HTTP PUT exploitation

From: Tim Russo (trussoat_private)
Date: Fri Sep 28 2001 - 13:02:31 PDT


    Quick question. I have a client who has a misconfigured IIS server (that's
    new) which allows anyone to do HTTP PUT commands and place files on the www
    server. Is exploiting this as simple as "putting" something like netcat in
    the cgi-bin directory and running it with the port listen options? What if
    you cannot place files in the cgi-bin directory? How can I use PUT to get a
    shell on this system? I know this is a basic question but this is the first
    time I found someone has actually done this.
    
    -Tim
    
    