Vulnerability Development: Re: generic privilege escalation

Re: generic privilege escalation

From: <Valdis.Kletnieks_at_vt.edu>
Date: Fri, 02 Jan 2004 15:39:35 -0500

On Wed, 31 Dec 2003 18:00:06 EST, Ben Greenberg <benfallout2_at_hotmail.com> said:

> -ability to execute commands one at a time statelessly through the url, and
> with a response to the browser ESCALATE TO a netcat created port for
> connecting to a shell
>
> -also is there any document with generically applicable php, asp, server
> side include command execution/privilege escalation?

Fortunately for us, there's no *generic* way to do it. Think about the
implications if it were so. Usually, what's required is:

1) an initial break that allows commands. This probably *won't* have sufficient
leverage by itself, unless the command you can run is 'sh | netcat' ;)

2) You then need to chain on OTHER issues and take tiny baby steps towards
the goal. Not all tricks will work in all environments, so this really is a test-and-see
problem.

For one of the best "how it *really* works" in practice, see Liu Die Yu's
"Six Step IE Remote Compromise Cache Attack". No one bug is enough,
there's a lot of jumping through hoops.

Received on Jan 02 2004