Re: IIS : access to cmd.exe and multiple commands on one line
From: Alex Butcher (pentest) (pentest@cocoa.demon.co.uk)Date: 10/23/01
- Previous message: Rebecca Kastl: "Re: IIS : access to cmd.exe and multiple commands on one line"
- In reply to: Daniel Polombo: "IIS : access to cmd.exe and multiple commands on one line"
- Next in thread: Emre Yildirim: "Re: IIS : access to cmd.exe and multiple commands on one line"
- Reply: Emre Yildirim: "Re: IIS : access to cmd.exe and multiple commands on one line"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 23 Oct 2001 21:10:31 +0100 (BST) From: "Alex Butcher (pentest)" <pentest@cocoa.demon.co.uk> To: Daniel Polombo <polombo@cartel-info.fr> Subject: Re: IIS : access to cmd.exe and multiple commands on one line Message-ID: <Pine.LNX.4.33.0110232108170.9115-100000@cocoa.demon.co.uk>
On Tue, 23 Oct 2001, Daniel Polombo wrote:
> Hello,
>
> as you all know, it's possible to exploit a number of IIS bugs to gain
> access to \winnt\system32\cmd.exe and execute arbitrary commands on the
> server. I've been trying to convince it to execute several commands on one
> line (as one would separate commands with a ';' under any decent shell), with
> limited success : on a number of NT/2k boxes, the syntax :
>
> command1 & command2 (eg, cd .. & dir)
>
> works fine. On some other boxes, though, it only returns 'The parameter is
> incorrect'.
>
> It is unclear to me whether this problem happens only because of the way the
> request is made (http://path/to/cmd.exe?/c+command1&command2), or if there are
> really different versions of cmd.exe.
A suggestion: have you tried copying cmd.exe to some other filename (e.g.
foo.exe) and then use *that* to execute the multiple command line? Just
thinking that if redirection doesn't work without using a copy of cmd.exe,
maybe some other aspects don't either.
> Regards,
> Daniel
Best Regards,
Alex (no NT box to test on, for now :)
-- Alex Butcher Brainbench MVP for Internet Security: www.brainbench.com Berkshire, UK Is *your* company hiring UNIX/Security/Pen. testing folks? PGP/GnuPG ID:0x271fd950 http://www.cocoa.demon.co.uk/cv/---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
- Previous message: Rebecca Kastl: "Re: IIS : access to cmd.exe and multiple commands on one line"
- In reply to: Daniel Polombo: "IIS : access to cmd.exe and multiple commands on one line"
- Next in thread: Emre Yildirim: "Re: IIS : access to cmd.exe and multiple commands on one line"
- Reply: Emre Yildirim: "Re: IIS : access to cmd.exe and multiple commands on one line"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
