Penetration Testing mailing list archives
Re: Re: Pentesting Webserver
From: cwright () bdosyd com au
Date: 30 Oct 2007 23:16:26 -0000
If you can upload images, then you could try uploading scripts or other code. Vulnerable code may be used to have the mySQL server escalate you. Poorly formated uploads could also be used to try a heap or stack attack. Regards, Craig Wright (GSE-Compliance) ---in reply to --- I tried doing a few commands after I telneted to it but it required more rights. I the only venue of sucess I got so far was loging in to the admin management page of the site, which is where I was trying to see if I could get further. Sent via BlackBerry from T-Mobile -----Original Message----- From: cwright (at) bdosyd.com (dot) au [email concealed] Date: 29 Oct 2007 21:38:47 To:pen-test (at) securityfocus (dot) com [email concealed] Subject: Re: Pentesting Webserver Have you tested to see if the FTP server is allowing uploads? Is the upload directory shared if one exists? I would not bypass FTP so soon. Don?t forget the 2001 Apache compromise? See Hal Pomeranz?s PPT at http://www.baylisa.org/library/slides/2002/baylisa-oct02.pdf Regards, Craig Wright ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Pentesting Webserver sherwyn . williams (Oct 29)
- <Possible follow-ups>
- Re: Pentesting Webserver cwright (Oct 29)
- Re: Pentesting Webserver infolookup (Oct 30)
- Re: Pentesting Webserver Arian Amador (Oct 30)
- Re: Re: Pentesting Webserver cwright (Oct 30)