Have you just tried the "+" sign instead of the "&"? That works too. AD ----- Original Message ----- From: "Daniel Polombo" <polombo@cartel-info.fr> To: <pen-testat_private> Sent: Wednesday, October 24, 2001 6:37 AM Subject: Re: IIS : access to cmd.exe and multiple commands on one line > Rainer Duffner wrote: > > > > That may well be the case. > > It gets changed during service-packs and hotfix updates. > > Also, the perl-manual mentions something in the direction of "some > > functionality crept in...". > > > > Anyway, as another poster mentioned, the whole commandline-tools are not > > consistent - and thus not usable beyond simple "batch-files". > > Actually, I believe Ivy Lane hit the nail on the head. The '&' is interpreted > by IIS as a CGI parameter separator, and something in the syntax irks the > server, which returns an invalid parameter error. This is a CGI error, and not > a cmd.exe error. I didn't see that immediately because I'm parsing the errors > to extract only certain parts of the returned HTML page. > > Therefore I am now trying to find a way to pass a '&' to the cmd.exe without > it being interpreted first by the webserver. Hex- or unicode-encoding it is > useless, since IIS will always expand those characters before actually > treating the request. > > Is there some kind of escaping sequence for an URL? RFC 1738 (URL) only states > that '&' is a reserved character, and that %-encoding them should modify the > behaviour of the webserver (ie, that the URL would be actually interpreted > differently with and without %-encoding for a reserved character like '&'), > but it doesn't appear to modify IIS' behaviour. > > Perhaps there are some IIS-specific niceties here as well? > > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 14:34:15 PDT