Give your FileSystemObject object plus lock

zhaozj2021-02-08  262

It is now more and more free space in China. It is undoubtedly a good momentum for ASP enthusiasts. Security Question. For example, this year's April Fool's Day "Dongguan Window" all the homepage has been attacked by hackers. In fact, this thing is very simple, that is, using the FileSystemObject object, the specific program will no longer discuss. And another more famous site "net" site "net" also has this security vulnerability, which is easy to attack. Not only these security vulnerabilities are available in this security vulnerability, but also this security hazard is also available in many domestic virtual host providers. This is a great harm to commercial users.

So how can we limit users using FileSystemObject objects? An extreme practice is to completely reverse registration to provide the component of the FileSystemObject object, that is, Scrrun.dll. The specific method is as follows:

Type under the MS-DOS State:

Regsvr32 / u c: /windows/system/scrrun.dll

(Note: To change the actual path of your local time when actual operations)

However, it is obvious, if this is done, anyone including the site system administrator will not use the FileSystemObject object, which is not the result of the site management person to get, after all, we can use this object to be convenient Online station management, if the system administrator can't be used, it will not be worthless, but this dangerous object will bring security vulnerabilities to their sites. So there is no way to have a good way? Have! The specific method is as follows:

We can do other people from illegally using the FileSystemObject object, but we can still use this object.

Methods as below:

Find registry

HKEY_CLASES_ROOT / SCRIPTING.FILESYSTEMOBJECT key value

Change it into the string you want (right -> "rename"), such as changes

HKEY_CLASS_ROOT / SCRIPTING.FILESYSTEMOBJECT2

In this way, this object must be referenced in ASP:

SET FSO = CreateObject ("scripting.filesystemObject2)

Can't use:

SET FSO = CreateObject ("scripting.filesystemObject")

If you use the usual way to call the FileSystemObject object, you will not be able to use it.

Oh, as long as you don't tell others, this changed object name, others cannot use the FileSystemObject object. In this way, as a site manager, we will put an illegal use of the FileSystemObject object, and we can still use this object to make it easy to implement the website online management!

(The above method is passed in Win98 PWS and WinNT4 IIS4 Environment)

(Author: Suhongtu Super)

转载请注明原文地址:https://www.9cbs.com/read-1277.html

New Post(0)