Penetration Testing mailing list archives

Re: Apache Tomcat 5.5.9 pen-test questions.


From: David Jacoby <dj () outpost24 com>
Date: Tue, 21 Nov 2006 11:46:12 +0100

Hi!

What you could look for is JSP injection and not just SQL injections.
With JSP injections you can execute code and might even get a shell
depending on the configuration of the remote machine.

There are several ways to execute code under JSP, please check the
link below for more information:

http://marc.theaimsgroup.com/?l=tomcat-user&m=103177072408880&w=2

Best regards,
David Jacoby



rlvi_2001 () yahoo com wrote:
Hi everybody. I am wondering if a server only has ports 80 and 22 open. It's using JSP for design. It's running OpenSSH
on port 22. Is there any way to penetrate this server? Also, I am able to find an injection on another site, but I am
not able to extract the table name, and I couldn't do anything about it. I tried to manually guess the table name,
but no goal. Could anybody tell me why this is happening? Thank you very much. This site is running with Apache 2.2.
Thank you very much. Your reply will be greatly appreciated.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



-- 

David Jacoby
Vice President Customer Experience
http://www.outpost24.com

phone: +46-(0)455-612311
fax  : +46-(0)455-13960
email: dj () outpost24 com
