IIS : access to cmd.exe and multiple commands on one line
From: Daniel Polombo (polombo@cartel-info.fr)
Date: 10/23/01
- Previous message: Alfred Huger: "Article on Full Disclosure"
- Next in thread: hellNbak: "Re: IIS : access to cmd.exe and multiple commands on one line"
- Reply: hellNbak: "Re: IIS : access to cmd.exe and multiple commands on one line"
- Reply: Rebecca Kastl: "Re: IIS : access to cmd.exe and multiple commands on one line"
- Reply: Alex Butcher (pentest): "Re: IIS : access to cmd.exe and multiple commands on one line"
- Reply: Rainer Duffner: "Re: IIS : access to cmd.exe and multiple commands on one line"
- Reply: Garreth Jeremiah/Markham/IBM: "Re: IIS : access to cmd.exe and multiple commands on one line"
- Reply: Sam Steinmeyer: "RE: IIS : access to cmd.exe and multiple commands on one line"
Message-ID: <3BD53160.5060800@cartel-info.fr>
Date: Tue, 23 Oct 2001 10:59:12 +0200
From: Daniel Polombo <polombo@cartel-info.fr>
To: pen-test@securityfocus.com
Subject: IIS : access to cmd.exe and multiple commands on one line

Hello,
as you all know, it's possible to exploit a number of IIS bugs to gain
access to \winnt\system32\cmd.exe and execute arbitrary commands on the
server. I've been trying to convince it to execute several commands on one
line (as one would separate commands with a ';' under any decent shell), with
limited success: on a number of NT/2k boxes, the syntax:
command1 & command2 (e.g., cd .. & dir)
works fine. On some other boxes, though, it only returns 'The parameter is
incorrect'.
It is unclear to me whether this problem happens only because of the way the
request is made (http://path/to/cmd.exe?/c+command1&command2), or if there are
really different versions of cmd.exe.
I would assume the former, but I fail to see why it would work on some boxes
and not others, given the same commands and command separator.
I've tried unicode-encoding the '&', with simple and double encoding (%26 and
%2526, respectively), but on the boxes which refuse plain '&', it doesn't work
either.
I'd like to get this to work in order to execute several commands on a remote
box in the same context (as opposed to several different connections), w/o
uploading anything to the box (yet :).
Any ideas would be welcome.
Regards,
Daniel
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
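
For defenders reviewing web server logs, the request shapes described in this message (cmd.exe in the path, a /c command string, and '&' sent plain, as %26 or as %2526) can be flagged with a short script. This is an added example, not part of the original post; the function names and the sample request targets are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Path ends in cmd.exe, reached through either slash style.
CMD_EXE = re.compile(r"(^|[/\\])cmd\.exe$", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2526 -> %26 -> & ends up as a plain '&'.
    Returns (decoded_text, number_of_rounds_that_changed_the_text)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def inspect_target(target):
    """Return a list of findings for one request target (path?query)."""
    path, _, query = target.partition("?")
    path, path_rounds = fully_decode(path)
    query, query_rounds = fully_decode(query)
    if not CMD_EXE.search(path):
        return []
    findings = ["cmd.exe requested"]
    if re.match(r"/c(\+|\s)", query, re.IGNORECASE):
        findings.append("/c command string")
    if "&" in query:
        findings.append("command separator '&'")
    # More than one decoding round means the client double-encoded something.
    if max(path_rounds, query_rounds) > 1:
        findings.append("multiply percent-encoded")
    return findings

# Constructed sample request targets, modelled on the URL form in the message.
SAMPLES = [
    "/path/to/cmd.exe?/c+cd+..&dir",
    "/path/to/cmd.exe?/c+cd+..%26dir",
    "/path/to/cmd.exe?/c+cd+..%2526dir",
    "/index.html?a=1&b=2",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(target, "->", inspect_target(target) or "clean")
```
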