ASP.NET / IIS 远程调试 - DEBUG 动词
我正在寻找有关 DEBUG HTTP 动词的详细信息。
我很清楚这是用于远程调试 - 尽管我什至不确定它是用于 IIS 还是 ASP.NET...
如果我想直接访问此界面 - 即不通过 Visual Studio,而是手动发送这些命令- 我需要知道什么? 它的命令是什么?
我也对滥用案例感兴趣,如果您有任何相关信息......
I'm looking for details on the DEBUG HTTP verb.
It's clear to me that this is used for remote debugging - though I'm not even sure if it's for IIS or ASP.NET...
If I want to access this interface directly - i.e. not through Visual Studio, but sending these commands manually - what do I need to know? What are the commands for it?
I'm also interested in misuse cases, if you have any information on that...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
为了完整起见,这里合并了 什么是非标准-http-verb-debug-used-for-in-asp-net-iis:(感谢@Mark,@Jørn)。
http://support.microsoft.com/kb/937523
DEBUG 动词用于启动/停止远程调试会话。 更具体地说,
DEBUG请求可以包含带有值start-debug和stop-debug的 Command 标头,但实际的调试是通过RPC 协议。它使用 Windows 身份验证和 DCOM 来实际进行调试(显然,如果您允许 RPC 流量,那么您就会遇到更大的问题)或任何漏洞利用。 不过,UrlScan 默认情况下会阻止它。
但是,使用
DEBUG请求刺探 ASP.NET 网站可用于显示 web.config 是否具有根据是否启用调试,您将得到
200 OK或403 Forbidden>。人们普遍认为,在生产环境中永远不应该使用
Just for completeness, consolidating here the answers from what-is-the-non-standard-http-verb-debug-used-for-in-asp-net-iis: (thanks @Mark, @Jørn).
http://support.microsoft.com/kb/937523
The
DEBUGverb is used to start/stop remote debugging sessions. More specifically, aDEBUGrequest can contain a Command header with valuestart-debugandstop-debug, but the actual debugging is done via an RPC protocol.It uses Windows authentication, and DCOM to actually do the debugging though (obviously, if you're allowing RPC traffic, then you've got bigger problems) or of any exploits. UrlScan does block it by default, though.
However, poking an ASP.NET website with the
DEBUGrequests can be used to reveal if the web.config has<compilation debug="true">. The test can be performed with telnet, WFetch or similar, by sending a request like this:Depending on whether debugging is enabled or not, you will get either
200 OKor403 Forbidden.It is generally accepted that you should never have
<compilation debug="true"/>in a production environment, as it has serious implications on the performance of the website. I am not sure if having debugging enabled opens any new attack vectors, unless RPC traffic is enabled as well, in which case you have more serious problems anyway.如果您想进行远程调试,我建议使用 debug.writeline 和 sysinternals 中的工具 调试视图。 这允许您在本地计算机或远程计算机上“侦听”调试语句,前提是您具有必要的访问权限。
我无法直接回答有关 DEBUG http 的部分,因为我对它不熟悉。
If you want to do remote debugging, I would suggest utilizing debug.writeline and the tool from sysinternals DebugView. This allows you to 'listen' for debug statements either on your location machine or on a remote machine, provided you have the necessary access.
I cannot directly answer the part about DEBUG http as I am unfamiliar with it.