Penetration Testing mailing list archives

Injecting commands into a mainframe through a servlet


From: Frederic Charpentier <fcharpen () xmcopartners com>
Date: Wed, 08 Jun 2005 14:37:49 +0200

Hi all,
I'm conducting a pentest and I found a URL with something like an AS400 or OS390 command in a URL parameter.

Sample:
www.client.com/Servlet.srv?codeLogon=logon+applid+(tesre01)

I saw on multiple web sites that I could add a command like:
www.client.com/Servlet.srv?codeLogon=logon+applid+(tesre01)+DATA(stuff)

Does anyone have an idea about how I could exploit this? Like a default application, ...

Fred.

--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com

