Penetration Testing mailing list archives
Re: IIS : access to cmd.exe and multiple commands on one line
From: Rebecca Kastl <rkastl () neohapsis com>
Date: Tue, 23 Oct 2001 11:50:17 -0500 (CDT)
On Tue, 23 Oct 2001, Daniel Polombo wrote:
command1 & command2 (eg, cd .. & dir) works fine. On some other boxes, though, it only returns 'The parameter is incorrect'. It is unclear to me whether this problem happens only because of the way the request is made (http://path/to/cmd.exe?/c+command1&command2), or if there are really different versions of cmd.exe. I would assume the former, but I fail to see why it would work on some boxes and not others, given the same commands and commands separator.
I can't really speak to the issue of passing commands through a URL to IIS, but I can comment on the command line behavior in general. To say that the MS command line environment is inconsistent is an understatement. I discovered years ago that the MS command line interpreters are not implemented in the shell as they are in UNIX -- instead, they are implemented in each command which causes inconsistent behavior among commands (and among versions of commands). For example: Using 'dir' to test wildcard expressions before use will have different results than the same wildcard expressions used with the 'del' command. Tough lesson to learn. --Rebecca Kastl ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- IIS : access to cmd.exe and multiple commands on one line Daniel Polombo (Oct 23)
- Re: IIS : access to cmd.exe and multiple commands on one line hellNbak (Oct 23)
- Re: IIS : access to cmd.exe and multiple commands on one line Rebecca Kastl (Oct 23)
- Re: IIS : access to cmd.exe and multiple commands on one line Alex Butcher (pentest) (Oct 23)
- Re: IIS : access to cmd.exe and multiple commands on one line Emre Yildirim (Oct 23)
- Re: IIS : access to cmd.exe and multiple commands on one line Rainer Duffner (Oct 24)
- Re: IIS : access to cmd.exe and multiple commands on one line Daniel Polombo (Oct 24)
- <Possible follow-ups>
- Re: IIS : access to cmd.exe and multiple commands on one line Garreth Jeremiah/Markham/IBM (Oct 24)
- RE: IIS : access to cmd.exe and multiple commands on one line Sam Steinmeyer (Oct 24)