Re: generic privilege escalation
From: Valdis.Kletnieks vt.edu
Date: Fri Jan 02 2004 - 14:39:35 CST

On Wed, 31 Dec 2003 18:00:06 EST, Ben Greenberg <benfallout2 hotmail.com> said:
> -ability to execute commands one at a time statelessly through the url, and
> with a response to the browser ESCALATE TO a netcat created port for
> connecting to a shell
>
> -also is there any document with generically applicable php, asp, server
> side include command execution/privilege escalation?

Fortunately for us, there's no *generic* way to do it. Think about the
implications if it were so. Usually, what's required is:

1) an initial break that allows commands. This probably *won't* have sufficient
leverage by itself, unless the command you can run is 'sh | netcat' ;)

2) You then need to chain on OTHER issues and take tiny baby steps towards
the goal. Not all tricks will work in all environments, so this really is a
test-and-see problem.

For one of the best "how it *really* works" in practice, see Liu Die Yu's
"Six Step IE Remote Compromise Cache Attack". No one bug is enough;
there's a lot of jumping through hoops.