Re: PHP Exploitation

[Danux <danuxx () gmail com>]

Yeah i have think about it, but now that i have uploaded my cmd.exe,
how could i execute it? because i cant use system, exec, etc, i
thought that may be change the PHP Path execution in order to call
first my cmd.exe instead of system32\cmd.exe but i dont know if its
possible.

Now, the second option, in order to copy the cmd.exe i need
permissions on it and i dont have because of IUSR_MACHINE user.

Do you know, how to execute my uploaded cmd.exe without using a system
or exec, passthru command?

Thanks in advance and excellent idea.

On Nov 28, 2007 3:38 AM, Paul <paul () ity cc> wrote:
> Have you tried uploading your own copy of cmd.exe (to bypass native OS
> rights/access controls).
> Or uploading a .php file which creates a local copy of cmd.exe, and then
> executes.
>
> Paul Craig
> Security-Assessment.com
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Danux
> Sent: Wednesday, 28 November 2007 7:35 a.m.
> To: Robin Wood
> Cc: pen-test () securityfocus com
> Subject: Re: PHP Exploitation
>
> Hi all, as i told you, i am not able to run system, exec, passthru,
> etc, i mean, all related to cmd.exe execution because of IIS
> IUSR_MACHINE User privileges.
>
> I have finished the assessment and i would like to share what i did at
> the final:
>
> As i told you, i was able to upload files directly to the windows
> filesystem due to another vulnerability, but i cant execute any
> command related to cmd.exe: dir, ipconfig, type, net, etc, etc, but i
> do can execute php files, then i upload a list.php script in order to
> walkthrough the filesystem, then, i was able to download all the app
> php site and after looking inside the source code, i found some MSSQL
> users and passwords with low privileges, and in other filesystem
> directories i found log files, conf files, backups, etc, i mean very
> interesting information to deal with.
>
> Maybe, i could start trying to elevate privileges on MSSQL in  order
> to execute xp_cmdshell or something like that, but i think i have what
> really matters to attackers...and what should matter to Companies...
> "INFORMATION".
>
> Thanks all for your help.
>
> On Nov 27, 2007 7:07 AM, Robin Wood <dninja () gmail com> wrote:
> > On 23/11/2007, Danux <danuxx () gmail com> wrote:
> > > Hi experts, i need your ideas,
> > >
> > > By now, i am able to upload php files to a Windows 2003 Server, so i
> > > can execute php code like phpinfo, but i cant execute passthru command
> > > because of lack of IUSR_MACHINE privileges.
> > > I have run some local php bof's without success.
> >
> > Have you tried other ways to execute commands such as system or exec?
> > If you can get one of those working you can redirect output to a file
> > in the document root then view it by browsing to it.
> >
> > Robin
>
>
>
> --
> Danux, CISSP
> Chief Information Security Officer
> Macula Security Consulting Group
> www.macula-group.com
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------



-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------