问题描述
我正在寻找有关DEBUG HTTP动词的详细信息。
我清楚,这用于远程调试 - 尽管我甚至不确定它是用于IIS还是ASP.NET。 ..
如果我想直接访问这个界面 - 即不是通过Visual Studio,而是手动发送这些命令 - 我需要知道什么?它的命令是什么?
我也对滥用情况感兴趣,如果你有任何信息...
只是为了完整,在这里整合来自 :(感谢@马克,@Jørn)。
DEBUG
动词用于启动/停止远程调试会话。更具体地说,一个 DEBUG
请求可以包含一个命令头,值为 start-debug
和 stop -debug
,但是实际的调试是通过RPC协议完成的。
它使用Windows身份验证,DCOM实际上进行调试(显然,如果你允许RPC流量,那么你有更大的问题)或任何漏洞。 UrlScan默认阻止它。
但是,使用 DEBUG
请求可以戳一个ASP.NET网站用于显示web.config是否具有< compilation debug =true>
。该测试可以通过telnet,WFetch或类似的方式通过发送这样的请求来执行:
DEBUG /foo.aspx HTTP / 1.0
接受:* / *
主机:www.example.com
命令:stop-debug
根据调试是否启用,您将获得 200 OK
或 403禁止
一般都接受你不应该有< compilation debug =true/>
在生产环境中,因为它对网站的性能有严重的影响。我不知道是否启用了调试启用任何新的攻击向量,除非RPC流量也被启用,在这种情况下,您还会遇到更严重的问题。
I'm looking for details on the DEBUG HTTP verb.
It's clear to me that this is used for remote debugging - though I'm not even sure if it's for IIS or ASP.NET...
If I want to access this interface directly - i.e. not through Visual Studio, but sending these commands manually - what do I need to know? What are the commands for it?
I'm also interested in misuse cases, if you have any information on that...
Just for completeness, consolidating here the answers from what-is-the-non-standard-http-verb-debug-used-for-in-asp-net-iis: (thanks @Mark, @Jørn).
http://support.microsoft.com/kb/937523
The DEBUG
verb is used to start/stop remote debugging sessions. More specifically, a DEBUG
request can contain a Command header with value start-debug
and stop-debug
, but the actual debugging is done via an RPC protocol.
It uses Windows authentication, and DCOM to actually do the debugging though (obviously, if you're allowing RPC traffic, then you've got bigger problems) or of any exploits. UrlScan does block it by default, though.
However, poking an ASP.NET website with the DEBUG
requests can be used to reveal if the web.config has <compilation debug="true">
. The test can be performed with telnet, WFetch or similar, by sending a request like this:
DEBUG /foo.aspx HTTP/1.0
Accept: */ *
Host: www.example.com
Command: stop-debug
Depending on whether debugging is enabled or not, you will get either 200 OK
or 403 Forbidden
.
It is generally accepted that you should never have <compilation debug="true"/>
in a production environment, as it has serious implications on the performance of the website. I am not sure if having debugging enabled opens any new attack vectors, unless RPC traffic is enabled as well, in which case you have more serious problems anyway.
这篇关于ASP.NET / IIS远程调试 - DEBUG动词的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!