WebApp Sec mailing list archives

Re: post vulnerability scenario


From: Martin Muench <mmuench () it-sec de>
Date: Wed, 12 Mar 2008 15:42:16 +0100

Well, this attack will never work because Wapiti is trying to include the
file boot.ini which is (as far as I know, but I'm not a Windows expert)
always on drive c:.

The error message shows that the INETPUB directory is on drive E:, so
a simple directory traversal attack won't work (at least for this file).

--cut--
This runtime error, 800A000D occurs when you execute a VBScript.  My
suggestion is that there is a VBScript statement that does not understand a
keyword you are using in your script.  Alternatively, you may not be running
the script as an ordinary user and not as an Administrator.
--cut--
Source: http://www.computerperformance.co.uk/Logon/code/code_800A000D.htm


If you have access to the system you are testing, search for a file
on drive e: (maybe a txt or asp file which is part of the application) and
modify the wapiti URL.

Or (better) look at the source code of toplinks-archive-courses-spas.asp

Hope that helps...

Martin

-----Original Message-----
From: davemitch () mailinator com [mailto:davemitch () mailinator com]
Sent: Friday, 7 March 2008 05:40
To: webappsec () securityfocus com
Subject: post vulnerability scenario

hi list,
on using wapiti (a vulnerability scanner for web applications) on an
internal website, the output is a list of attack URLs like the one below

hxxp://***.****.***.***/pages/abstract.asp?paperid=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fboot.ini

On pasting the URL in a browser, the error message is like this

____________________________________________________________________________
Microsoft VBScript runtime error '800a000d'

Type mismatch: '[string: "¿'"("]'

E:\INETPUB\VHOSTS\****.***.***\HTTPDOCS\WEBROOT\PAGES\../includes/toplinks-archive-courses-spas.asp, line 1
____________________________________________________________________________

What needs to be done next to exploit the vulnerability detected by wapiti?
Any suggestions or ideas are welcome.

thankx
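
The drive-letter point from the reply above, as an added example that is not part of the original thread: it resolves the scanner's `paperid` value against the web root shown in the error message and applies a containment check a server-side handler could use. It assumes the parameter is joined onto a directory as a file path (the thread does not confirm this); `vhost.example` stands in for the masked host name, and `resolve` and `is_contained` are hypothetical helpers.

```python
import ntpath                      # Windows path rules, usable on any OS
from urllib.parse import unquote

# Constructed: mirrors the masked path in the error message above.
BASE = r"E:\INETPUB\VHOSTS\vhost.example\HTTPDOCS\WEBROOT\PAGES"

# The value wapiti placed in paperid, exactly as it appears in the URL.
SCANNER_VALUE = "..%2F" * 10 + "boot.ini"


def resolve(base, raw_value):
    """Decode the request value and resolve it against base,
    the way a naive file include would (assumption, see lead-in)."""
    return ntpath.normpath(ntpath.join(base, unquote(raw_value)))


def is_contained(base, raw_value):
    """True only if the resolved path is base itself or lies below it."""
    base_n = ntpath.normcase(ntpath.normpath(base))
    target = ntpath.normcase(resolve(base, raw_value))
    same_drive = ntpath.splitdrive(target)[0] == ntpath.splitdrive(base_n)[0]
    below = target == base_n or target.startswith(base_n + "\\")
    return same_drive and below


if __name__ == "__main__":
    # ".." stops at the root of the drive it started on, so the
    # scanner's probe resolves on E: and never reaches another drive.
    print(resolve(BASE, SCANNER_VALUE))        # E:\boot.ini
    # The containment check rejects it regardless of drive layout,
    # and also rejects absolute and drive-qualified values.
    for value in (SCANNER_VALUE, r"C:\boot.ini", r"\boot.ini", "abstract.asp"):
        print(f"{value!r:70} contained={is_contained(BASE, value)}")
```

The check matters independently of where the web root lives: the traversal value still leaves the intended directory, it just cannot leave the drive.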
