Hi Reverser,

I have been following your site for the last one month, and all that I can
say is: it's Fantabulous!!
I have read the articles on CGI scripts cracking, but ASP (Active Server
Pages) cracking doesn't seem to have been discussed till now.
So I thought I should write something about this 'technology' from
our friends at Micro$oft...

Regds,
Indian Maharaja
(Indian-Maharaja(at)usa(point)net)
Active Server Page reversing

By Indian Maharaja

Tools Required:

Nothing but your browser.

When M$ launched Windoze NT Server, it was trying to compete against the existing Unix platforms.

Since Billy boy couldn't make much progress, he had this idea of 'bundling' software, to snare people who thought that all the software was for 'free'.

Among the many bloatwares that were launched were SQL Server (an abomination of an RDBMS) and IIS (Internet Information Server). Now M$ decided CGI was a worthless technology (since they couldn't control it), so they launched something called ISAPI (Internet Server API).

If you look at the documentation for IIS, it mentions full support for CGI, but you will find the documentation littered with references as to why ISAPI is a million times greater and better than CGI.

Let's prove the opposite.. :-)

So what really is ASP? It's available for download from the M$ website, but it requires IIS or PWS (Personal Web Server) installed. (The install exe is 9 Megs+; if this isn't bloatware at its best then I am not Maharaja.)

Basically ASP is a wrapper on ISAPI and allows server side scripting using VeeBee Script or JavaScript (sorry, JScript -- the M$ version of JavaScript).

A very simple ASP script is something like:
<HTML>
<%Response.Write("Hello")%> 
</HTML>

which will result in an HTM =>

<HTML>
Hello
</HTML>
which is downloaded to the client's machine. So if I do a view source I can see only the resultant HTM, and not the ASP code, as this is translated to HTM on the server before being sent.

So what people generally do is keep all the code for validating passwords and redirecting to hidden pages inside the ASP file, and based on some user input show only the required things to the user. Even if the user does a view-source he can see only the downloaded HTM. It would be very nice if we could see the ASP source...

There are very many sites using ASP and still more sites using ISAPI DLLs.

Since ASP is a wrapper (a filter, as the documentation says) on ISAPI, it is possible to write DLLs using VeeCee++ (ver 5.0 has an App-Wizard option for that) and MFC which can provide lower level functionality.

If you find a page like this: www.indianmaharaja.com/default.asp => bull's-eye, this site uses ASP.

If you find a page like this: www.indianmaharaja.com/validate.dll?12473636 => most probably it is an ISAPI DLL.

So let's get down to business...

1) If you are on an ASP page do this: www.indianmaharaja.com/default.asp::$DATA You will find that either the ASP code is displayed in your browser window (or) a download window pops up which allows you to download the ASP.

So much for code security. It seems it's a bug in ISAPI and a fix is available at M$ sites. All the Micro$oft sites have run this fix :-( . But I found many, many other web sites who are still running the unfixed version :-).

2) Next I checked out a site which was using an ISAPI DLL. I tried doing this:

www.indianmaharaja.com/validate.dll (entering just the name of the DLL) -- nope, I got a message: 'Hackers keep off'. Too bad, so I tried the trick specified in 1): www.indianmaharaja.com/validate.dll::$DATA Bingo! I was able to download the DLL.

I racked my brains as to how such a HUGE security hole could be there; I still haven't been able to figure it out. Most probably it is because of lousy coding done by the M$ loving bozos, or it was there for some devious reason known only to M$.

3) The story doesn't end here... my next assignment was running ASP on Apache Server for NT. M$ never provided a version of ASP (i.e. ISAPI) for web servers other than IIS. A company called ChilliSoft provides a version called ChilliASP which runs on Apache for NT (I don't know why anybody would want to run ASP in the 1st place).

ChilliASP is available for download from M$'s Site Builder Network site. Now if you have an ASP file with a long file name, say:

www.indianmaharaja.com/passwordval.asp

if you type the short (8.3) file name in the browser:

www.indianmaharaja.com/passwo~1.asp -- unbelievably the download window pops up and you can download the ASP script. I have noticed this problem only in the Apache version of ASP. Though a fix might be available now (I am not sure), there could be many sites....

4) One more screwup -- the one most commonly made by the person who wrote the ASP scripts. Sometimes when I do a view source of a .asp file in my browser I get something like this along with just the HTML:
	<!--#include file = "inc/encrypt.inc"-->
	<!--#include file = "inc/AdminChk.inc"-->
	<HTML>
	.
	.
	Other stuff
	.
	.
	</HTML>	
	
What the bozo who created the page has done is include some common .asp code (like validation routines which are used across pages) in a .inc file. Now if the page being viewed was: www.indianmaharaja.com/login.asp

just type in: www.indianmaharaja.com/inc/encrypt.inc

your browser will promptly download this file. Open the file and you have something like this:
	<SCRIPT RUNAT=SERVER>
	Function Encrypt(theStr)	
	..
	..
	..
	End Function
	</SCRIPT> 
What you will see is the complete ASP code.
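A defender's footnote, added here and not part of the original essay: all four of the disclosure paths above (the ::$DATA suffix on .asp and .dll, the 8.3 short name, and a direct request for a .inc file) leave a recognisable trace in the web server's access log. The script below scans constructed combined-format log lines (the log lines, the rule names and the regexes are assumptions of this example, not anything from the essay or from IIS) and marks a 200 response on a flagged path as a confirmed source disclosure rather than a mere probe.

```python
import re
from typing import List, Tuple

# Constructed sample access-log lines in Apache "combined"-like format; not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/1999:10:00:01 +0000] "GET /default.asp HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/1999:10:00:02 +0000] "GET /default.asp::$DATA HTTP/1.0" 200 788
10.0.0.7 - - [01/Jan/1999:10:00:03 +0000] "GET /validate.dll?12473636 HTTP/1.0" 200 96
10.0.0.7 - - [01/Jan/1999:10:00:04 +0000] "GET /validate.dll::$DATA HTTP/1.0" 200 24576
10.0.0.9 - - [01/Jan/1999:10:00:05 +0000] "GET /passwo~1.asp HTTP/1.0" 200 1402
10.0.0.9 - - [01/Jan/1999:10:00:06 +0000] "GET /inc/encrypt.inc HTTP/1.0" 200 640
10.0.0.9 - - [01/Jan/1999:10:00:07 +0000] "GET /images/logo.gif HTTP/1.0" 200 3120
"""

# Pulls method, request target and status code out of one log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')

# Heuristic rules keyed on the URL path (query string stripped). Rule names are this example's own.
RULES = [
    ("ntfs-stream-suffix", re.compile(r'::\$DATA$', re.IGNORECASE)),   # default.asp::$DATA
    ("8.3-short-name", re.compile(r'/[^/]*~\d+(\.[^/]*)?$')),          # passwo~1.asp
    ("direct-include-request", re.compile(r'\.inc$', re.IGNORECASE)),  # inc/encrypt.inc
]

def classify_request(target: str) -> List[str]:
    """Return the names of every rule matched by one request target."""
    path = target.split("?", 1)[0]
    return [name for name, pattern in RULES if pattern.search(path)]

def scan_log(text: str) -> List[Tuple[int, str, int, List[str]]]:
    """Return (line_no, target, status, matched_rules) for each suspicious line.
    A 200 on a flagged path means the server actually handed the file out."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        matched = classify_request(m.group("target"))
        if matched:
            hits.append((n, m.group("target"), int(m.group("status")), matched))
    return hits

if __name__ == "__main__":
    for n, target, status, rules in scan_log(SAMPLE_LOG):
        severity = "DISCLOSED" if status == 200 else "probe"
        print(f"line {n}: {severity:9} {target} -> {', '.join(rules)}")
```

The 8.3 rule is a heuristic (a legitimate path segment ending in "~1" would also trip it), so treat its hits as candidates to verify against the filesystem rather than as proof.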

Hope you find this information useful in the continuing battle against Billy's boys at Micro$oft.

