary."
10 minutes later...
"Well, tell me what you found; there's progress in exchanging ideas!"
Little A: "Me first! The program has to be PowerEasy... (Obvious nonsense!)"
Little E: "You must be logged in to the system, otherwise you can't upload files!"
"And I have the best insight!" Little K shouts. "The hole is in inc/upfile_class.asp and upfile_article.asp. In my tests, every file that calls inc/upfile_class.asp, upfile_article.asp, upfile_softpic.asp and so on, works!"
"Also," says Little D, who was always slow to act, "to succeed, the server must not mask Microsoft VBScript runtime error messages. For example, using this method on China's site only gives 'An error occurred on the server when processing the URL. Please contact the system administrator.' That depends on how the administrator configured IIS."
"Good. From the error text 'This key is already associated with an element of this collection' we can tell that the problem is mainly that /inc/upfile_class.asp does not handle duplicate submissions. When we submit two files at the same time, two file records are written into the same collection (the 'collection' the error message refers to), but the program only allows for one uploaded file, so the first write succeeds and the second inevitably errors out. The error page is what exposes the site's physical path."
"Well, you've all done very well," the teacher is very satisfied with the lesson. "Today's homework: go back and test the other two PowerEasy products; MyPower 3.51 and FreePower 3.62 have this problem too! And PowerEasy is probably not the only program with this problem; experiment with that yourselves after class. Class dismissed! Goodbye, boys and girls!"
"Goodbye, teacher!"...
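As an added example (not from the original article and not PowerEasy's own code), the following Python puts the whole lesson in one place: what the doubled-FileName form sends, the duplicate-key failure the teacher diagnoses in upfile_class.asp, the difference that masking detailed ASP errors makes, and the check a tester runs on the response. The site root D:\wwwroot\PowerEasy, the "Title" field, the sample image bytes and the error page text are constructed for the demonstration; the two handlers are models of the behaviour described above, not the real upfile_class.asp.

```python
import re

# --- client side: what the edited .htm form submits ---------------------------

def build_multipart(fields, files, boundary="----rookieboundary7d81"):
    """Build a multipart/form-data body the way a browser does for the edited
    form. `files` is a list of (field_name, filename, content_bytes); two
    entries both named "FileName" reproduce the doubled <input type="file">."""
    body = bytearray()
    for name, value in fields:
        body += (f'--{boundary}\r\nContent-Disposition: form-data; '
                 f'name="{name}"\r\n\r\n{value}\r\n').encode()
    for name, filename, content in files:
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream'
                 f'\r\n\r\n').encode()
        body += content + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    return bytes(body), boundary


_DISP = re.compile(r'\bname="([^"]*)"(?:;\s*filename="([^"]*)")?')

def parse_multipart(body, boundary):
    """Minimal splitter for the bodies built above (not a full RFC 7578
    parser). Yields (field_name, filename_or_None, content_bytes)."""
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter
        head, _, content = chunk[2:].partition(b"\r\n\r\n")  # drop CRLF after delim
        m = _DISP.search(head.decode("latin-1"))
        yield m.group(1), m.group(2), content[:-2]  # strip CRLF before next delim


# --- server side: the failure mode the teacher diagnoses ----------------------

SITE_ROOT = r"D:\wwwroot\PowerEasy"   # constructed physical path for the demo

def vulnerable_upload(body, boundary, detailed_errors=True):
    """Model of upfile_class.asp as the article describes it: every part is
    Add()ed to a Scripting.Dictionary keyed by field name, so the second
    FileName part raises VBScript run-time error 457. Returns (status, page)."""
    form = {}
    try:
        for name, filename, content in parse_multipart(body, boundary):
            if name in form:                        # Dictionary.Add, duplicate key
                raise KeyError(name)
            form[name] = (filename, content)
    except KeyError:
        if detailed_errors:                         # IIS sends detailed ASP errors
            # Constructed imitation of the error page the screenshot shows
            return 500, ("Microsoft VBScript runtime error '800a01c9'\r\n"
                         "This key is already associated with an element "
                         "of this collection\r\n"
                         f"{SITE_ROOT}\\inc\\upfile_class.asp\r\n")
        return 500, ("An error occurred on the server when processing the URL. "
                     "Please contact the system administrator.")
    return 200, "upload ok"


def hardened_upload(body, boundary):
    """Same handler with the two fixes: reject a repeated field before it
    reaches the dictionary, and never echo internals to the client."""
    form = {}
    for name, filename, content in parse_multipart(body, boundary):
        if name in form:
            return 400, "bad request: repeated form field"
        form[name] = (filename, content)
    if sum(1 for filename, _ in form.values() if filename) != 1:
        return 400, "bad request: exactly one file expected"
    return 200, "upload ok"


# --- tester side: spotting the leak in the response ---------------------------

_VBS_ERROR = re.compile(r"Microsoft VBScript (?:runtime|compilation) error", re.I)
_WIN_PATH = re.compile(r"[A-Za-z]:\\(?:[^\\\s<>\"']+\\)*[^\\\s<>\"']+")

def path_leaks(page):
    """Windows physical paths disclosed by a VBScript error page (empty if the
    page is not an error page or the error is masked)."""
    return _WIN_PATH.findall(page) if _VBS_ERROR.search(page) else []


def demo(detailed_errors=True):
    """Submit the doubled-FileName form to both handlers; returns
    (vulnerable_status, leaked_paths, hardened_status)."""
    body, boundary = build_multipart(
        fields=[("Title", "test article")],         # constructed text field
        files=[("FileName", "a.gif", b"GIF89a\x00"),
               ("FileName", "b.gif", b"GIF89a\x01")])
    v_status, v_page = vulnerable_upload(body, boundary, detailed_errors)
    h_status, _ = hardened_upload(body, boundary)
    return v_status, path_leaks(v_page), h_status


if __name__ == "__main__":
    print(demo())                       # detailed errors on: the path leaks
    print(demo(detailed_errors=False))  # errors masked: still a 500, no path
```

Running the file shows both of Little D's and the teacher's points: with detailed ASP errors on, the duplicate field turns into a 500 whose page carries a path; with them masked, the request still fails (the bug is unchanged) but nothing useful comes back, which is the IIS setting that separates the two cases. The hardened handler rejects the repeated field before anything reaches the dictionary and returns a generic message, so neither setting leaks anything.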


