[maldiablo]

This passes all data to the stored procedures so it shouldn't be possible to inject at all.
Yeah, it may be just a simple registration script on the outside, but it's probably the most advanced publically available just because of how it works.

- 100% stored procedure based, not possible to inject through input.
- uses post instead of get, not that it matters because it's stored procedure based
- Supports users with the account emu that use MD5 password encryption. Be sure to set the use_md5 setting to 0 if your server doesn't have it enabled.. If I recal, I think I left it to 1 by default so double check!

To change settings, modify config.asp
To change more stuff, modify register.asp (advanced users only)

Use of my sp_ functions are documented in register.asp.

esql.asp is free for anybody to use in your own stuff, but you need to keep the tagline code intact. The sp_ functions are designed not to work without the init and tagline statements in your code.

If you want to use them in your own stuff without the taglines, PM me.
esql.asp currently requires adovbs.asp to be in the same dir as it.

http://asb.groundtac...ablo/aspreg.rar - download


http://asb.groundtactics.com/maldiablo/registrationtest1.jpg

[peacelo]

thx , just what i'm looking for
testing.....

[maldiablo]

Please report any injection vulnerabilitys to me asap if found.

This is merely a starter project for me. If the methods I've used prove to be safe from all known injection, then I'll start building a series of tools in asp. I can essentially re-create anything in asp that's done in php. If all is well, my next peoject will be porting the roster manager to asp. Who knows? If Azndragon approves, I may even begin efforts to make a port of ROCP (Aegis only of course ^_^).

**Warning.. Opinionated editorial to follow!!
Why ASP?
Php is a great web scripting platform and all, but only really under apache on a native 'nix platform. My experience tends to prefer IIS to apache when the only available platform is win32, which is the case for a majority of the aegis server admins out there. The reason isn't necessarily performance, but security. Sure, you can harden an apache installation quite well on a 'nix system, but doing so on a win32 system leaves much to be desired. IIS is built to conform to the windows security model right out of the box and while arguably more resource intensive then apache, should likely the better choice for windows users out there. Some of you may also know that IIS can be made to support php as well, but its a nightmare to configure from what I've heard and almost never works the way you want it to. Hopefully this script sparks some interest for others to code stuff in asp. I plan to eventually encapsulate all the aegis stored procedures in easy to use functions like the ones in this script so novice and advanced scripters alike can all dive in and start creating new works with ease in no time and almost no risk of security compromise. Wouldn't it be nice to script web pages for your server as easily as scripting aegis npcs?

The only stored procedures I refuse to make wrapper functions for are any that use the exec statement, as those are known to be injectable.

[Perkka]

I would love to see a asp port for ROCP since its quite a hell to get it fully working for Aegis. as an example, my ROCP complains about things that actually does work but it gives error after it succeded to do a thing anyway. so the mssql part with php isnt that fun to work with.

[Substance]

Waa?!? Download link is open another webpage?? And this webpage has not download link?!

[peacelo]

i agree with perkka, but i prefer a simple registration ^_^
nice dow if rcop = is asp base

[Substance]

Guys download link is not work?

[r4d4]

it works, i just dl'ed the file for testing reasons <_<

[maldiablo]

Try using a different browser if you can't download from my webspace. I've got fairly strict anti-leech rules and some browsers don't play nice.

*Edit*

How many people have actually been using this? How's it been working? Anybody find a way to inject into it? It would be nice to have some feedback if you like it or if you're having problems with it.

[brokencard]

It isn't compatible with FireFox. When you go to register.asp, it shows the code and not the proper page.

[Kolkka]

It worked perfectly in my server, can create an account and see the page with IE/Firefox/Opera.

It may be some config problem in your server.

[Sumire]

Does it need MySQL or MSSQL???
What Server Emulators does it work on???
What do you mean by this lines??:

' Turn on if your database passwords are MD5
use_md5 = What this means

' The ip of your database.. (duh)
db_ip = "What i ip do i put??is it my ip or database(what database?)"

' The port your db listens for connections on (duh.. again)
db_port = What port do i put??

' your database password.
db_pass = "What password(What database)"
Did you mean in this line the MySQL's password,port,ip??

[r4d4]

1. mssql
2. no emus, its for aegis
3. if you store md5 checksum of your users passes in the database (if you dunno what it is you probably dont do...)
4. ip and port the mssql server listens on
5. password to access the database with the sa user (i think the script uses this user)

[brokencard]

What would I need to install on my system to get this to run?

[r4d4]

well i'd suggest using microsofts iis (the webserver that comes with windows) for it.
dunno how well apache performs with asp, if it can use them.

[Sumire]

thx r4d4 for the explanation

[maldiablo]

Still no injection reports?

[Yugi Moto]

ASP ??? good work !!! very good.
but i like more PHP, more stable. !!

@maldiablo
Thanks, this is a good help !!!!

[maldiablo]

I think php is more stable and reliable in a 'nix platform. On a windows platform it lacks in security though.. even with a win32 version of apache. Not to mention that PHP in IIS is just a plain nightmare.

In truth, PHP on a 'nix platform may very well blow away asp on a windows platform.

But on a windows platform, apache has had a reputation of being buggy and unstable.

Some will say that IIS sucks.. but most of those people tried to run php scripts in it.. If you want to run PHP, go right ahead, but do it right.. Run it in apache on a 'nix box... If you're going to stick with windows, then recommend you stick with asp.

That's my 3 cents.

[creamberry]

What he said ^