DEBUG动词

DEBUG动词

关注
发信
关注(28)粉丝(399)

ASP.NET / IIS远程调试 - DEBUG动词

本文介绍了ASP.NET / IIS远程调试 - DEBUG动词的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

限时删除!!

我正在寻找有关DEBUG HTTP动词的详细信息。

我清楚,这用于远程调试 - 尽管我甚至不确定它是用于IIS还是ASP.NET。 ..



如果我想直接访问这个界面 - 即不是通过Visual Studio,而是手动发送这些命令 - 我需要知道什么?它的命令是什么?

我也对滥用情况感兴趣,如果你有任何信息...

解决方案

只是为了完整,在这里整合来自 :(感谢@马克,@Jørn)。



DEBUG 动词用于启动/停止远程调试会话。更具体地说,一个 DEBUG 请求可以包含一个命令头,值为 start-debug stop -debug ,但是实际的调试是通过RPC协议完成的。



它使用Windows身份验证,DCOM实际上进行调试(显然,如果你允许RPC流量,那么你有更大的问题)或任何漏洞。 UrlScan默认阻止它。



但是,使用 DEBUG 请求可以戳一个ASP.NET网站用于显示web.config是否具有< compilation debug =true> 。该测试可以通过telnet,WFetch或类似的方式通过发送这样的请求来执行:

  DEBUG /foo.aspx HTTP / 1.0 
接受:* / * 
主机:www.example.com 
命令:stop-debug

根据调试是否启用,您将获得 200 OK 403禁止

一般都接受你不应该有< compilation debug =true/> 在生产环境中,因为它对网站的性能有严重的影响。我不知道是否启用了调试启用任何新的攻击向量,除非RPC流量也被启用,在这种情况下,您还会遇到更严重的问题。


I'm looking for details on the DEBUG HTTP verb.
It's clear to me that this is used for remote debugging - though I'm not even sure if it's for IIS or ASP.NET...

If I want to access this interface directly - i.e. not through Visual Studio, but sending these commands manually - what do I need to know? What are the commands for it?
I'm also interested in misuse cases, if you have any information on that...

解决方案

Just for completeness, consolidating here the answers from what-is-the-non-standard-http-verb-debug-used-for-in-asp-net-iis: (thanks @Mark, @Jørn).

http://support.microsoft.com/kb/937523

The DEBUG verb is used to start/stop remote debugging sessions. More specifically, a DEBUG request can contain a Command header with value start-debug and stop-debug, but the actual debugging is done via an RPC protocol.

It uses Windows authentication, and DCOM to actually do the debugging though (obviously, if you're allowing RPC traffic, then you've got bigger problems) or of any exploits. UrlScan does block it by default, though.

However, poking an ASP.NET website with the DEBUG requests can be used to reveal if the web.config has <compilation debug="true">. The test can be performed with telnet, WFetch or similar, by sending a request like this:

DEBUG /foo.aspx HTTP/1.0
Accept: */ *
Host: www.example.com
Command: stop-debug

Depending on whether debugging is enabled or not, you will get either 200 OK or 403 Forbidden.

It is generally accepted that you should never have <compilation debug="true"/> in a production environment, as it has serious implications on the performance of the website. I am not sure if having debugging enabled opens any new attack vectors, unless RPC traffic is enabled as well, in which case you have more serious problems anyway.

这篇关于ASP.NET / IIS远程调试 - DEBUG动词的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

1403页,肝出来的..

09-07 02:50
Powered by LMLPHP ©2024 DEBUG动词 0.035805