Penetration Testing mailing list archives
Re: cmdasp.asp & unicode
From: "CT" <ct () arnet com ar>
Date: Thu, 16 Aug 2001 11:48:42 -0300
:) You are a Spanish guy... I wrote some for this bug (unicode/decode/Code Red II) in Spanish, how to exploit them and fix it: www.heinekenteam.com/cursos/iis

Best regards
CyRaNo
Carpe Noctem

----- Original Message -----
From: "César González" <cesar () eureka-sistemas com>
To: "Penetration Testers" <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, August 16, 2001 8:28 AM
Subject: cmdasp.asp & unicode

Hello all,

First of all, thanks H.D. Moore for the reply to my last post ("Information about mkilog.exe") and sorry about my poor English ;).

I am finishing a pen-test for a company and my customer told me to try to grab the data from the database. The machine that runs the database software runs IIS too, and it is vulnerable to a UNICODE exploit. I have uploaded the cmdasp.asp script but it seems to fail in some operations like deleting files. For example: I upload cmdasp.asp to c:\inetpub\scripts\ with the tftp trick, but when I try to delete the file itself I get permission denied. The user the script runs under is IUSR_SIVAC. (sivac is the database and the name of the computer in the Windows network.)

My questions are:

Why can't I delete the files I have uploaded to c:\inetpub\scripts? The user SIVAC should be allowed... if I can write in the directory I should be allowed to delete too, isn't it?

Could I force a change of the user under which cmd.asp.asp runs?

Thanks in advance.

César González Revilla
Eureka Sistemas S.L.
C/ San Fernando 16 bajo
39010 Santander
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/