Download ASP Script?

Discussion in 'ASP General' started by Oli, Oct 12, 2003.

  1. Oli

    Oli Guest

    Alright people,
    I'll get straight to the point.... Bascially a company I do some work for
    has just gone bankrupt and is in liquidation and I want to get hold of one
    of the ASP scripts off their webserver. It is only something basic that
    takes the input of a dropdown box and takes you to the appropriate page (I
    know this can be done with Javascript but I don't like it!).

    Can someone please tell me how I can physically grab the script off their
    server (I know the filename), OR tell me how I can make a similar script?

    Many thanks in advance,
    Oli
    Oli, Oct 12, 2003
    #1
    1. Advertising

  2. Oli

    Ken Schaefer Guest

    If you want to get it off their server, go and ask them for it. You don't
    steal things.

    As for programming this yourself, it's trivial.

    <select name="cboGoThere">
    <option value="a">Value 1</option>
    <option value="b">Value 2</option>
    <option value="c">Value 3</option>
    </select>

    - - - - - - - - - -

    Select Case Request.Form("cboGoThere")
    Case "a"
    strRedirect = "pageA.asp"
    Case "b"
    strRedirect = "someOtherPage.asp"
    Case "c"
    strRedirect = "whoCares.asp"
    Case Else
    strRedirect = "/"
    End Select
    Response.Redirect(strRedirect)

    Cheers
    Ken

    "Oli" <> wrote in message
    news:bmbetm$m4m$...
    : Alright people,
    : I'll get straight to the point.... Bascially a company I do some work for
    : has just gone bankrupt and is in liquidation and I want to get hold of one
    : of the ASP scripts off their webserver. It is only something basic that
    : takes the input of a dropdown box and takes you to the appropriate page (I
    : know this can be done with Javascript but I don't like it!).
    :
    : Can someone please tell me how I can physically grab the script off their
    : server (I know the filename), OR tell me how I can make a similar script?
    :
    : Many thanks in advance,
    : Oli
    :
    :
    Ken Schaefer, Oct 12, 2003
    #2
    1. Advertising

  3. Oli

    Harag Guest

    On Sun, 12 Oct 2003 23:38:26 +1000, "Ken Schaefer"
    <> wrote:

    >If you want to get it off their server, go and ask them for it. You don't
    >steal things.

    [snip]

    Talking of getting ASP pages from a server. I'm new to the world of
    ASP vbscript and thought that its basically impossible to get asp
    files from asp servers, as typing in the filename runs the file.

    Now with you NOT saying that its "not" possible to the guy - are you
    say that it is possible in someway to get other peoples .ASP pages
    from thier sites?

    You've not got me worried as if its possible then what about all the
    sensitive info stored in them (like DB connections with user &
    passwords) etc.

    If it is possible what about the global .ASA file?

    please let me know is it or is it not possible to "steal" asp/asa
    pages from someones website.

    Thanks
    Al.
    Harag, Oct 13, 2003
    #3
  4. Oli

    Ken Schaefer Guest

    There are few old exploits that allowed you to see ASP source code. Any
    server that's patched is immune.

    However, suppose the IIS site allows Frontpage authoring. All you'd need to
    do is guess a username/password combination

    Additionally, ASP pages are just text files on the server. If you can
    somehow get access to the server (I assume that this guy knows a little
    about the company, especially since he knows it's gone bankrupt), then you
    can get access to the files.

    etc, etc

    So, the simple answer is "no" - without having something extra (eg
    username/password), it's not possible to get ASP source code (.asp, .asa ),
    however that's not to say its completely impossible.

    cheers
    Ken


    "Harag" <> wrote in message
    news:...
    : On Sun, 12 Oct 2003 23:38:26 +1000, "Ken Schaefer"
    : <> wrote:
    :
    : >If you want to get it off their server, go and ask them for it. You don't
    : >steal things.
    : [snip]
    :
    : Talking of getting ASP pages from a server. I'm new to the world of
    : ASP vbscript and thought that its basically impossible to get asp
    : files from asp servers, as typing in the filename runs the file.
    :
    : Now with you NOT saying that its "not" possible to the guy - are you
    : say that it is possible in someway to get other peoples .ASP pages
    : from thier sites?
    :
    : You've not got me worried as if its possible then what about all the
    : sensitive info stored in them (like DB connections with user &
    : passwords) etc.
    :
    : If it is possible what about the global .ASA file?
    :
    : please let me know is it or is it not possible to "steal" asp/asa
    : pages from someones website.
    :
    : Thanks
    : Al.
    :
    :
    Ken Schaefer, Oct 13, 2003
    #4
  5. Oli

    Jeff Cochran Guest

    On Mon, 13 Oct 2003 08:18:07 +0100, Harag
    <> wrote:

    >On Sun, 12 Oct 2003 23:38:26 +1000, "Ken Schaefer"
    ><> wrote:
    >
    >>If you want to get it off their server, go and ask them for it. You don't
    >>steal things.

    >[snip]
    >
    >Talking of getting ASP pages from a server. I'm new to the world of
    >ASP vbscript and thought that its basically impossible to get asp
    >files from asp servers, as typing in the filename runs the file.
    >
    >Now with you NOT saying that its "not" possible to the guy - are you
    >say that it is possible in someway to get other peoples .ASP pages
    >from thier sites?


    FTP, copy to floppy, have them email it, plenty of ways. No, you
    can't just "View Source".

    >You've not got me worried as if its possible then what about all the
    >sensitive info stored in them (like DB connections with user &
    >passwords) etc.


    Never ever store passwords or connection info where it would be
    accessible. There are/were a number of attacks on IIS/Windows systems
    that allowed viewing the files, all of which have been patched and
    which have security fixes. Make sure you've applied them and locked
    down the box.

    >please let me know is it or is it not possible to "steal" asp/asa
    >pages from someones website.


    I can always walk in the door with a gun and make you copy it to
    floppy for me, there's no "foolproof" method. Make sure you follow
    good security practices.

    Jeff
    Jeff Cochran, Oct 13, 2003
    #5
  6. Oli

    Harag Guest

    Hi

    >FTP, copy to floppy, have them email it, plenty of ways. No, you
    >can't just "View Source".


    lol. it was the latter that I was more worried about. I'm more asking
    from the point of view of a user other side of the world getting into
    the asp files.

    >Never ever store passwords or connection info where it would be
    >accessible. There are/were a number of attacks on IIS/Windows systems
    >that allowed viewing the files, all of which have been patched and
    >which have security fixes. Make sure you've applied them and locked
    >down the box.


    Hmm Where do you store the connection/password info ?

    I have 1 ASP-VBSCRIPT CLASS .asp file that handles my connection to
    the DB and even all the code for getting recordsets back in different
    formats (Recordset or array or none)

    I have my connection string set up as follows in the global.asa:

    Application("DBConnection") = "Provider=SQLOLEDB; Data Source=(local);
    Initial Catalog=dbname; User ID=[***USER***]; Password=[***PASS***];
    Persist Security Info=True"

    and in my class I replace the user & password bits with the actual
    name & password... hmm thinking about it I dont need to store the
    above in the Application object (this was from my old system before I
    wrote the class lol)

    >I can always walk in the door with a gun and make you copy it to
    >floppy for me, there's no "foolproof" method. Make sure you follow
    >good security practices.


    LOL, yea there is always that possibility :)

    Al
    Harag, Oct 14, 2003
    #6
  7. Oli

    Jeff Cochran Guest

    On Tue, 14 Oct 2003 08:52:29 +0100, Harag
    <> wrote:

    >Hi
    >
    >>FTP, copy to floppy, have them email it, plenty of ways. No, you
    >>can't just "View Source".

    >
    >lol. it was the latter that I was more worried about. I'm more asking
    >from the point of view of a user other side of the world getting into
    >the asp files.
    >
    >>Never ever store passwords or connection info where it would be
    >>accessible. There are/were a number of attacks on IIS/Windows systems
    >>that allowed viewing the files, all of which have been patched and
    >>which have security fixes. Make sure you've applied them and locked
    >>down the box.

    >
    >Hmm Where do you store the connection/password info ?


    I store them in an include, outside the IIS website heirarchy. It's
    not really *that* much safer, just that most of the hacks for
    directory traversal or other means of viewing files on systems depend
    on either a known folder structure (\\winnt\system32\etc...) or access
    to the web folders. Placing connection string includes, as well as
    databases, etc. outside the structure in a folder that isn't easily
    guessable is just one more hurdle to get by.

    >I have 1 ASP-VBSCRIPT CLASS .asp file that handles my connection to
    >the DB and even all the code for getting recordsets back in different
    >formats (Recordset or array or none)
    >
    >I have my connection string set up as follows in the global.asa:
    >
    >Application("DBConnection") = "Provider=SQLOLEDB; Data Source=(local);
    >Initial Catalog=dbname; User ID=[***USER***]; Password=[***PASS***];
    >Persist Security Info=True"


    I'm not fond of having connection strings in the global.asa, but part
    of that stems from having to access different connections depending on
    what's going on. There are arguments not to provide connection
    information between sessions, instead creating and destroying
    connections as needed, plus if you have pages that don't need a
    connection, you're creating it for the user even if you never use it.
    A lot of this depends on design considerations and has to do with
    scalability issues, so each organization is affected differently.

    >and in my class I replace the user & password bits with the actual
    >name & password... hmm thinking about it I dont need to store the
    >above in the Application object (this was from my old system before I
    >wrote the class lol)


    You don't, and it's probably not a smart programming move, though I
    don't think it would affect security.

    >>I can always walk in the door with a gun and make you copy it to
    >>floppy for me, there's no "foolproof" method. Make sure you follow
    >>good security practices.

    >
    >LOL, yea there is always that possibility :)


    Security is a matter of tradeoffs. You often trade security for
    usability, until you get a balance that works in your specific
    instance. What you need for security might not be the same as the kid
    in his high school lab creating a project that will be destroyed next
    month, or the CIA creating a system to share intelligence with other
    agencies.

    Jeff
    Jeff Cochran, Oct 14, 2003
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Ryan Taylor
    Replies:
    2
    Views:
    921
    Ryan Taylor
    Nov 10, 2004
  2. Steve C. Orr [MVP, MCSD]
    Replies:
    0
    Views:
    1,588
    Steve C. Orr [MVP, MCSD]
    Mar 7, 2005
  3. Sam --
    Replies:
    2
    Views:
    594
    Sam --
    Mar 17, 2005
  4. Rafal Majda
    Replies:
    5
    Views:
    2,231
    Rafal Majda
    Apr 18, 2005
  5. Brett  Kelly
    Replies:
    1
    Views:
    663
    Steve C. Orr [MVP, MCSD]
    Jun 16, 2006
Loading...

Share This Page