Penetration Testing mailing list archives

Help with web app pen test


From: devoid () hush com
Date: Sun, 9 Feb 2003 15:56:44 -0800


List members,

Currently I'm performing an external pen test on two web applications. I was wondering if I could get a little 
encouragement and possibly some assistance. 

The apps are PlanWeb and PlanHR by Pyramid Digital Solutions.  The box the apps reside on is WinNT 4.0 running IIS 4 
sitting behind a firewall. The only open ports are 80 and 443. Going to port 80 gives a big fat "403.4 Forbidden: SSL 
required" page. I've hammered the site with Nikto on both port 80 and 443. The only thing I get are XSS and the new XSS 
trace hits from the libwhisker Perl module. (Yeah, I'm using the latest LW.pm.) 

The cookie comes back as Siteserver=biglonghashedtypedealhere. I got a couple thousand of them and looked for 
similarities, or patterns better yet, but found none. (Manual process, if I had found an automated tool for looking at 
similarities perhaps my luck would have been better.) 

So far I haven't had much luck at all. Everything done in the app goes to an exe file. The url looks like this 
https://pen-test.server.com/directory/file.exe?. I've tried appending all sorts of goodness to the end of the url. No 
luck. I did manage to get into the application with a default username and password combo. I simply replaced the 
file.exe with file.ini and IIS let me download said ini file which contained a default user id and password. I'm going 
through the app trying to find any way to upload to the server. There are a host of forms in the application but none 
look like they will allow me to write a file. 

Part of the app is a backend SQL box. I'm going to try some SQL injection through the application's forms, but I'm 
confident it's going to fail. I hammered the developers with that the last test. 

Anyway, I was just curious if there was something new that I've been missing. Any suggestions would be greatly 
appreciated. 

Thanks. 

devoid 
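
A detection-side view of the file.ini download described in the message, as an added example that is not part of the original post: it scans IIS logs in W3C Extended format for requests to configuration-type files that share a path stem with a requested executable, and marks the ones the server actually returned. The log lines, extension lists and function names are constructed for illustration.

```python
import posixpath

# Assumed extension lists; tune them to what the site really hosts.
CONFIG_EXTS = {".ini", ".cfg", ".conf", ".config", ".bak", ".old"}
EXEC_EXTS = {".exe", ".dll", ".asp"}

# Constructed sample in W3C Extended Log Format; addresses and paths are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-02-09 15:40:01 192.0.2.10 GET /directory/file.exe - 200
2003-02-09 15:41:12 192.0.2.10 GET /directory/file.ini - 200
2003-02-09 15:41:30 192.0.2.10 GET /directory/file.bak - 404
2003-02-09 15:42:02 198.51.100.7 GET /directory/File.EXE action=list 200
2003-02-09 15:43:55 198.51.100.7 GET /images/logo.gif - 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def split_path(row):
    # IIS paths are case-insensitive, so compare in lower case.
    return posixpath.splitext(row["cs-uri-stem"].lower())

def sibling_config_requests(text):
    """Return (client, path, served) for config-type requests whose stem
    matches an executable seen in the same log; served means status 200."""
    rows = list(parse_w3c(text))
    exec_stems = {stem for stem, ext in map(split_path, rows) if ext in EXEC_EXTS}
    hits = []
    for row in rows:
        stem, ext = split_path(row)
        if ext in CONFIG_EXTS and stem in exec_stems:
            hits.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"] == "200"))
    return hits

if __name__ == "__main__":
    for client, path, served in sibling_config_requests(SAMPLE_LOG):
        print(client, path, "SERVED" if served else "not served")
```

A served hit means the file is readable as static content; removing it from the web root or denying the extension at the server closes that gap.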


