
Friday, 11 November 2011

Windows NT network server, the ASP crisis

Source: Computer World

As everyone knows, free homepage providers generally do not grant directory-browsing permission, for security reasons. To make managing my own web space easier, though, I wrote an ASP program that uses ASP's "Scripting.FileSystemObject" object to browse the files and directories of my own site.

At first I used this program only to check my own files. Then it occurred to me: if this program can browse my own site's files and directories, shouldn't it be able to browse any file or directory on the server? Rather than just wonder, I modified the program slightly to test whether it could browse the server's files and directories.

I first ran the program on the Shantou server. Just as I had expected, every file and directory on the server's hard disk appeared on my screen, as conveniently as if I were working with files and directories on my own machine. I was shaken: reading a server's files and directories turned out to be that easy. Reading the directory structure alone is not much use, however; the point of reading it is to learn where the ASP programs of the web sites on the server are located, so that I can read out their source code. (ASP programs execute on the server, so their source cannot be viewed from the client; all the client sees is the result of executing them.) Because ASP files are plain text, I only need to read an ASP file's contents through the "Scripting.FileSystemObject" object to view its source code.

Homepage providers generally store the server's user information in a database, so once I know the contents of the ASP programs I know some information about that database: what type of database is used (SQL or MS ACCESS), the SQL database's user name and password, the location of the ACCESS database (*.mdb) file, and so on. I then wrote another ASP program that used this information to access the database, which reveals the user information on the server: user names, passwords, ID card numbers, telephone numbers, addresses and other private information. Since many people use the same password everywhere, knowing one of a person's passwords amounts to knowing all of them, for example those for e-mail and Internet access accounts, and so these users' interests are harmed. Later I ran this program on other free homepage providers' servers and found that several of them have these vulnerabilities, including a fairly well-known foreign free homepage provider, domaindlx.com. I am therefore taking this opportunity to publish this vulnerability, so that homepage providers that offer free homepages and allow ASP programs to run will be on guard and quickly put defences in place to prevent similar incidents. (I am a victim too: another user has already used this program of mine to obtain my account name and password and hack my site; compare http://169boy.163.net/ and http://169boy.on.net.cn/.)


These vulnerabilities are not limited to free homepage sites of this kind; virtual hosting offered by ISPs has them too. Any server whose operating system is Windows NT and which lets users run ASP has these vulnerabilities. Virtual hosting also puts many users on the same server, so if one user has bad intentions, every user on that server suffers. I have not tested virtual hosting, but I think the result would be the same, so ISPs that offer virtual hosting need to test carefully. (For certain reasons I cannot publish the source code of the test program.)


In fact, blocking the "Scripting.FileSystemObject" object resolves these vulnerabilities; reading from and writing to a database can take its place. After all, the "Scripting.FileSystemObject" object is not very secure, nor is it indispensable.
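The following is an added example, not part of the original article or its author's test program: a small Python audit that a hosting operator could run over tenants' ASP sources to find the exposures described above, namely scripts that instantiate "Scripting.FileSystemObject" and database passwords or .mdb paths that would leak if the source were read. The file names, rule names and sample contents are constructed for illustration.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    path: str
    line: int
    rule: str

# Rules mirror what the article says is exposed on a shared ASP host.
RULES = {
    # Script creates the file-system COM object (with or without "Server.").
    "fso-instantiation": re.compile(
        r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    # Connection string carrying a non-empty inline password.
    "inline-db-password": re.compile(r'\b(?:pwd|password)\s*=\s*[^;"\s]+', re.I),
    # Access database file referenced by path.
    "mdb-path": re.compile(r'[\w:\\/.\-]+\.mdb\b', re.I),
}

def strip_vbscript_comment(line: str) -> str:
    """Drop a trailing ' comment, ignoring apostrophes inside string literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def audit_asp(sources: dict[str, str]) -> list[Finding]:
    """Return one Finding per (file, line, rule) hit, in sorted file order."""
    findings = []
    for path, text in sorted(sources.items()):
        for lineno, raw in enumerate(text.splitlines(), start=1):
            code = strip_vbscript_comment(raw)
            for rule, pattern in RULES.items():
                if pattern.search(code):
                    findings.append(Finding(path, lineno, rule))
    return findings

# Constructed sample files (not from the article).
SAMPLE = {
    "site_a/browse.asp": 'Set fso = Server.CreateObject("Scripting.FileSystemObject")\n'
                         "' CreateObject(\"Scripting.FileSystemObject\") was removed here\n",
    "site_b/conn.asp": 'conn.Open "Driver={SQL Server};Server=db1;UID=web;PWD=example-only;"\n'
                       'dbPath = Server.MapPath("data/users.mdb")\n',
}

if __name__ == "__main__":
    for f in audit_asp(SAMPLE):
        print(f"{f.path}:{f.line}: {f.rule}")
```

The commented-out line in the first sample file is deliberately not reported, since only live code can create the object.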


I am not a hacker and have no intention of harming the interests of any organization or individual; I am publishing this vulnerability only to fulfil my duty as an Internet user, and in doing so I have broken no law. If any organization or individual uses this vulnerability to harm the interests of others, that has nothing to do with me.
