Re: IIS : access to cmd.exe and multiple commands on one line

From: Thor@HammerofGod.com
Date: 10/24/01


From: Thor@HammerofGod.com
To: polombo@cartel-info.fr
Message-ID: <00b801c15cb1$42c02520$af05a8c0@anchorsign.com>
Subject: Re: IIS : access to cmd.exe and multiple commands on one line
Date: Wed, 24 Oct 2001 10:28:08 -0700

Have you just tried the "+" sign instead of the "&"? That works too.
AD

----- Original Message -----
From: "Daniel Polombo" <polombo@cartel-info.fr>
To: <pen-test@securityfocus.com>
Sent: Wednesday, October 24, 2001 6:37 AM
Subject: Re: IIS : access to cmd.exe and multiple commands on one line

> Rainer Duffner wrote:
>
>
> > That may well be the case.
> > It gets changed during service-packs and hotfix updates.
> > Also, the perl-manual mentions something in the direction of "some
> > functionality crept in...".
> >
> > Anyway, as another poster mentioned, the whole commandline-tools are not
> > consistent - and thus not usable beyond simple "batch-files".
>
> Actually, I believe Ivy Lane hit the nail on the head. The '&' is interpreted
> by IIS as a CGI parameter separator, and something in the syntax irks the
> server, which returns an invalid parameter error. This is a CGI error, and not
> a cmd.exe error. I didn't see that immediately because I'm parsing the errors
> to extract only certain parts of the returned HTML page.
>
> Therefore I am now trying to find a way to pass a '&' to the cmd.exe without
> it being interpreted first by the webserver. Hex- or unicode-encoding it is
> useless, since IIS will always expand those characters before actually
> treating the request.
>
> Is there some kind of escaping sequence for an URL? RFC 1738 (URL) only states
> that '&' is a reserved character, and that %-encoding them should modify the
> behaviour of the webserver (ie, that the URL would be actually interpreted
> differently with and without %-encoding for a reserved character like '&'),
> but it doesn't appear to modify IIS' behaviour.
>
> Perhaps there are some IIS-specific niceties here as well?
>
>
> --------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
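
Added example, not part of the original thread: a log check for the behaviour discussed above. Because the server decodes %-encoding before handling the request, the detector decodes the logged URI fields first and then looks for `cmd.exe` with a `&` or `+` in the query. The log lines, the `/app/` path, the addresses and the function names are all constructed for illustration, and the W3C extended field layout is an assumption about how the server is configured to log.

```python
from urllib.parse import unquote

# Constructed W3C extended log lines (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-24 13:37:01 192.0.2.10 GET /app/cmd.exe ONE&TWO 502
2001-10-24 13:37:05 192.0.2.10 GET /app/CMD.EXE ONE%26TWO 502
2001-10-24 13:37:09 192.0.2.10 GET /app/cmd%2Eexe ONE+TWO 200
2001-10-24 13:38:00 192.0.2.22 GET /shop/list.asp cat=1&page=2 200
"""

SEPARATORS = ("&", "+")  # the two characters discussed in the thread


def parse(log_text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def naive_hits(log_text):
    """Match on the raw logged text only; misses encoded and upper-case forms."""
    return [r for r in parse(log_text)
            if "cmd.exe" in r["cs-uri-stem"] and "&" in r["cs-uri-query"]]


def findings(log_text):
    """Decode first (as the server does), then match case-insensitively."""
    hits = []
    for row in parse(log_text):
        stem = unquote(row["cs-uri-stem"]).lower()
        query = unquote(row["cs-uri-query"])  # unquote() leaves '+' untouched
        if not stem.endswith("/cmd.exe"):
            continue
        seps = [s for s in SEPARATORS if s in query]
        hits.append((row["c-ip"], stem, query, seps))
    return hits


if __name__ == "__main__":
    print("raw match:", len(naive_hits(SAMPLE_LOG)), "line(s)")
    for hit in findings(SAMPLE_LOG):
        print("decoded match:", hit)
```
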
