ASP.NET / IIS 远程调试 - DEBUG 动词

发布于 2024-07-11 02:50:27 字数 195 浏览 9 评论 0原文

我正在寻找有关 DEBUG HTTP 动词的详细信息。
我很清楚这是用于远程调试 - 尽管我什至不确定它是用于 IIS 还是 ASP.NET...

如果我想直接访问此界面 - 即不通过 Visual Studio,而是手动发送这些命令- 我需要知道什么? 它的命令是什么?
我也对滥用案例感兴趣,如果您有任何相关信息......

I'm looking for details on the DEBUG HTTP verb.
It's clear to me that this is used for remote debugging - though I'm not even sure if it's for IIS or ASP.NET...

If I want to access this interface directly - i.e. not through Visual Studio, but sending these commands manually - what do I need to know? What are the commands for it?
I'm also interested in misuse cases, if you have any information on that...

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

蓬勃野心 2024-07-18 02:50:27

为了完整起见,这里合并了 什么是非标准-http-verb-debug-used-for-in-asp-net-iis:(感谢@Mark,@Jørn)。

http://support.microsoft.com/kb/937523

当客户端尝试自动
在 ASP.NET 2.0 中附加调试器
应用程序,客户端发送一个HTTP
包含 DEBUG 动词的请求。
此 HTTP 请求用于验证
申请的过程是
运行并选择正确的
附加过程。

DEBUG 动词用于启动/停止远程调试会话。 更具体地说,DEBUG 请求可以包含带有值 start-debugstop-debug 的 Command 标头,但实际的调试是通过RPC 协议。

它使用 Windows 身份验证和 DCOM 来实际进行调试(显然,如果您允许 RPC 流量,那么您就会遇到更大的问题)或任何漏洞利用。 不过,UrlScan 默认情况下会阻止它。

但是,使用 DEBUG 请求刺探 ASP.NET 网站可用于显示 web.config 是否具有 。 可以使用 telnet、WFetch 或类似工具执行测试,方法是发送如下请求:

DEBUG /foo.aspx HTTP/1.0
Accept: */ *
Host: www.example.com
Command: stop-debug

根据是否启用调试,您将得到 200 OK403 Forbidden >。

人们普遍认为,在生产环境中永远不应该使用 ,因为它会对网站的性能产生严重影响。 我不确定启用调试是否会打开任何新的攻击媒介,除非也启用了 RPC 流量,在这种情况下,无论如何您都会遇到更严重的问题。

Just for completeness, consolidating here the answers from what-is-the-non-standard-http-verb-debug-used-for-in-asp-net-iis: (thanks @Mark, @Jørn).

http://support.microsoft.com/kb/937523

When the client tries to automatically
attach the debugger in an ASP.NET 2.0
application, the client sends a HTTP
request that contains the DEBUG verb.
This HTTP request is used to verify
that the process of the application is
running and to select the correct
process to attach.

The DEBUG verb is used to start/stop remote debugging sessions. More specifically, a DEBUG request can contain a Command header with value start-debug and stop-debug, but the actual debugging is done via an RPC protocol.

It uses Windows authentication, and DCOM to actually do the debugging though (obviously, if you're allowing RPC traffic, then you've got bigger problems) or of any exploits. UrlScan does block it by default, though.

However, poking an ASP.NET website with the DEBUG requests can be used to reveal if the web.config has <compilation debug="true">. The test can be performed with telnet, WFetch or similar, by sending a request like this:

DEBUG /foo.aspx HTTP/1.0
Accept: */ *
Host: www.example.com
Command: stop-debug

Depending on whether debugging is enabled or not, you will get either 200 OK or 403 Forbidden.

It is generally accepted that you should never have <compilation debug="true"/> in a production environment, as it has serious implications on the performance of the website. I am not sure if having debugging enabled opens any new attack vectors, unless RPC traffic is enabled as well, in which case you have more serious problems anyway.

捂风挽笑 2024-07-18 02:50:27

如果您想进行远程调试,我建议使用 debug.writeline 和 sysinternals 中的工具 调试视图。 这允许您在本地计算机或远程计算机上“侦听”调试语句,前提是您具有必要的访问权限。

我无法直接回答有关 DEBUG http 的部分,因为我对它不熟悉。

If you want to do remote debugging, I would suggest utilizing debug.writeline and the tool from sysinternals DebugView. This allows you to 'listen' for debug statements either on your location machine or on a remote machine, provided you have the necessary access.

I cannot directly answer the part about DEBUG http as I am unfamiliar with it.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文