Forum: Geek Forum
Topic: Asp help?
started by: solid
Posted by solid on Jan. 29 2001,03:00
Hmm... I've been assigned a project at work where I'm supposed to get the code for an asp program that's been written for a certain site. (No, I am serious.) The problem is I can't get the code, of course. I tried downloading the asp and that of course didn't work. What I've heard of was that I had to use another protocol that wasn't http to get the file so it wasn't protected, like ftp or such. And then again ftp requires logins and passwords. Any suggestions?
Posted by damien_s_lucifer on Jan. 29 2001,07:07
quote: Yeah. Get a different job. Either 1. your company doesn't own the code and is trying to steal it (illegal), or 2. your company DOES own the code, but somebody lost the source and the password to get into their own server (stupid). Either way, that co. isn't going to last long. And finally... find a company that uses a REAL web server, i.e. Apache httpd. IIS sux0rs.
Posted by solid on Jan. 29 2001,19:15
that's not the case at all. jeez. it's obviously so that they can secure all exploits for it, cover all the holes. my brother is the programmer of it.
Posted by fatbitch on Jan. 29 2001,21:29
bahahah WHOOPS damien
Posted by damien_s_lucifer on Jan. 29 2001,22:02
my bad. i still say asp sux0rs.
Posted by solid on Jan. 30 2001,00:42
i'd agree, but i'd have no idea what i'm talking about. my brother's the one who referred me. i got lucky. i just wanted a job at like a fast food place or something so i could've made some pocket money. anyhow, i just want someone to give me a torch so i can walk through that dark tunnel, i'll fix the booby traps myself. so if you can, just tell me where i should be looking.
Posted by jim on Jan. 30 2001,01:14
The answer is you can't. ASP is executed at the server, and HTML is returned to the browser. If there was a way to get the source code, don't you think everybody would be doing it? Works the same with CGI. This is why UBB members are stored with the extension .CGI. When someone tries to grab the file containing a username and password for UBB (ie jim.cgi) It's called security for a reason.
Posted by solid on Jan. 30 2001,22:33
blah.. i guess that clears some stuff up.
Posted by @$$h0l3 on Feb. 01 2001,05:19
First, a disclaimer. I work doing primarily security for a BIG corporation. This is just a bit of rambling that in no way constitutes advice. I'd do a lot of reading before you try anything mentioned below. Or ask your local $(r1p+ |<1dd13.
Here are my thoughts. Before you do anything related to this, get a document in writing from the company you are testing for. I can't stress how important this can be. Most of the time it is a formality, but if something goes wrong, you need to CYA. If the server is in production, get a testing window. Many of the methods for compromising servers can hang or crash the service, or the server itself. You don't want to kill a production box (especially if it is an ecommerce type of site).
From you asking about .ASP, I'm assuming they are running IIS. The list of vulnerabilities for IIS is long, and the list of working exploits for those vulnerabilities is sizeable as well. For really old installations of IIS (that shouldn't be running at all) there are a couple of exploits from the l0pht <http://www.l0pht.com>, but I think they were directed at IIS 3.0 / very early IIS 4.0. They were things like appending .Data or $ to the end of a filename to show the code.
If you want a scanning tool you can demo, try eEye, <http://www.eeye.com>. It will show you a list of vulnerabilities that the server has (the ColdFusion 3.0/4.0 default install was my favorite that I found on a live system). Finally, go to the Bugtraq archives at <http://www.securityfocus.com>. There have been three or four IIS exploits in the last week. That should give you a place to start.
Anyway, that's just me talking. Reply if you have questions.