I think that this has alot to do with the various option supported by the cmd.exe executable under windows. Certain versions ( notably those in WinNT and Win2K ) have the ability to perform this function and is described int he HELP file for CMD. the actual seperators are probably affected by the parsing of IIS...... ======= Win23K cmd help ======================================= Note that multiple commands separated by the command separator '&&' are accepted for string if surrounded by quotes. Also, for compatibility reasons, /X is the same as /E:ON, /Y is the same as /E:OFF and /R is the same as /C. Any other switches are ignored. If /C or /K is specified, then the remainder of the command line after the switch is processed as a command line, where the following logic is used to process quote (") characters: 1. If all of the following conditions are met, then quote characters on the command line are preserved: - no /S switch - exactly two quote characters - no special characters between the two quote characters, where special is one of: &<>()@^| - there are one or more whitespace characters between the the two quote characters - the string between the two quote characters is the name of an executable file. 2. Otherwise, old behavior is to see if the first character is a quote character and if so, strip the leading character and remove the last quote character on the command line, preserving any text after the last quote character. ______________________________ Garreth J Jeremiah. CCSE,GCIA IT Specialist ( Security ). IBM Canada, SO Network Security. (416) 657-2907 gjeremiaat_private Emre Yildirim <emreat_private To: pen-testat_private g> cc: Subject: Re: IIS : access to cmd.exe and multiple commands on 10/23/2001 one line 06:12 PM Please respond to Emre Yildirim Alex Butcher (pentest) wrote: >>It is unclear to me whether this problem happens only because of the way the >>request is made (http://path/to/cmd.exe?/c+command1&command2), or if there are >>really different versions of cmd.exe. This is probably unrelated to this thread but After playing around with code red infected hosts, I found that http://path/to/cmd.exe?/rcommand+argument works too. For example http://path/to/cmd.exe?/rdir+c:\ displays the contents of C:\. Does anyone know what function the "r" plays in the URL? -- Emre Yildirim <emreat_private> GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 10:24:45 PDT