ASP.NET / IIS远程调试 - DEBUG动词
[英]ASP.NET / IIS Remote Debugging - DEBUG verb
问题描述
I'm looking for details on the DEBUG HTTP verb. 
我正在寻找有关DEBUG HTTP动词的详细信息。
It's clear to me that this is used for remote debugging - though I'm not even sure if it's for IIS or ASP.NET... 我很清楚这用于远程调试 - 虽然我甚至不确定它是用于IIS还是ASP.NET ...
If I want to access this interface directly - ie not through Visual Studio, but sending these commands manually - what do I need to know? 如果我想直接访问此界面 - 即不是通过Visual Studio,而是手动发送这些命令 - 我需要知道什么? What are the commands for it? 有什么命令吗?
I'm also interested in misuse cases, if you have any information on that... 我也对滥用案件感兴趣,如果你有任何相关的信息......
2 个解决方案
解决方案1
5 已采纳 2010-02-17 07:25:14
Just for completeness, consolidating here the answers from what-is-the-non-standard-http-verb-debug-used-for-in-asp-net-iis : (thanks @Mark, @Jørn). 只是为了完整性,在这里整合来自非标准的http-verb-debug-used-for-asp-net-iis的答案:(感谢@Mark,@Jørn)。
http://support.microsoft.com/kb/937523 http://support.microsoft.com/kb/937523
When the client tries to automatically attach the debugger in an ASP.NET 2.0 application, the client sends a HTTP request that contains the DEBUG verb.
The DEBUG verb is used to start/stop remote debugging sessions. DEBUG谓词用于启动/停止远程调试会话。 More specifically, a DEBUG request can contain a Command header with value start-debug and stop-debug , but the actual debugging is done via an RPC protocol. 更具体地说, DEBUG请求可以包含带有值start-debug和stop-debug的Command头,但实际的调试是通过RPC协议完成的。
It uses Windows authentication, and DCOM to actually do the debugging though (obviously, if you're allowing RPC traffic, then you've got bigger problems) or of any exploits. 它使用Windows身份验证和DCOM来实际进行调试(显然,如果你允许RPC流量,那么你有更大的问题)或任何漏洞利用。 UrlScan does block it by default, though. 但是UrlScan默认会阻止它。
However, poking an ASP.NET website with the DEBUG requests can be used to reveal if the web.config has <compilation debug="true"> . 但是,使用DEBUG请求戳一个ASP.NET网站可以用来显示web.config是否有<compilation debug="true"> 。 The test can be performed with telnet, WFetch or similar, by sending a request like this: 可以使用telnet,WFetch或类似方法执行测试,方法是发送如下请求:
DEBUG /foo.aspx HTTP/1.0
Accept: */ *
Host: www.example.com
Command: stop-debug
Depending on whether debugging is enabled or not, you will get either 200 OK or 403 Forbidden . 根据是否启用调试,您将获得200 OK或403 Forbidden 。
It is generally accepted that you should never have <compilation debug="true"/> in a production environment, as it has serious implications on the performance of the website. 人们普遍认为,在生产环境中永远不应该有<compilation debug="true"/> ,因为它会对网站的性能产生严重影响。 I am not sure if having debugging enabled opens any new attack vectors, unless RPC traffic is enabled as well, in which case you have more serious problems anyway. 我不确定启用调试是否会打开任何新的攻击媒介,除非启用了RPC流量,在这种情况下,无论如何你都会遇到更严重的问题。
解决方案2
0 2009-01-07 01:31:54
If you want to do remote debugging, I would suggest utilizing debug.writeline and the tool from sysinternals DebugView . 如果你想进行远程调试,我建议使用debug.writeline和sysinternals DebugView中的工具。 This allows you to 'listen' for debug statements either on your location machine or on a remote machine, provided you have the necessary access. 这允许您在位置计算机或远程计算机上“监听”调试语句,前提是您具有必要的访问权限。
I cannot directly answer the part about DEBUG http as I am unfamiliar with it. 我不能直接回答有关DEBUG http的部分,因为我对它不熟悉。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.