Hi Fravia, I have been following your site for the last one month, all that I can say is: its Fantabulous!! I have read the articles on CGI scripts cracking, but ASP (Active Server Pages) cracking doesnt seem to have been discussed till now. So I thought I should write something about this 'technology' from our Micro$oft's friends... Regds, Indian Maharaja (Indian-Maharaja(at)usa(point)net)
Active Server Page reversing
By Indian Maharaja
Tools Required :
Nothing but your browser .
When M$ launched Windoze NT server, it was trying to compete against existing Unix
platforms.
Since Billy boy couldnt make much progress he had this idea of 'bundling' software, to
snare people who thought that all the software was for 'free'.
One of the many bloatwares that were launched were SQL-Server (an abomination of a rdbms),
IIS (Internet Info server). Now M$ decided CGI was a worthless technology (since they
couldnt control it) , so they laucnhed something called ISAPI (Internet Server Api).
If you look, at the documentation for IIS, it mentions full support for CGI, but you will
find the documentation littered with references as to why Isapi is a million times greater
and better than CGI.
Lets prove the opposite..:-)
So what really is Asp ? Its availlable for download from the M$ website, but it requires
IIS or PWS (personal web server installed). (Install Exe is 9Megs+ if this isnt bloatware
at its best then I am not maharaja).
Basically Asp is a wrapper on Isapi and allows server side scripting using VeeBee Script
or JavaScript (sorry JScript -- m$ version of Javascript).
A vey simple asp script is some thing like :
<HTML> <%Response.Write("Hello")%> </HTML> which will result in a htm => <HTML> Hello </HTML>
which is downloaded to the clients machine, so if I do a view source I can see only the
resultant HTM , and not the Asp code as this translated to HTM on the server and then
sent.
So what people generally do is keep all the code for validating Passwords, redirecting to
hidden pages inside the Asp file , and based on some user input show only the required
things to the user. Even if the user does a view-source he can see only the downloaded
htm. It would be very nice if we could see the Asp source...
There are very many sites using Asp and still more sites using Isapi Dlls.
Since Asp is a wrapper (a filter as the documentation says) on Isapi, it is possible to
write Dlls using VeeCee++ (ver 5.0 has an App-wizard option for that) and Mfc which can
provide lower level functionality.
If you find a page like this www.indianmaharaja.com/default.asp => bulls-eye this site
uses Asp.
If you find a page like this www.indianmaharaja.com/validate.dll?12473636 => most
probably it is an Isapi dll.
So lets get down to business...
1) if you are on an Asp page do this : www.indianmaharaja.com/default.asp::$DATA You will
find that either the Asp code is dispalyed in your browser window (or) a download window
pops up which allows you to download the Asp.
So much for code security. It seems its a bug in Isapi and a fix is availlable at m$
sites. All the micro$oft sites have run this fix :-( . But I found many-many other web
sites , who are still running the unfixed version :-).
2) Next I checked out a site which was using an Isapi dll, I tried doing this :
www.indianmaharaja.com/validate.dll (entering just the name of the dll) -- nope i got a
message : 'Hackers keep off' Too bad, so I tried the trick specified in 1)
www.indianmaharaja.com/validate.dll::$DATA Bingo ! I was able to download the dll.
I racked my brains as to how such a HUGE security hole could be there, I still havent been
able to figure it out. Most probably it is because of lousy coding done by the M$ loving
bozos or it was there for some devious reason known only to M$.
3) The story doesnt end here ... my next assignment was of running Asp on Apache Server
for NT. M$ never provided a version of Asp (i.e.Isapi) for web servers other than IIS. A
company called ChilliSoft provides a version called ChilliAsp which runs on Apache for
NT(I dont know why anybody would want to run Asp in the 1st place).
ChilliAsp availlable for download from M$'s site builder network site. Now if you have an
Asp file with a long file name say :
www.indianmaharaja.com/passwordval.asp
if you type the short file name in the browser
www.indianmaharaja.com/passwo~1.asp -- unbelievably the download window pops up and you
can download the asp script. I have noticed this problem only in the apache version of
asp. Though a fix might be availlable now ( i am not sure), there could be many sites....
4) One more screwup -- that is most commonly done by the person who wrote the Asp scripts
, Sometimes when I do a view source of a .asp file in my browser I get something like this
along with just the html :
<!--#include file = "inc/encrypt.inc"--> <!--#include file = "inc/AdminChk.inc"--> <HTML> . . Other stuff . . </HTML>
What the bozo who created the page has done is include some common .asp code (like
validation routines which are used across pages) in a .inc file . Now if the page being
viewed was : www.indianmaharaja.com/login.asp
just type in : www.indianmaharaja.com/inc/encrypt.inc
your browser will promptly download this file . Open the file and you have something like
this :
<SCRIPT RUNAT=SERVER> Function Encrypt(theStr) .. .. .. End Function </SCRIPT>
what you will see is the complete asp code.
Hope you find this information useful in the continuing battle against billy's boys at
Micro$oft.