Penetration Testing mailing list archives

Pen on IIS with webroot not on C

From: "A. Caruso" <acaruso () houston rr com>
Date: Wed, 12 Mar 2003 03:54:30 -0600

Hi all:

I have been muking around with different file system traversal exploits for IIS and playing with some of the tools.  
Most of the tools depend on the default install of IIS with webroot on c:.  I've moved webroot to d: on my toybox and 
haven't been able to jump back to c: to get a shell (cmd).  Does anyone know of a mechanism to "jump" file systems.  I 
haven't been able to find anything after RFP said (in his unicode paper) the syntax doesn't exist to do this.  (I think 
that's where I saw it).
eg
GET /scripts/../../../%systemroot%/cmd.exe (insert appropriate unicode)

Short of jumping file systems, what about uploading a shell to webroot through the .ida vuln?  (I left those patches 
off for play).

Thanks.

-Tony




----------------------------------------------------------------------------

Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html

Current thread:

Pen on IIS with webroot not on C A. Caruso (Mar 12)
- Re: Pen on IIS with webroot not on C Javier Fernandez-Sanguino (Mar 13)
- Re: Pen on IIS with webroot not on C Nicolas Gregoire (Mar 13)
- <Possible follow-ups>
- Re: Pen on IIS with webroot not on C Chris McNab (Mar 13)