Warning about "Put a Lock on Your FileSystemObject Object"

zhaozj2021-02-08  202

The article "Put a Lock on Your FileSystemObject Object" locks the object by renaming HKEY_CLASSES_ROOT\Scripting.FileSystemObject, which is really only a tweak. Many websites have reposted that article, and if a network administrator really relies on it, the consequences are unimaginable.

The way around this lock is as follows:

<%

'Now you can use Objfs.

%>

As the saying goes, the monk can run away, but the temple cannot!

In fact, the FileSystemObject object really is very dangerous. Even with NTFS and strict permission settings, it is difficult to block the vulnerabilities. Two days ago, on a very famous site that supports ASP (this server had added filtering on the parameters of the FileSystemObject object), I used this object and, with some unconventional methods, could see the directories on the server and many important files such as system configuration files and web access records. Later I sent an email to the website describing the vulnerability, but unfortunately I have not received a reply yet.

For FileSystemObject, I think a better way is to uninstall the Scrrun component (of course, IIS's web management function will then no longer be available), and then use a service to stand in for the FileSystemObject object, simulating, filtering, and monitoring it.
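A read-only check for the uninstall step recommended above, added here as an example and not part of the original article: it lists every COM class still served by scrrun.dll and flags the ones whose ProgID key was renamed or removed while the class itself stayed registered. The helper name Get-ScrrunRegistrations is hypothetical; the registry locations are the standard COM class paths.

```powershell
# Added example, not from the original article. Read-only registry audit.
# Get-ScrrunRegistrations is a hypothetical helper name.
function Get-ScrrunRegistrations {
    # Standard COM class locations (64-bit and 32-bit views).
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
             'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($clsidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Keep only classes whose in-process server is scrrun.dll.
            try { $inproc = $clsidKey.OpenSubKey('InprocServer32') } catch { continue }
            if (-not $inproc) { continue }
            $server = [string]$inproc.GetValue('')
            $inproc.Close()
            if ($server -notmatch 'scrrun\.dll') { continue }

            # The class records its ProgID even if the HKCR\<ProgID> key was renamed.
            $progId = $null
            $progIdKey = $clsidKey.OpenSubKey('ProgID')
            if ($progIdKey) {
                $progId = [string]$progIdKey.GetValue('')
                $progIdKey.Close()
            }

            [pscustomobject]@{
                View             = $root
                Clsid            = $clsidKey.PSChildName
                ProgId           = $progId
                Server           = $server
                ProgIdKeyPresent = [bool]($progId -and
                    (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId"))
            }
        }
    }
}

$found = @(Get-ScrrunRegistrations)
if ($found.Count -eq 0) {
    'No class is served by scrrun.dll: the component is unregistered.'
} else {
    $found | Format-Table -AutoSize
    $hidden = @($found | Where-Object { -not $_.ProgIdKeyPresent })
    '{0} class(es) still registered; {1} with a renamed or missing ProgID key.' -f $found.Count, $hidden.Count
}
```

A row with ProgIdKeyPresent set to False means the rename changed only the name: the component is still registered and has not been uninstalled.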

Of course, don't forget that ASP is very powerful, and many components such as Script.Shell are very dangerous. So a website that provides ASP service faces a big challenge. After all, these customers were not the main audience Microsoft considered during development, which also explains why many sites vet applicants strictly.

Author: Fractal (fractal@263.net)

Please credit the original address when reposting: https://www.9cbs.com/read-2587.html
