Hacking Web server through ASP, stealing file corruption

Source: Internet
Author: User
Tags file copy iis access database ntfs permissions
This paper mainly describes the safety problems of Asp/iis and the corresponding countermeasures, and does not advocate the use of the
method to do any damage, or else bring the consequences to the conceited

Through ASP intrusion Web server, steal file Destroy system, this is not sensational ...

Security issues with IIS

1.IIS3/PWS's vulnerability
I have experimented, WIN95+PWS running ASP program, only in the browser address bar add a small dot ASP program will be downloaded down. IIS3 heard that the same problem, but I did not try to come out.

2.IIS4 's vulnerability
IIS4 a well-known vulnerability is:: $DATA, is the ASP's URL after adding these characters, the code can also be seen, using IE view source can see the ASP code. Win98+pws4 doesn't have that problem. There are several solutions, one is to set the directory is not readable (ASP can still execute), so that the HTML file can not be placed in this directory, otherwise HTML can not browse. The second is to install the patch program provided by Microsoft. The third is to install IE4.01SP1 on the server.

3. Problems in support of ASP's free homepage
Your ASP code may be available to someone. ASP1.0 's example has a file to view the ASP's original code,/aspsamp/samples/code.asp if someone put the program up, he can see other people's programs. For example: code.asp?source=/someone/aaa.asp

The Access database you are using may be downloaded by someone. Since the ASP program can be people get, others can easily know where your database, and download it, if the database contains passwords not encrypted, that ... It's dangerous. Webmaster should take certain measures, strictly prohibit the code.asp such programs (seemingly difficult to do, but can regularly retrieve the signature code), limit the MDB download (do not know do not do)

4. Threats from the FileSystemObject
IIS4 ASP file operations can be implemented through the FileSystemObject, including text file read and write directory operations, file copy renamed Delete, but this dongdong is also very dangerous. Using Filesystemobjet can tamper with downloading any file on a FAT partition, even NTFS, if the permissions are not set well, it can also destroy, unfortunately many webmaster only know that the Web server to run, very little NTFS permissions settings. For example, a Web server that provides virtual hosting services, if permissions are not set, users can easily tamper with deleting any file on the machine, or even let NT crash. Program refer to Active Server Explorer on http://www.pridechina.com/chinaasp/, which can browse all files and directories of the unprotected Web server. Webmater The web directory should be built on an NTFS partition, not a web directory, not the Everyone fullcontrol, but the administrator can control.


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.