Penetration Testing mailing list archives

Web App Script Capture


From: Jon Kibler <Jon.Kibler () aset com>
Date: Tue, 29 Sep 2009 09:00:33 -0400

All,

If you have a web app that has path traversal and null byte vulnerabilities, but
not remote command execution or file upload, is there any way to manipulate the
web server to allow remote retrieval of script source code (e.g., php, perl, asp)
without it being executed by the web server?

TIA!!

Jon K.
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

