RE: Directory Transversal

From: Walsh, Leo (Leo_Walsh@jeffersonwells.com)
Date: Thu Oct 18 2007 - 08:19:36 EDT


Personally I'd take a slightly different route than trying to see if you
can use the vulnerability to upload a file.

1) Can you execute programs like cmd.exe with this vulnerability?
2) Can you grab the backup SAM file?

If I found a system that allowed either of these I'd stop testing and
notify the project customer immediately. If either of those methods are
allowed then it should be evidence enough that you could take control of
the system if you wished to spend enough time on it. Proving the severe
vulnerability and moving on shows to the client that you are wasting
their time by playing around.

If you really do wish to upload a file to the server then I'd check to
see if you can execute cmd.exe and use it to search for files like
upload.asp or even wget or ftp. There are also likely tools (I just
don't know of any off the top of my head) that will allow you to open a
reverse shell using cmd.exe on the target host.

Please keep us updated with what you find and whether or not this is a
custom web app or one that others might also see in their testing.


-Leo Walsh, GSNA
Jefferson Wells International
816-627-4222 (office)
913-484-8051 (cell)

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of jfvanmeter@comcast.net
Sent: Wednesday, October 17, 2007 12:56 PM
To: pen-test@securityfocus.com
Subject: Directory Transversal


 Hello everyone, I'm in the middle of a test on a app that the following
command works on
http://mycomputer:port#/..//..//..//..//..//..//..//windows/win.ini
and it will prompt me to save the file, if i check my packet capture I
see the contents of the file.

So far I've been unable to get a put or post command to work and was
hoping to get some ideas from you all on things to try.

I've been trying to get nc/telnet and some other tools to help me with
the put comand

Thanks in advance --John

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



******* Internet Email Confidentiality ******* The information
contained in this message may be privileged and confidential and
protected from disclosure. If the reader of this message is not the
intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby
notified that it is strictly prohibited (a) to disseminate,
distribute or copy this communication or any of the information
contained in it, or (b) to take any action based on the information
in it. If you have received this communication in error, please
notify us immediately by replying to the message and deleting it
from your computer.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:10 EDT