Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Alert: RDS IIS vulnerability/fix
From: storm () UNIKEY COM BR (Wanderley J. Abreu Junior)
Date: Sun, 25 Jul 1999 16:20:59 -0300

  Well Query lets us run queries against an (existing) database.  And we
know we can embed our pipe-VBA-shells in queries, so Query looks good.
But this is nothing spectacular.  And there is one catch: the need for an
existing database.  We need to pass a DSN to the ActiveDataFactory to
actually run the query on.  The problem with the DSN is that:

1.  DSNs can require UIDs and passwords

    yes, but actually there's a DSN called advworks that is automatically
configured by RDS Server and don't require password (As you have mencioned
in the third part of this doc).
   And using the method bellow (showcode.asp) you can pick up some DSN UIDs
and passwords without any problems.

2.  There's no way to get a list of available DSNs
(** through RDSServer.DataFactory functions, that
I'm aware of **)

             You're right. But since Advanced Data Control  packet comes
with some more As-Designed-bug-features like
/msadc/samples/SELECTOR/showcode.asp actually there's a way to retrieve the
ODBC list wich is in  \winnt\odbc.ini.

        IIS 3 also has /scripts/tools and /scripts/samples features and
plus! If you enter some maped script extension like http://server/jerk.idc
it returns to you the exactly directory where the Web page is stored like
   c:\Inetpub\wwwroot\  even if you handled 404 error to another page. Since
NT 4.0 comes with IIS 3 there's a large number of server using this version

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]