Home page logo

pen-test logo Penetration Testing mailing list archives

Re: IIS : access to cmd.exe and multiple commands on one line
From: "Alex Butcher (pentest)" <pentest () cocoa demon co uk>
Date: Tue, 23 Oct 2001 21:10:31 +0100 (BST)

On Tue, 23 Oct 2001, Daniel Polombo wrote:


   as you all know, it's possible to exploit a number of IIS bugs to gain
access to \winnt\system32\cmd.exe and execute arbitrary commands on the
server. I've been trying to convince it to execute several commands on one
line (as one would separate commands with a ';' under any decent shell), with
limited success : on a number of NT/2k boxes, the syntax :

    command1 & command2  (eg, cd .. & dir)

works fine. On some other boxes, though, it only returns 'The parameter is

It is unclear to me whether this problem happens only because of the way the
request is made (http://path/to/cmd.exe?/c+command1&command2), or if there are
really different versions of cmd.exe.

A suggestion: have you tried copying cmd.exe to some other filename (e.g.
foo.exe) and then use *that* to execute the multiple command line? Just
thinking that if redirection doesn't work without using a copy of cmd.exe,
maybe some other aspects don't either.


Best Regards,
Alex (no NT box to test on, for now :)
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]