Penetration Testing mailing list archives
RE: Injecting commands into a mainframe through a servlet
From: "Jason Muskat" <Jason () TechDude Ca>
Date: Wed, 8 Jun 2005 19:49:10 -0400
Hello,

This is just a type of code injection. Treat it as such.

Regards,
Jason Muskat
Jason () TechDude Ca
PGP Key: 7B447CD9
Fingerprint: 29A2 63C5 F623 EE9D 2453 B840 2818 5CA7 7B44 7CD9
Linux Guru Since 2002
Without security there can be no privacy.
-----Original Message-----
From: Frederic Charpentier [mailto:fcharpen () xmcopartners com]
Sent: Wednesday, June 08, 2005 8:38 AM
To: pen-test () securityfocus com
Subject: Injecting commands into a mainframe through a servlet

hi all,
I'm conducting a pentest and I found a url with something like an AS400 or OS390 command in a url parameter.
sample : www.client.com/Servlet.srv?codeLogon=logon+applid+(tesre01)
I saw on multiple web sites that I could add a command like :
www.client.com/Servlet.srv?codeLogon=logon+applid+(tesre01)+DATA(stuff)

Anyone have an idea about how I could exploit this ? like default application, ...

Fred.
--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web : http://www.xmcopartners.com
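
Treating the parameter as code injection means the web tier stops forwarding client-supplied command text and rebuilds the command itself from a validated identifier. The sketch below is an added example, not code from this thread or from the application discussed; the allow-list, the 1-8 character applid rule and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumption: application IDs this web front end is allowed to open.
ALLOWED_APPLIDS = {"TESRE01"}

# The one command shape seen in the thread: "logon applid (NAME)".
# Assumption: NAME is 1-8 letters or digits.
LOGON_SHAPE = re.compile(r"logon applid \(([A-Za-z0-9]{1,8})\)")


class RejectedLogon(ValueError):
    """Raised with a short reason suitable for the application log."""


def applid_from_query(query_string):
    """Return the validated applid from a raw query string, or raise."""
    values = parse_qs(query_string, keep_blank_values=True).get("codeLogon", [])
    if len(values) != 1:
        raise RejectedLogon("codeLogon missing or repeated")
    # fullmatch: any extra operand, control character or trailing text fails.
    match = LOGON_SHAPE.fullmatch(values[0])
    if match is None:
        raise RejectedLogon("codeLogon is not the expected logon request")
    applid = match.group(1).upper()
    if applid not in ALLOWED_APPLIDS:
        raise RejectedLogon("applid not on the allow-list")
    return applid


def build_logon(applid):
    """Build the command server-side from a fixed template."""
    return f"logon applid ({applid})"


def handle(query_string):
    """Return (accepted, command_or_reason) for one request."""
    try:
        return True, build_logon(applid_from_query(query_string))
    except RejectedLogon as reason:
        return False, str(reason)


if __name__ == "__main__":
    # The two query strings quoted in the thread.
    for qs in ("codeLogon=logon+applid+(tesre01)",
               "codeLogon=logon+applid+(tesre01)+DATA(stuff)"):
        print(qs, "->", handle(qs))
```

Rejections carry a reason string so that requests with unexpected operands can be logged and reviewed.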