Penetration Testing mailing list archives
Re: Pentesting Webserver
From: infolookup () gmail com
Date: Tue, 30 Oct 2007 00:56:21 +0000
I tried doing a few commands after I telneted to it but it required more rights. I the only venue of sucess I got so far was loging in to the admin management page of the site, which is where I was trying to see if I could get further. Sent via BlackBerry from T-Mobile -----Original Message----- From: cwright () bdosyd com au Date: 29 Oct 2007 21:38:47 To:pen-test () securityfocus com Subject: Re: Pentesting Webserver Have you tested to see if the FTP server is allowing uploads? Is the upload directory shared if one exists? I would not bypass FTP so soon. Don’t forget the 2001 Apache compromise… See Hal Pomeranz’s PPT at http://www.baylisa.org/library/slides/2002/baylisa-oct02.pdf Regards, Craig Wright ---In Reply to--- Hello all, I am in the middle of a test, so far I found out ftp, amount other things allows anonymous login, but my main concern is looking for sql injection points. I used Paros and found a point, I can enter something like anything' x' or x=x' for both the username and email filed on the form and that would allow me to login as username admin, now I would like to know how can I use this to get a full list of accounts and what not to include in my report. I tried doing some queries of this nature from the web browser but I am not even getting an error message, ex http://test.com?email=code&password=code Sql is a new area for me so any and all help is needed ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Pentesting Webserver sherwyn . williams (Oct 29)
- <Possible follow-ups>
- Re: Pentesting Webserver cwright (Oct 29)
- Re: Pentesting Webserver infolookup (Oct 30)
- Re: Pentesting Webserver Arian Amador (Oct 30)
- Re: Re: Pentesting Webserver cwright (Oct 30)