re: Injecting commands into a mainframe through a servlet

[Andrew Cathrow <andrew () cathrow com>]

The applid certainly does sound like it's a mainframe rather
than an as/400.

The initial screen you see when you connect to a mainframe via
TN3270 usually asks for an applid which could be a CICS
region, IMS region or a TSO session. It'd be hard to suggest
where to go from here without knowing a little more of what
this servlet is doing.
What output do you get from the servlet, and what's in the
http headers? 

Is the servlet running on the mainframe ? Can you telnet to
the mainframe ?  Try a 3270 emulator like x3270 or mochasoft
from http://www.mochasoft.dk



---- Original message ----
> Date: Wed, 08 Jun 2005 14:37:49 +0200
> From: Frederic Charpentier <fcharpen () xmcopartners com>  
> Subject: Injecting commands into a mainframe through a servlet  
> To: pen-test () securityfocus com
>
> hi all,
> I'm conducting a pentest and I found a url with something
like AS400 or 
> OS390 command in a url parameter.
>
> sample :
> www.client.com/Servlet.srv?codeLogon=logon+applid+(tesre01)
>
> I saw a multiple web site that I could add command like :
> www.client.com/Servlet.srv?codeLogon=logon+applid+(tesre01)+DATA(stuff)
>
> Anyone have I idea about howx I could exploit this ? like
default 
> application, ...
>
> Fred.
>
> -- 
> Frederic Charpentier - Xmco Partners
> Security Consulting / Pentest
> web  : http://www.xmcopartners.com