Penetration Testing mailing list archives
RE: Directory Transversal
From: "Walsh, Leo" <Leo_Walsh () jeffersonwells com>
Date: Thu, 18 Oct 2007 07:19:36 -0500
Personally I'd take a slightly different route than trying to see if you can use the vulnerability to upload a file. 1) Can you execute programs like cmd.exe with this vulnerability? 2) Can you grab the backup SAM file? If I found a system that allowed either of these I'd stop testing and notify the project customer immediately. If either of those methods are allowed then it should be evidence enough that you could take control of the system if you wished to spend enough time on it. Proving the severe vulnerability and moving on shows to the client that you are wasting their time by playing around. If you really do wish to upload a file to the server then I'd check to see if you can execute cmd.exe and use it to search for files like upload.asp or even wget or ftp. There are also likely tools (I just don't know of any off the top of my head) that will allow you to open a reverse shell using cmd.exe on the target host. Please keep us updated with what you find and whether or not this is a custom web app or one that others might also see in their testing. -Leo Walsh, GSNA Jefferson Wells International 816-627-4222 (office) 913-484-8051 (cell) -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jfvanmeter () comcast net Sent: Wednesday, October 17, 2007 12:56 PM To: pen-test () securityfocus com Subject: Directory Transversal Hello everyone, I'm in the middle of a test on a app that the following command works on http://mycomputer:port#/..//..//..//..//..//..//..//windows/win.ini and it will prompt me to save the file, if i check my packet capture I see the contents of the file. So far I've been unable to get a put or post command to work and was hoping to get some ideas from you all on things to try. I've been trying to get nc/telnet and some other tools to help me with the put comand Thanks in advance --John ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ ******* Internet Email Confidentiality ******* The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that it is strictly prohibited (a) to disseminate, distribute or copy this communication or any of the information contained in it, or (b) to take any action based on the information in it. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Directory Transversal jfvanmeter (Oct 18)
- Re: Directory Transversal Lee Lawson (Oct 19)
- Re: Directory Transversal Zed Qyves (Oct 19)
- Re: Directory Transversal pand0ra (Oct 19)
- <Possible follow-ups>
- Re: Directory Transversal jfvanmeter (Oct 19)
- RE: Directory Transversal jfvanmeter (Oct 19)
- re: Directory Transversal Sat Jagat Singh (Oct 19)
- Re: Directory Transversal jfvanmeter (Oct 19)
- RE: Directory Transversal Walsh, Leo (Oct 19)
- Re: Directory Transversal jfvanmeter (Oct 23)
- Re: Directory Transversal Zed Qyves (Oct 24)