Topic: Asp help?

Post Number: 1
solid
Posted on: Jan. 29 2001,03:00

Hmm... I've been assigned a project at work where I'm supposed to get the code for an ASP program that's been written for a certain site. (No, I am serious.)

The problem is I can't get the code, of course. I tried downloading the ASP and that of course didn't work.

What I've heard was that I had to use another protocol that wasn't HTTP to get the file so it wasn't protected, like FTP or such. And then again FTP requires logins and passwords.

Any suggestions?

Post Number: 2
damien_s_lucifer
Posted on: Jan. 29 2001,07:07

quote:
Originally posted by solid:
Hmm... I've been assigned a project at work where I'm supposed to get the code for an asp program that's been written for a certain site

Yeah. Get a different job. Either 1. your company doesn't own the code and is trying to steal it (illegal), or 2. your company DOES own the code, but somebody lost the source and the password to get into their own server (stupid).

Either way, that co. isn't going to last long.

And finally... find a company that uses a REAL web server, i.e. Apache httpd. IIS sux0rs.

Post Number: 3
solid
Posted on: Jan. 29 2001,19:15

That's not the case at all. Jeez. It's obviously so that they can secure all exploits for it, cover all the holes. My brother is the programmer of it.

Post Number: 4
fatbitch
Posted on: Jan. 29 2001,21:29

bahahah WHOOPS damien

Post Number: 5
damien_s_lucifer
Posted on: Jan. 29 2001,22:02

my bad.

i still say asp sux0rs.

Post Number: 6
solid
Posted on: Jan. 30 2001,00:42

I'd agree, but I'd have no idea what I'm talking about. My brother's the one who referred me. I got lucky. I just wanted a job at like a fast food place or something so I could've made some pocket money.

Anyhow, I just want someone to give me a torch so I can walk through that dark tunnel, I'll fix the booby traps myself.

So if you can, just tell me where I should be looking.

Post Number: 7
jim
Posted on: Jan. 30 2001,01:14

The answer is you can't.

ASP is executed at the server, and HTML is returned to the browser. If there was a way to get the source code, don't you think everybody would be doing it? Works the same with CGI. This is why UBB members are stored with the extension .CGI.

When someone tries to grab the file containing a username and password for UBB (i.e. jim.cgi), instead of getting my password returned to you, the server executes the file, which obviously produces no output, and returns to you a blank page.

It's called security for a reason.

------------------
jim
Beauty is in the eye of the Beer Holder
Brews and Cues

Post Number: 8
solid
Posted on: Jan. 30 2001,22:33

Blah.. I guess that clears some stuff up.

Post Number: 9
@$$h0l3
Posted on: Feb. 01 2001,05:19

First, a disclaimer. I work doing primarily security for a BIG corporation. This is just a bit of rambling that in no way constitutes advice. I'd do a lot of reading before you try anything mentioned below. Or ask your local $(r1p+ |<1dd13.

Here are my thoughts.

Before you do anything related to this, get a document in writing from the company you are testing for. I can't stress how important this can be. Most of the time it is a formality, but if something goes wrong, you need to CYA.

If the server is in production, get a testing window. Many of the methods for compromising servers can hang or crash the service, or the server itself. You don't want to kill a production box (especially if it is an ecommerce type of site).

From you asking about .ASP, I'm assuming they are running IIS. The list of vulnerabilities for IIS is long, and the list of working exploits for those vulnerabilities is sizeable as well.

For really old installations of IIS (that shouldn't be running at all) there are a couple of exploits from the l0pht, http://www.l0pht.com, but I think they were directed at IIS 3.0 / very early IIS 4.0. They were things like appending .Data or $ to the end of a filename to show the code. If you want a scanning tool you can demo, try eEye, http://www.eeye.com. It will show you a list of vulnerabilities that the server has (the ColdFusion 3.0/4.0 default install was my favorite that I found on a live system).

Finally, go to the Bugtraq archives at http://www.securityfocus.com. There have been three or four IIS exploits in the last week. That should give you a place to start.

Anyway, that's just me talking. Reply if you have questions.

Offline
Top of Page Profile Contact Info 
8 replies since Jan. 29 2001,03:00
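
Added example, not part of any post in this thread: a defender-side check for the filename-suffix requests mentioned in the last post, run over an IIS log in W3C extended format. The log lines are constructed, and the extension list and the function name `find_suffix_probes` are assumptions.

```python
import re

# Script types whose source should never be served verbatim (assumed list).
SCRIPT_EXTS = ("asp", "asa", "cgi")
# A script extension followed by a non-alphanumeric suffix in the last path
# segment, e.g. "page.asp$" or "page.asp.Data" (forms named in the thread).
SUFFIX_RE = re.compile(
    r"\.(%s)([^/A-Za-z0-9][^/]*)$" % "|".join(SCRIPT_EXTS), re.IGNORECASE
)

# Constructed sample log; addresses are from the documentation range.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-01-29 03:00:10 192.0.2.10 GET /default.asp - 200
2001-01-29 03:00:12 192.0.2.10 GET /default.asp$ - 200
2001-01-29 03:00:15 192.0.2.10 GET /members/jim.cgi.Data - 404
2001-01-29 03:00:20 192.0.2.44 GET /images/asp.gif - 200
2001-01-29 03:00:25 192.0.2.44 GET /search.asp q=asp$ 200
"""

def find_suffix_probes(log_text):
    """Return (client_ip, uri_stem, status, served) for suspicious requests."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order is declared per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if SUFFIX_RE.search(stem):
            status = int(row.get("sc-status", "0"))
            # A 2xx status means the server answered the mangled name, so the
            # response body should be checked for script source.
            hits.append((row.get("c-ip"), stem, status, 200 <= status < 300))
    return hits

if __name__ == "__main__":
    for ip, stem, status, served in find_suffix_probes(SAMPLE_LOG):
        print("SERVED  " if served else "rejected", status, ip, stem)
```

Only the URI stem is matched, so a `$` inside a query string (the last sample line) is not flagged.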