Penetration Testing mailing list archives
Re: IIS 3.0 pen-test
From: Parth Galen <Parth_Galen () ziplip com>
Date: Thu, 5 Jul 2001 12:40:09 -0700 (PDT)
As I understand it (and I am open to correction or clarification), the \scripts folder is like the current directory and where you are getting the execute right even though you are executing cmd.exe in another folder. Unless you can find another folder with execute rights and that can traverse back to %systemroot%, you are out of luck.

Below are the folders with execute rights in IIS 4, but I do not know how well this matches to IIS 3.

/W3SVC/ROOT/msadc (to physical mapping) c:\program files\common\system\msadc
/W3SVC/ROOT/News (to physical mapping) c:\inetpub\news
/W3SVC/ROOT/Mail (to physical mapping) c:\inetpub\mail
/W3SVC/ROOT/cgi-bin (to physical mapping) c:\inetpub\wwwroot\cgi-bin
/W3SVC/ROOT/SCRIPTS (to physical mapping) c:\inetpub\scripts
/W3SVC/ROOT/IISADMPWD (to physical mapping) c:\winnt\system32\inetsrv\iisadmpwd
/W3SVC/ROOT/_vti_bin (to physical mapping) Installed with FrontPage Extensions
/W3SVC/ROOT/_vti_bin/_vti_adm (to physical mapping)
/W3SVC/ROOT/_vti_bin/_vti_aut (to physical mapping)

Good luck!

Parth
-----Original Message-----
From: Alex Balayan [mailto:alex.balayan () Nettasking com]
Sent: Thursday, July 05, 2001, 9:36 AM
To: "'pen-test () securityfocus com'" <pen-test () securityfocus com>
Cc: "'Security-basics () securityfocus com'" <Security-basics () securityfocus com>
Subject: IIS 3.0 pen-test

Hi all,

I am conducting a penetration test for one of our clients and some of the webservers they are running are IIS 3.0.

Well, besides the rest of the vulnerabilities with MS IIS 3.0, I tested the servers for Unicode and it seemed they were vulnerable. (I checked using a Perl script that I found on Packetstorm); it discovered that the servers were vulnerable to various forms of the Unicode vulnerability.

OK, now to the meat of it. I opened my browser and attempted a directory listing using the scripts directory (which I know existed). I got an error saying "HTTP/1.0 403 Access Forbidden (Execute Access Denied - This Virtual Directory does not allow objects to be executed.)"

I'm guessing that execution of commands is not allowed on that directory. I also tried with the msadc directory (which I know existed), but with the same result as above.

Does anyone have any ideas on this one? I basically want to know if it's possible to use the Unicode vulnerability to execute commands remotely.

Thanks in advance.

--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Never ascribe to malice that which can be explained by incompetence. -- Napoleon
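For administrators reviewing their own servers, the condition described in the reply (an execute-enabled folder that can traverse back to %systemroot%) can be checked against a virtual-directory listing. This is an added example, not part of the original thread; it assumes "can traverse back" means the physical path is on the same volume as %systemroot%, takes c:\winnt as %systemroot%, and the function name `audit` is hypothetical.

```python
import ntpath

# Virtual directory -> physical path, copied from the IIS 4 list in the reply.
# The _vti_bin entries are omitted because the post gives no physical path.
EXEC_VDIRS = {
    "/W3SVC/ROOT/msadc": r"c:\program files\common\system\msadc",
    "/W3SVC/ROOT/News": r"c:\inetpub\news",
    "/W3SVC/ROOT/Mail": r"c:\inetpub\mail",
    "/W3SVC/ROOT/cgi-bin": r"c:\inetpub\wwwroot\cgi-bin",
    "/W3SVC/ROOT/SCRIPTS": r"c:\inetpub\scripts",
    "/W3SVC/ROOT/IISADMPWD": r"c:\winnt\system32\inetsrv\iisadmpwd",
}


def audit(vdirs, system_root, execute_enabled):
    """Classify each virtual directory by how exposed %systemroot% is through it.

    vdirs: mapping of virtual directory -> physical path
    system_root: value of %systemroot% (assumed, e.g. C:\\WINNT)
    execute_enabled: set of virtual directories that still have the execute right
    """
    root = ntpath.normcase(ntpath.normpath(system_root))
    root_drive = ntpath.splitdrive(root)[0]
    findings = {}
    for vdir, phys in vdirs.items():
        path = ntpath.normcase(ntpath.normpath(phys))
        if vdir not in execute_enabled:
            findings[vdir] = "ok: no execute right"
        elif path == root or path.startswith(root + "\\"):
            findings[vdir] = "high: execute right inside system root"
        elif ntpath.splitdrive(path)[0] == root_drive:
            # Relative path traversal stays on one volume, so sharing the
            # system volume is what keeps %systemroot% reachable.
            findings[vdir] = "exposed: execute right on system volume"
        else:
            findings[vdir] = "reduced: execute right on separate volume"
    return findings


if __name__ == "__main__":
    for vdir, finding in audit(EXEC_VDIRS, r"C:\WINNT", set(EXEC_VDIRS)).items():
        print(f"{vdir:28} {finding}")
```

Anything reported as "high" or "exposed" is a candidate for removing the execute right or relocating the content to a volume that does not hold the system directory.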