I have been following your site for the last month; all that I can
say is: it's Fantabulous!!
I have read the articles on CGI scripts cracking, but ASP (Active Server
Pages) cracking doesn't seem to have been discussed till now.
So I thought I should write something about this 'technology' from
our friends at Micro$oft...
Active Server Page reversing
By Indian Maharaja
Tools Required:
Nothing but your browser.
When M$ launched Windoze NT server, it was trying to compete against
Since Billy boy couldn't make much progress he had this idea of
software, to snare
people who thought that all the software was for 'free'.
One of the many bloatwares that were launched were SQL-Server (an
of a rdbms),
IIS (Internet Info server). Now M$ decided CGI was a worthless
(since they couldn't
control it), so they launched something called ISAPI (Internet Server
If you look, at
the documentation for IIS, it mentions full support for CGI, but you
littered with references as to why Isapi is a million times greater and
Let's prove the opposite..:-)
So what really is Asp? It's available for download from the M$
IIS or PWS (personal web server installed). (Install Exe is 9Megs+ if
at its best then I am not maharaja).
Basically Asp is a wrapper on Isapi and allows server side scripting
A very simple Asp script is something like:
which will result in a htm =>
which is downloaded to the client's machine, so if I do a view source I
resultant HTM, and not the Asp code, as this is translated to HTM on the
and then sent.
So what people generally do is keep all the code for validating
hidden pages inside the Asp file, and based on some user input show
things to the user. Even if the user does a view-source he can see only
It would be very nice if we could see the Asp source...
There are very many sites using Asp and still more sites using Isapi
is a wrapper (a filter as the documentation says) on Isapi, it is
write Dlls using
VeeCee++ (ver 5.0 has an App-wizard option for that) and Mfc which can
If you find a page like this www.indianmaharaja.com/default.asp =>
this site uses
If you find a page like this
most probably it
is an Isapi dll.
So let's get down to business...
1) If you are on an Asp page do this:
You will find that either the Asp code is displayed in your browser
a download window pops up which allows you to download the Asp.
So much for code security.
It seems it's a bug in Isapi and a fix is available at M$ sites.
All the Micro$oft sites have run this fix :-( . But I found many, many
web sites
who are still running the unfixed version :-).
2) Next I checked out a site which was using an Isapi dll. I tried
(entering just the name of the dll) -- nope, I got a message:
'Hackers keep off'
Too bad, so I tried the trick specified in 1)
Bingo ! I was able to download the dll.
I racked my brains as to how such a HUGE security hole could be there,
been able to figure it out. Most probably it is because of lousy
by the M$
loving bozos or it was there for some devious reason known only to M$.
3) The story doesn't end here ... my next assignment was of running Asp
for NT. M$ never provided a version of Asp (i.e. Isapi) for web
IIS. A company called ChilliSoft provides a version called ChilliAsp
Apache for NT (I don't know why anybody would want to run Asp in the 1st
ChilliAsp available for download from M$'s site builder network site.
Now if you have an Asp file with a long file name say:
if you type the short file name in the browser
www.indianmaharaja.com/passwo~1.asp -- unbelievably the download
up and you
can download the asp script.
I have noticed this problem only in the Apache version of Asp. Though
available now (I am not sure), there could be many sites....
4) One more screwup -- that is most commonly done by the person who
Asp scripts,
Sometimes when I do a view source of a .asp file in my browser I get
something like this
along with just the html :
<!--#include file = "inc/encrypt.inc"-->
<!--#include file = "inc/AdminChk.inc"-->
What the bozo who created the page has done is include some common
validation routines which are used across pages) in a .inc file.
Now if the page being viewed was:
just type in:
your browser will promptly download this file.
Open the file and you have something like this:
what you will see is the complete asp code.
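The exposure described in 4) can be checked from the server side. The following is an added example, not code from the original essay: it scans Asp sources for #include directives and lists the included files whose extension is not handed to the script engine, and which would therefore be sent to a browser as plain text. The page paths, the sample sources and the SCRIPT_MAPPED set are constructed assumptions.

```python
import posixpath
import re

# Assumption: only these extensions are handed to the ASP engine; anything
# else is returned to the browser verbatim. Adjust to the server's mappings.
SCRIPT_MAPPED = {".asp"}

INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)

# Constructed sample: URL path -> ASP source as stored on the server.
SAMPLE_PAGES = {
    "/admin/login.asp": '<!--#include file = "inc/encrypt.inc"-->\n'
                        '<!--#include file = "inc/AdminChk.inc"-->\n'
                        '<html><body>Login</body></html>',
    "/default.asp": '<!-- #include virtual="/shared/header.asp" -->\n'
                    '<html><body>Home</body></html>',
}


def find_includes(asp_source):
    """Return (kind, target) for every server-side include directive."""
    return [(m.group(1).lower(), m.group(2))
            for m in INCLUDE_RE.finditer(asp_source)]


def include_url(page_path, kind, target):
    """URL path at which a browser could request the included file."""
    target = target.replace("\\", "/")
    if kind == "virtual":            # rooted at the site root
        return posixpath.normpath("/" + target.lstrip("/"))
    # "file" includes are relative to the including page's directory
    return posixpath.normpath(
        posixpath.join(posixpath.dirname(page_path), target))


def exposed_includes(pages):
    """List include files that would be served as source, not executed."""
    exposed = set()
    for page_path, source in pages.items():
        for kind, target in find_includes(source):
            url = include_url(page_path, kind, target)
            if posixpath.splitext(url)[1].lower() not in SCRIPT_MAPPED:
                exposed.add(url)
    return sorted(exposed)


if __name__ == "__main__":
    for url in exposed_includes(SAMPLE_PAGES):
        print("served as plain text:", url)
```

Anything the script lists should either be renamed to a script-mapped extension or blocked from direct requests on the web server.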
Hope you find this information useful in the continuing battle against
boys at Micro$oft.