Re: Pentesting Webserver




Have you tested to see if the FTP server is allowing uploads? Is the upload directory shared if one exists? I would not bypass FTP so soon.
Don't forget the 2001 Apache compromise...
See Hal Pomeranz's PPT at http://www.baylisa.org/library/slides/2002/baylisa-oct02.pdf
Regards,
Craig Wright
---In Reply to---
Hello all,
I am in the middle of a test, so far I found out ftp, among other things, allows anonymous login, but my main concern is looking for SQL injection points.
I used Paros and found a point, I can enter something like anything' x' or x=x' for both the username and email field on the form and that would allow me to log in as username admin, now I would like to know how can I use this to get a full list of accounts and what not to include in my report.
I tried doing some queries of this nature from the web browser but I am not even getting an error message, ex http://test.com?email=code&password=code
SQL is a new area for me so any and all help is needed.
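
Added example, not part of the original thread: a minimal Python/sqlite3 sketch of why a quote-based tautology in the username and email fields logs in as the first account, shown beside the parameterized form that a report would recommend as the fix. The table layout, function names and sample values are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; "admin" is the first row, as in the reported finding.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "admin@example.test"),
                    ("alice", "alice@example.test")])
    return db

def login_concat(db, username, email):
    # Vulnerable pattern: form values are pasted into the SQL text, so a
    # quote in the input changes the structure of the WHERE clause.
    sql = ("SELECT username FROM users "
           "WHERE username = '%s' AND email = '%s'" % (username, email))
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # Many applications swallow the syntax error, which is why a tester
        # may see no error message even though the query is injectable.
        return None
    return row[0] if row else None

def login_param(db, username, email):
    # Hardened pattern: placeholders keep the input as data, never as SQL.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND email = ?",
        (username, email)).fetchone()
    return row[0] if row else None

def bypasses_login(login_fn, db):
    # Regression check: does an always-true condition authenticate anyone?
    tautology = "x' OR 'x'='x"  # constructed test input
    return login_fn(db, tautology, tautology) is not None

if __name__ == "__main__":
    db = make_db()
    print("concatenated query bypassed:", bypasses_login(login_concat, db))
    print("parameterized query bypassed:", bypasses_login(login_param, db))
```
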
