I. Introduction
Microsoft Active Server Pages (ASP) is a server-side scripting environment for creating and running dynamic, interactive web server applications. With ASP you can combine HTML pages, script commands and ActiveX components to build interactive web pages and powerful web-based applications.
Today many websites, especially e-commerce sites, use ASP for their front end, so ASP is very common in web applications.
ASP is a quick tool for developing web applications, but some webmasters see only its rapid development capabilities and ignore its security problems. ASP has been hit by many vulnerabilities; the %81 nightmare, password verification flaws, IIS vulnerabilities and the like have repeatedly shocked ASP website developers.
This article approaches ASP security from two angles, operating system vulnerabilities and the ASP programs themselves, explains the problems and offers solutions or suggestions.
II. Keywords
ASP, network security, IIS, SSL, encryption.
III. How ASP works
Active Server Pages technology gives application developers an intuitive, fast and efficient script-based development method and greatly improves development efficiency. Before discussing ASP security issues, let's look at how ASP works.
An ASP script is a plain text file in which script code (currently VBScript and JScript are supported), enclosed in special delimiters, is mixed with a standard HTML page. When an end user accesses an ASP-based application with a web browser, the browser sends an HTTP request to the web server. The web server analyses the request, determines that it is for an ASP script and, through the ISAPI interface, automatically invokes the ASP interpreter asp.dll. asp.dll fetches the specified ASP script file from the file system or its internal cache, parses it and executes it. The result is HTML content that is returned through the web server along the same path to the browser, which presents it to the client. This completes one ASP script call; several related ASP script calls together form a complete ASP application.
The environment needed to run ASP:
Microsoft Internet Information Server 3.0 / 4.0 / 5.0 on NT Server
Microsoft Internet Information Server 3.0 / 4.0 / 5.0 on Windows 2000
Microsoft Personal Web Server on Windows 95/98
Microsoft IIS with the Windows NT Option Pack provides powerful features, but IIS is also the more exposed in terms of network security. Since few people use Windows 95/98 as a server, this article discusses IIS security issues on NT.
IV. Microsoft's claimed security advantages
Although our focus is ASP vulnerabilities and back doors, it is necessary to talk about the "advantages" of ASP in network security, because sometimes these Microsoft-claimed "advantages" are exactly where its security risks hide.
Microsoft says a major security advantage of ASP is that users cannot see the ASP source: the ASP engine executes the script and sends only standard HTML statements to the client browser. "Shielding" the source protects the ASP developer's copyright. Imagine having written a very good program that anyone can copy; how would you feel? Hackers can also analyse your ASP program and pick out its vulnerabilities. More importantly, some ASP developers like to write passwords, privileged user names and paths directly in the program, so anyone who reads the code can find the "entrance" to the system by guessing from the code and the paths. However, many vulnerabilities that allow viewing ASP source have been discovered, and we discuss them later. IIS supports virtual directories, managed through the "Directory" tab of the server properties dialog. Setting up virtual directories is very important for managing a web site. A virtual directory hides important information about the site's directory structure: since a visitor can obtain a page's file path simply by selecting "View Source", using physical paths in web pages exposes important information about the site's directories and makes the system easy to attack. Second, as long as two machines have the same virtual directory, a web page can be moved from one machine to the other without any change to the page code. Also, when pages are placed in a virtual directory, you can set different properties on the directory, such as Read, Execute and Script. Read access means the directory's contents are passed from IIS to the browser; Execute access allows executable files in the directory to run. To use ASP you must set the directory containing the .asp files to "Execute".
It is recommended that when you set up a web site, you place HTML files and ASP files in different directories, set the HTML subdirectory to "Read" and the ASP subdirectory to "Execute". This is not only convenient for managing the web site but, more importantly, improves the security of the ASP programs by preventing their contents from being read by visitors.
V. ASP vulnerability analysis and solutions
Some people say the safest computer is one with no outside connection; a computer that closes all ports and provides no services is also the safest. Hackers usually attack through the ports we open, and the most common such attack is DDoS (distributed denial of service). Below I list more than 20 ASP vulnerabilities, each with a description and a solution.
1. Adding a special symbol after the ASP file name reveals the ASP source
Affected versions:
Win95 PWS
IIS 3.0
Win98 PWS4 does not have this vulnerability.
IIS 4.0 and above do not have this vulnerability.
Problem Description:
These special symbols include a trailing period, %81 and ::$DATA, for example:
http://someurl/somepage.asp.
http://someurl/somepage.asp%81
http://someurl/somepage.asp::$DATA
http://someurl/somepage.asp%2E
http://someurl/somepage%2E%41SP
http://someurl/somepage%2E%ASP
http://someurl/msadc/samples/selector/showcode.asp?source=/msadc/samples/../../..../../../../..../../../../../...ini (shows the contents of boot.ini)
On IIS 3.0 and Win95 PWS the source of somepage.asp is easily seen in the browser this way. What causes this terrible vulnerability? The root cause is the peculiar behaviour of the Windows NT file system. As everyone knows, NT provides a file system completely different from FAT: NTFS. This "new technology file system" gives NT a strong security mechanism, but it has also produced many hidden dangers. Not everyone knows that NTFS supports multiple data streams in a single file, and the main stream containing the file's entire content is called "$DATA"; this property of NTFS makes it possible to fetch the script inside the file directly from the browser. The reason ::$DATA works, however, is a problem in how IIS parses the file name: it does not canonicalise the name.
Solutions and recommendations:
If you are a Windows NT user, install IIS 4.0 or IIS 5.0; Windows 2000 does not have this problem. If you are a Win95 user, install Win98 and PWS 4.0.
2. Access MDB databases may be downloaded
Problem Description:
When you use an Access database, if someone knows or guesses, by whatever means, the path and file name of the database on the server, he can download the Access database file. This is very dangerous. For example, if your Access database book.mdb is placed in the Database directory under the virtual directory, someone can type into the browser:
http://someurl/Database/Book.mdb
If book.mdb was not encrypted in advance, all the important data in it is then in someone else's hands.
Solution:
(1) Give your database file a complex, unconventional name and put it several directory levels down. "Unconventional" means, for example, that if the database stores information about books, don't name it book.mdb; use a strange name such as D34ksfslf.mdb, and put it in a directory several levels deep such as ./kdslf/i44/studi/. A hacker then cannot get your Access database file by guessing.
(2) Do not write the database name in the program. Some people like to write the DSN in the program, like this:
dbpath = Server.MapPath("cmddb.mdb")
conn.Open "Driver={Microsoft Access Driver (*.mdb)}; DBQ=" & dbpath
If someone obtains your source, the name of your Access database is plainly visible. So I suggest you set up the data source in ODBC and write this in the program instead:
conn.Open "shujiyuan"
(3) Use Access to encode and encrypt the database file. First select "Tools -> Security -> Encrypt/Decrypt Database", select the database (for example EMPLOYER.MDB) and confirm; in the "Save Encrypted Database As" window that appears, enter for example Employer1.mdb. Employer.mdb is then encoded into Employer1.mdb. Note that this action does not set a password on the database; it only encodes the database file, so that others cannot view its contents with other tools.
Next we encrypt the database. First open the encoded Employer1.mdb, choosing "Exclusive" mode when opening. Then select "Tools -> Security -> Set Database Password" from the menu and enter the password.
Once Employer1.mdb has a password, Access requires the correct password before opening the database file.
In the ASP program, add the PWD parameter to the Open method of the Connection object, for example:
param = "Driver={Microsoft Access Driver (*.mdb)}; PWD=yfdsfs"
param = param & "; DBQ=" & Server.MapPath("Employer1.mdb")
conn.Open param
This way, even if someone obtains the Employer1.mdb file, without the password he cannot read its contents.
3. code.asp leaks ASP source
Problem Description:
A very simple example: Microsoft's ASP 1.0 ships a .asp file specifically for viewing the source of other .asp files, aspsamp/samples/code.asp. If someone puts this program on the server, he can easily view other people's programs, e.g.:
code.asp?source=/directory/file.asp
But this is a fairly old vulnerability, and I believe it is rare by now.
The following is relatively new:
http://someurl/iissample/exair/howitworks/code.asp?/lunwen/soushuo.asp=xxx.asp
The biggest danger is that the .asa file can be read in this way, exposing the database password in plain text.
Solution or suggestion:
Delete the ASP sample files bundled with IIS that display ASP code, or disable access to that directory.
4. FileSystemObject can tamper with any file on a FAT partition
Problem Description:
In IIS3 and IIS4, ASP can perform file operations through FileSystemObject, including reading and writing text files, directory operations, and copying and renaming files. This powerful feature also leaves a very dangerous "back door": FileSystemObject can be used to tamper with any file on a FAT partition. Even on an NTFS partition, if permissions are not set properly it can still do damage, and you may suffer a disaster. Unfortunately, many webmasters only know how to keep the web server running and rarely configure permissions, and the default NT directory permissions are frighteningly lax. So if you are a webmaster, pay close attention to the server settings: build the web directories on an NTFS partition, do not grant Everyone Full Control, and even members of the Administrators group generally need nothing more than Read and Change permissions. You can also delete or rename the FileSystemObject component.
5. Entering standard HTML or JavaScript statements changes the output
Problem Description:
What happens when a standard HTML statement is entered in an input box?
For example, in a guestbook message we write:
Hello there!
If your ASP program does not block HTML statements, this changes the size of the "Hello" font. In a guestbook, changing the font size or adding a picture is sometimes not a bad thing; it can make messages more lively. But if you write a JavaScript loop in the input box, for example: extra big news
then any other visitor viewing the message need only move the mouse over "Extra big news" and the user's browser hangs in the infinite loop.
Solutions and recommendations:
Programs of this kind should handle such input properly, for example by checking the client's input and blocking all HTML and JavaScript statements.
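As an added example (not code from the original article), the following Python encodes a guestbook message so that HTML metacharacters are shown literally, and then re-enables only a small allowlist of attribute-less formatting tags so that the "make the message more lively" use the author mentions still works while any tag carrying an attribute such as onmouseover stays inert. The allowlist and the sample messages are constructed for this example; in classic ASP the equivalent of the strict encoding step is Server.HTMLEncode.

```python
import html
import re

# Tags allowed to survive encoding. Only bare, attribute-less tags are
# restored, so an event handler attribute can never come back to life.
# This allowlist is an assumption for the example, not the article's.
ALLOWED_TAGS = ("b", "i", "u")

_ALLOWED_RE = re.compile(
    r"&lt;(/?)(" + "|".join(ALLOWED_TAGS) + r")&gt;", re.IGNORECASE
)


def strict_encode(text: str) -> str:
    """Encode every HTML metacharacter (<, >, &, ", ').

    This is the 'block all HTML and JavaScript' option: whatever the
    visitor typed is displayed as text and never parsed as markup.
    """
    return html.escape(text, quote=True)


def encode_message(text: str) -> str:
    """Encode everything, then restore only exact allowlisted tags.

    Because the regex matches the already-encoded form '&lt;b&gt;' and
    nothing else, '<b onclick="...">' does not match and stays encoded.
    """
    escaped = strict_encode(text)
    return _ALLOWED_RE.sub(
        lambda m: f"<{m.group(1)}{m.group(2).lower()}>", escaped
    )


def contains_markup(text: str) -> bool:
    """Cheap server-side check for rejecting input outright."""
    return any(ch in text for ch in "<>")


if __name__ == "__main__":
    # Constructed guestbook entries, not real user data.
    samples = [
        "<b>Hello</b> there!",
        '<a href="#" onmouseover="doSomething()">Extra big news</a>',
        "<B>shout</B> & <script>alert(1)</script>",
    ]
    for s in samples:
        print(repr(s), "->", encode_message(s))
```

Everything that is not an exact allowlisted tag is displayed verbatim, so the second sample renders as the literal text of the tag rather than as a link with a mouse handler.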
6. ASP program password verification vulnerability
Vulnerability Description:
Many websites store passwords in a database and use the following SQL for login verification (ASP as the example):
SQL = "select * from user where username='" & username & "' and pass='" & pass & "'"
At this point you only need to construct a special user name and password according to this SQL, such as Ben' or '1'='1, and you can enter pages you have no privilege for. Look at the statement again: the program turns it into
sql = "select * from user where username='Ben' or '1'='1' and pass='" & pass & "'"
OR is a logical operator that tests two conditions; as long as one of them holds, the whole expression holds (is true). So in this statement the original AND verification no longer matters, because '1'='1' is true and the OR therefore returns true. In addition, we can construct the following user names:
username = 'aa' or username <> 'aa'
pass = 'aa' or pass <> 'aa'
In the browser, type into the user name box: aa' or username<>'aa and into the password box: aa' or pass<>'aa; note that neither string begins or ends with a '. This can successfully deceive the system.
Although this latter method works in theory, it is difficult in practice; the following two conditions must both hold.
1. You must know exactly which two fields of the table store the user name and the password; only then can you construct the attack string accurately. In fact this is hard to guess.
2. The system does not validate the strings you entered.
Solution and advice:
Validate the input and handle the single quote character (').
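As an added example (not code from the original article), the following Python reproduces the login query above against an in-memory SQLite table to show both sides of the problem: the concatenated query from the article accepts the constructed user names Ben' or '1'='1 and aa' or username<>'aa, while a parameterised version of the same query rejects them without any quote filtering. The table, the account and the passwords are constructed for this example; in classic ASP the parameterised form corresponds to an ADODB.Command with Parameters instead of a concatenated string.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table mirroring the article's 'user' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, pass text)")
    conn.execute("insert into user values ('Ben', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The article's pattern: SQL built by string concatenation.

    Equivalent to the ASP line
      SQL = "select * from user where username='" & username & "' and pass='" & pass & "'"
    Quotes inside the input become part of the SQL syntax.
    """
    sql = f"select * from user where username='{username}' and pass='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders, the driver binds values as data only."""
    sql = "select * from user where username=? and pass=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run the legitimate login and the two constructed inputs from the
    article through both implementations and report who gets in."""
    conn = make_db()
    return {
        "legit_concat": login_concat(conn, "Ben", "s3cret"),
        "legit_param": login_param(conn, "Ben", "s3cret"),
        # Article's first construction: username Ben' or '1'='1
        "inject1_concat": login_concat(conn, "Ben' or '1'='1", "wrong"),
        "inject1_param": login_param(conn, "Ben' or '1'='1", "wrong"),
        # Article's second construction: aa' or username<>'aa / aa' or pass<>'aa
        "inject2_concat": login_concat(conn, "aa' or username<>'aa", "aa' or pass<>'aa"),
        "inject2_param": login_param(conn, "aa' or username<>'aa", "aa' or pass<>'aa"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} -> {'logged in' if ok else 'rejected'}")
```

With placeholders the single quote needs no special handling at all, which is why parameterisation is the fix to prefer over escaping; escaping the quote remains useful as defence in depth where the data layer offers no parameters.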
7. IIS4 or IIS5 with the Index Server service installed leaks ASP source
Problem Description:
On IIS4 or IIS5 running Index Server, the source of ASP pages and other files can be viewed. Even systems that have been patched against source code disclosure, and systems with no .htw files at all, have the same problem. Obtaining an ASP program's source, or even the source of global.asa, is undoubtedly a very serious security hazard: these files often contain user passwords and IDs as well as the path and name of the database. This is very valuable to an attacker collecting information about the system.
The program source can be seen by constructing the following special request:
http://202.116.26.38/null.htw?CiWebHitsFile=/default.asp&CiRestriction=none&CiHiliteType=full
This only returns part of the file in HTML format, but when you add %20 after the CiWebHitsFile value, as follows:
http://someurl/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=full
you get the program's source code.
(Note: /default.asp is relative to the web root. For a site page http://welcome/welcome.asp the corresponding request is:
http://someurl/null.htw?CiWebHitsFile=/welcome/welcome.asp%20&CiRestriction=none&CiHiliteType=full
)
Since 'null.htw' is not a real file mapped on the system but a virtual file held in memory, removing all real .htw files from your system does not help: requests for null.htw are still handled by webhits.dll, so IIS remains exposed to this vulnerability.
Solution or suggestion:
If the functionality provided by WebHits is required by your system, download the corresponding patch. If it is not needed, simply remove the .htw mapping using the IIS MMC management tool.
The patches are as follows:
Index Server 2.0:
Intel: http://www.microsoft.com/downloads/release.asp?releaseid=17727
Alpha: http://www.microsoft.com/downloads/release.asp?releaseid=17728
Indexing Services for Windows 2000:
Intel: http://www.microsoft.com/downloads/release.asp?releaseid=17726
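Vulnerabilities 1, 2, 3 and 7 above all leave a recognisable trace in the web server's request log: a file name ending in a period or ::$DATA, a %81 or %2E in the path, a request for code.asp or showcode.asp with a source= query, a direct download of a .mdb file, or a .htw request carrying CiWebHitsFile. As an added example (not code from the original article), the following Python scans an IIS W3C extended log for these patterns so an administrator can spot probing for them. The log excerpt is constructed for this example, the column layout is taken from the #Fields header line, and the rules assume the log retains the URL as requested (if IIS has already decoded the path, the %-encoded checks need to be applied before logging).

```python
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt; no real server or client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-05-10 12:00:01 192.0.2.10 GET /default.asp - 200
2000-05-10 12:00:02 192.0.2.10 GET /somepage.asp::$DATA - 200
2000-05-10 12:00:03 192.0.2.11 GET /somepage.asp. - 200
2000-05-10 12:00:04 192.0.2.11 GET /somepage.asp%81 - 200
2000-05-10 12:00:05 192.0.2.12 GET /null.htw CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHiliteType=full 200
2000-05-10 12:00:06 192.0.2.13 GET /msadc/samples/selector/showcode.asp source=/msadc/samples/../../boot.ini 200
2000-05-10 12:00:07 192.0.2.14 GET /Database/Book.mdb - 200
2000-05-10 12:00:08 192.0.2.15 GET /images/logo.gif - 200
"""


def classify(stem: str, query: str) -> list:
    """Return the names of every suspicious pattern a request matches."""
    raw_stem = stem
    dec_stem = unquote(stem).lower()
    dec_query = unquote(query).lower() if query != "-" else ""
    basename = dec_stem.rsplit("/", 1)[-1]
    rules = []
    # Vulnerability 1: NTFS alternate data stream appended to the file name
    if "::$data" in dec_stem:
        rules.append("ntfs-alt-stream")
    # Vulnerability 1: trailing period or encoded characters in the extension
    if raw_stem.endswith(".") or "%2e" in raw_stem.lower() or "%81" in raw_stem.lower():
        rules.append("filename-trick")
    # Vulnerability 3: IIS/ASP sample source viewers
    if basename in ("code.asp", "showcode.asp"):
        rules.append("sample-code-viewer")
    # Vulnerability 7: WebHits .htw request naming a file to 'highlight'
    if dec_stem.endswith(".htw") and "ciwebhitsfile" in dec_query:
        rules.append("webhits-source")
    # Vulnerability 2: direct download of an Access database
    if dec_stem.endswith(".mdb"):
        rules.append("mdb-download")
    # Directory traversal in the path or query (as in the showcode.asp case)
    if ".." in dec_stem or ".." in dec_query:
        rules.append("path-traversal")
    return rules


def scan_log(text: str) -> list:
    """Parse a W3C extended log and return the flagged requests."""
    fields = []
    hits = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; W3C fields never contain spaces
        row = dict(zip(fields, parts))
        rules = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
        if rules:
            hits.append({"ip": row.get("c-ip"), "uri": row["cs-uri-stem"], "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:12} {hit['uri']:40} {', '.join(hit['rules'])}")
```

A status code of 200 on any of these flagged lines is the signal that matters: it means the server actually served the request, so the patch or mapping removal described above has not been applied.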
8. Vulnerabilities in ASP chat room programs
Problem Description:
If a chat room's ASP program is not properly designed, it is easy to abuse it for mischief: kicking people out, "wall-passing" (impersonation) and making trouble.
First let's see what vulnerabilities a chat room has. Look at the following code:
[The chat room HTML the author captured did not survive extraction; only a fragment of the form tag remains: OnSubmit="return chksend();". The author marks the two lines carrying the login name and gender with "*" and the two lines carrying the exit command with "!".]
The code above is what I captured after entering a chat room as the user "tester"; it is only a small part, but this small part already contains two vulnerabilities.
First vulnerability
Look at the two lines marked "*": "tester" in the first is the name I logged in with, and "BOY" in the second is the gender chosen at login. Look also at the two lines I added; they too carry my login name, and they are what I want to say now. To "pass the wall" in this chat room, just save the code of the speech form, change the form's action to the chat room's address, then change "tester" in the first "*" line to the desired name. You can also change gender by changing "BOY" in the second line to "Girl". This is the so-called wall-passing. You can even change it to the name of someone else in the room and then speak, impersonating that person in conversation.
Second vulnerability
The kicking vulnerability is this: look at the first line marked "!", where a legitimate user is logged in, then at the second, which contains "getout" together with the other "!" tag; this is the code sent when we leave the chat room. What does it do? Let's try it: first, again change the form's action to the chat room's address, otherwise the server does not know who submitted the form. Then change "wind" to the name of the person you want to kick and click "Exit", and that person is kicked out of the chat room. This is the chat room kick vulnerability.
The root of both vulnerabilities is that the server program does not verify the identity of the client issuing the command. The two tricks above simply change the name in a speech request or an exit request, so that real users are the ones who suffer.
Of course there is also the vulnerability described earlier: the input box does not filter HTML and JavaScript statements. We analysed this problem under vulnerability 5 and will not repeat it here.
Problem solving or suggestion: