Entschuldigung, dass ich dies nicht früher beantwortet habe.
Das erste Skript ist unten angegeben.
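<%@ Language="VBScript" %>
<%
' List script
' Looks up users in Active Directory by given-name / surname prefix and returns
' the matches as a CiscoIPPhoneDirectory XML document, PAGE_SIZE entries per page.
' Query-string parameters:
'   f           given-name prefix
'   l           surname prefix
'   searchparam opaque value carried through to the Prev/Next links
'   page        1-based page number (optional; anything invalid becomes 1)
Option Explicit
%>
<%
Response.ContentType = "text/xml"
Response.Expires = -1

Const PAGE_SIZE = 30 ' entries per page; at or below this count no paging keys are emitted

' Escape a string for use inside an LDAP filter assertion value (RFC 4515),
' so that query-string input cannot change the structure of the filter.
Function LdapEscape(ByVal s)
    s = s & ""
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    LdapEscape = s
End Function

' Escape a string for use as XML element text, so directory values or URLs
' containing markup characters cannot break or alter the response document.
Function XmlEscape(ByVal s)
    s = s & ""
    s = Replace(s, "&", "&amp;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    s = Replace(s, """", "&quot;")
    s = Replace(s, "'", "&apos;")
    XmlEscape = s
End Function

' Write one <DirectoryEntry> for the current record of rs.
Sub WriteEntry(rs)
    Response.Write "<DirectoryEntry>"
    Response.Write "<Name>" & XmlEscape(rs("displayName") & " " & rs("c")) & "</Name>"
    Response.Write "<Telephone>" & XmlEscape(rs("telephonenumber")) & "</Telephone>"
    Response.Write "</DirectoryEntry>"
End Sub

' Build the URL of this script for page pageNo, carrying the search terms.
' Every parameter value is URL-encoded; the caller XML-escapes the result.
Function PageUrl(pageNo, firstName, lastName, searchParam)
    PageUrl = "http://" & Request.ServerVariables("SERVER_NAME") & ":" & Request.ServerVariables("SERVER_PORT") & Request.ServerVariables("url") _
        & "?page=" & pageNo & "&f=" & Server.URLEncode(firstName) & "&l=" & Server.URLEncode(lastName) & "&searchparam=" & Server.URLEncode(searchParam)
End Function

Dim objCon, objCom, objRS
Dim strBase, strQuery, strFilter, strAttributes
Dim sFirstName: sFirstName = Request.QueryString("f") & ""
Dim sLastName: sLastName = Request.QueryString("l") & ""
Dim sSearchparam: sSearchparam = Request.QueryString("searchparam") & ""
Dim strPage: strPage = Request.QueryString("page") & ""
Dim lngPage, lngLastPage, lngFirst, lngRecords, intRecord

' Page number: anything that is not a positive integer (missing, text, overflow) becomes 1.
On Error Resume Next
lngPage = CLng(strPage)
If Err.Number <> 0 Then lngPage = 1
Err.Clear
On Error GoTo 0
If lngPage < 1 Then lngPage = 1

' Define the AD OU that contains our users and filter and attributes
strBase = "<LDAP://server.com/DC=server,DC=com>"
strFilter = "(&(objectCategory=person)(objectClass=user)(givenName=" & LdapEscape(sFirstName) & "*)(sn=" & LdapEscape(sLastName) & "*)(telephonenumber=*))"
strAttributes = "givenName,sn,displayName,telephonenumber,mobile,c"

' Make AD connection and run query
' NOTE: bind credentials must not live in the page source. Load them from a
' protected configuration store at deployment time and use an account that
' only has read access to the directory.
Set objCon = Server.CreateObject("ADODB.Connection")
objCon.Provider = "ADsDSOObject"
objCon.Properties("User ID") = "DOMAIN\USERNAME"
objCon.Properties("Password") = "PASSWORD"
objCon.Properties("Encrypt Password") = True
objCon.Open "Active Directory Provider"
Set objCom = CreateObject("ADODB.Command")
Set objCom.ActiveConnection = objCon
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCom.CommandText = strQuery
objCom.Properties("Sort On") = "displayName"
Set objRS = objCom.Execute

' Loop over returned recordset and output the directory document
Response.Write "<CiscoIPPhoneDirectory>"
Response.Write "<Title>Phone Directory</Title><Prompt>Search Results</Prompt>"

' NOTE(review): RecordCount and AbsolutePosition assume the provider returns a
' cursor that supports them, as the original script already did.
lngRecords = objRS.RecordCount
If lngRecords <= PAGE_SIZE Then
    ' Single page: emit every match, no Prev/Next keys.
    Do While Not objRS.EOF
        WriteEntry objRS
        objRS.MoveNext
        Response.Flush
    Loop
    Response.Write "<SoftKeyItem><Name>Dial</Name><URL>SoftKey:Dial</URL><Position>1</Position></SoftKeyItem>"
    Response.Write "<SoftKeyItem><Name>Exit</Name><URL>SoftKey:Exit</URL><Position>4</Position></SoftKeyItem>"
Else
    ' Clamp the requested page to the last available one so AbsolutePosition
    ' never points past the end of the recordset, then emit that page.
    lngLastPage = (lngRecords + PAGE_SIZE - 1) \ PAGE_SIZE
    If lngPage > lngLastPage Then lngPage = lngLastPage
    lngFirst = PAGE_SIZE * (lngPage - 1) + 1
    objRS.AbsolutePosition = lngFirst
    For intRecord = 1 To PAGE_SIZE
        WriteEntry objRS
        objRS.MoveNext
        Response.Flush
        If objRS.EOF Then Exit For
    Next
    Response.Write "<SoftKeyItem><Name>Dial</Name><URL>SoftKey:Dial</URL><Position>1</Position></SoftKeyItem>"
    ' Link URLs are XML-escaped so the "&" separators are valid inside the document.
    If lngFirst > 1 Then
        Response.Write "<SoftKeyItem><Name>Prev</Name><URL>" & XmlEscape(PageUrl(lngPage - 1, sFirstName, sLastName, sSearchparam)) & "</URL><Position>2</Position></SoftKeyItem>"
    End If
    If lngRecords > lngPage * PAGE_SIZE Then
        Response.Write "<SoftKeyItem><Name>Next</Name><URL>" & XmlEscape(PageUrl(lngPage + 1, sFirstName, sLastName, sSearchparam)) & "</URL><Position>3</Position></SoftKeyItem>"
    End If
    Response.Write "<SoftKeyItem><Name>Exit</Name><URL>SoftKey:Exit</URL><Position>4</Position></SoftKeyItem>"
End If
Response.Write "</CiscoIPPhoneDirectory>"

' Clean up
objRS.Close
objCon.Close
Set objRS = Nothing
Set objCon = Nothing
Set objCom = Nothing
%>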
Das CiscoIPPhoneDirectory hat eine Nummer mit Leerzeichen zurückgegeben.
Ich habe 2 Variablen hinzugefügt:
' Raw telephone number from the record, and the same value with spaces removed.
Dim strNumber, strNumberClean
und das Skript wie unten aktualisiert:
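<%@ Language="VBScript" %>
<%
' List script
' Looks up users in Active Directory by given-name / surname prefix and returns
' the matches as a CiscoIPPhoneDirectory XML document, PAGE_SIZE entries per page.
' Telephone numbers are emitted without spaces so the phone can dial them.
' Query-string parameters:
'   f           given-name prefix
'   l           surname prefix
'   searchparam opaque value carried through to the Prev/Next links
'   page        1-based page number (optional; anything invalid becomes 1)
Option Explicit
%>
<%
Response.ContentType = "text/xml"
Response.Expires = -1

Const PAGE_SIZE = 30 ' entries per page; at or below this count no paging keys are emitted

' Escape a string for use inside an LDAP filter assertion value (RFC 4515),
' so that query-string input cannot change the structure of the filter.
Function LdapEscape(ByVal s)
    s = s & ""
    s = Replace(s, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    LdapEscape = s
End Function

' Escape a string for use as XML element text, so directory values or URLs
' containing markup characters cannot break or alter the response document.
Function XmlEscape(ByVal s)
    s = s & ""
    s = Replace(s, "&", "&amp;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    s = Replace(s, """", "&quot;")
    s = Replace(s, "'", "&apos;")
    XmlEscape = s
End Function

' Write one <DirectoryEntry> for the current record of rs.
Sub WriteEntry(rs)
    Dim strNumber, strNumberClean
    Response.Write "<DirectoryEntry>"
    Response.Write "<Name>" & XmlEscape(rs("displayName") & " " & rs("c")) & "</Name>"
    ' Remove spaces in the Telephone Number - 20170127 Louis-Philippe Descamps
    ' ("& """ turns a Null field into an empty string before Replace sees it.)
    strNumber = rs("telephonenumber") & ""
    strNumberClean = Replace(strNumber, " ", "")
    Response.Write "<Telephone>" & XmlEscape(strNumberClean) & "</Telephone>"
    Response.Write "</DirectoryEntry>"
End Sub

' Build the URL of this script for page pageNo, carrying the search terms.
' Every parameter value is URL-encoded; the caller XML-escapes the result.
Function PageUrl(pageNo, firstName, lastName, searchParam)
    PageUrl = "http://" & Request.ServerVariables("SERVER_NAME") & ":" & Request.ServerVariables("SERVER_PORT") & Request.ServerVariables("url") _
        & "?page=" & pageNo & "&f=" & Server.URLEncode(firstName) & "&l=" & Server.URLEncode(lastName) & "&searchparam=" & Server.URLEncode(searchParam)
End Function

Dim objCon, objCom, objRS
Dim strBase, strQuery, strFilter, strAttributes
Dim sFirstName: sFirstName = Request.QueryString("f") & ""
Dim sLastName: sLastName = Request.QueryString("l") & ""
Dim sSearchparam: sSearchparam = Request.QueryString("searchparam") & ""
Dim strPage: strPage = Request.QueryString("page") & ""
Dim lngPage, lngLastPage, lngFirst, lngRecords, intRecord

' Page number: anything that is not a positive integer (missing, text, overflow) becomes 1.
On Error Resume Next
lngPage = CLng(strPage)
If Err.Number <> 0 Then lngPage = 1
Err.Clear
On Error GoTo 0
If lngPage < 1 Then lngPage = 1

' Define the AD OU that contains our users and filter and attributes
strBase = "<LDAP://server.com/DC=server,DC=com>"
strFilter = "(&(objectCategory=person)(objectClass=user)(givenName=" & LdapEscape(sFirstName) & "*)(sn=" & LdapEscape(sLastName) & "*)(telephonenumber=*))"
strAttributes = "givenName,sn,displayName,telephonenumber,mobile,c"

' Make AD connection and run query
' NOTE: bind credentials must not live in the page source. Load them from a
' protected configuration store at deployment time and use an account that
' only has read access to the directory.
Set objCon = Server.CreateObject("ADODB.Connection")
objCon.Provider = "ADsDSOObject"
objCon.Properties("User ID") = "DOMAIN\USERNAME"
objCon.Properties("Password") = "PASSWORD"
objCon.Properties("Encrypt Password") = True
objCon.Open "Active Directory Provider"
Set objCom = CreateObject("ADODB.Command")
Set objCom.ActiveConnection = objCon
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCom.CommandText = strQuery
objCom.Properties("Sort On") = "displayName"
Set objRS = objCom.Execute

' Loop over returned recordset and output the directory document
Response.Write "<CiscoIPPhoneDirectory>"
Response.Write "<Title>Phone Directory</Title><Prompt>Search Results</Prompt>"

' NOTE(review): RecordCount and AbsolutePosition assume the provider returns a
' cursor that supports them, as the original script already did.
lngRecords = objRS.RecordCount
If lngRecords <= PAGE_SIZE Then
    ' Single page: emit every match, no Prev/Next keys.
    Do While Not objRS.EOF
        WriteEntry objRS
        objRS.MoveNext
        Response.Flush
    Loop
    Response.Write "<SoftKeyItem><Name>Dial</Name><URL>SoftKey:Dial</URL><Position>1</Position></SoftKeyItem>"
    Response.Write "<SoftKeyItem><Name>Exit</Name><URL>SoftKey:Exit</URL><Position>4</Position></SoftKeyItem>"
Else
    ' Clamp the requested page to the last available one so AbsolutePosition
    ' never points past the end of the recordset, then emit that page.
    lngLastPage = (lngRecords + PAGE_SIZE - 1) \ PAGE_SIZE
    If lngPage > lngLastPage Then lngPage = lngLastPage
    lngFirst = PAGE_SIZE * (lngPage - 1) + 1
    objRS.AbsolutePosition = lngFirst
    For intRecord = 1 To PAGE_SIZE
        WriteEntry objRS
        objRS.MoveNext
        Response.Flush
        If objRS.EOF Then Exit For
    Next
    Response.Write "<SoftKeyItem><Name>Dial</Name><URL>SoftKey:Dial</URL><Position>1</Position></SoftKeyItem>"
    ' Link URLs are XML-escaped so the "&" separators are valid inside the document.
    If lngFirst > 1 Then
        Response.Write "<SoftKeyItem><Name>Prev</Name><URL>" & XmlEscape(PageUrl(lngPage - 1, sFirstName, sLastName, sSearchparam)) & "</URL><Position>2</Position></SoftKeyItem>"
    End If
    If lngRecords > lngPage * PAGE_SIZE Then
        Response.Write "<SoftKeyItem><Name>Next</Name><URL>" & XmlEscape(PageUrl(lngPage + 1, sFirstName, sLastName, sSearchparam)) & "</URL><Position>3</Position></SoftKeyItem>"
    End If
    Response.Write "<SoftKeyItem><Name>Exit</Name><URL>SoftKey:Exit</URL><Position>4</Position></SoftKeyItem>"
End If
Response.Write "</CiscoIPPhoneDirectory>"

' Clean up
objRS.Close
objCon.Close
Set objRS = Nothing
Set objCon = Nothing
Set objCom = Nothing
%>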
Das scheint funktioniert zu haben.
Die zurückgegebene Verzeichnisnummer enthält keine Leerzeichen mehr.
** Verschlüsseln Sie keine Passwörter **: Wenn der Angreifer die DB bekommt, bekommt er auch den Verschlüsselungsschlüssel. Iterieren Sie über einen HMAC mit einem zufälligen Salt für etwa 100 ms Dauer und speichern Sie das Salt zusammen mit dem Hash. Verwenden Sie Funktionen wie password_hash, PBKDF2, Bcrypt und ähnliche. Es geht darum, den Angreifer viel Zeit mit der Suche nach Passwörtern verbringen zu lassen. Bedenken Sie, dass die Benutzer durch eine unzureichende Kennwortbehandlung gefährdet sind. – zaph
Danke für deinen Kommentar. Keine Ahnung, wie das geht, aber ich schaue es mir an. Prost –
@Askut Fragen Sie sich selbst: „Ist die Sicherheit der Benutzer es wert, zu erforschen, wie Passwörter korrekt behandelt werden?" Folgendes geschieht: Ein Angreifer erhält Zugriff auf Ihre Site-Namen/Passwörter, und Sie wissen das nicht einmal. Der Angreifer verwendet diese, um auf die Benutzerkonten auf anderen Systemen zuzugreifen, da die meisten Benutzer Kennwörter wiederverwenden. Oder er aggregiert die gestohlenen Anmeldeinformationen mit anderen und verkauft sie dann im Darknet. – zaph