
Penetration Testing mailing list archives
RE: Directory Traversal on File Upload
From: mcleano <almcer () hotmail com>
Date: Tue, 2 Aug 2011 04:24:10 -0700 (PDT)
This still gets a 502 error. Looks like it's not the server blocking a port from opening but the directory not having php execution enabled.

Brett Moore-2 wrote:

Try uploading a more simple file first to test for file execution.

<?php phpinfo(); ?>

Is always a good start.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of mcleano
Sent: Tuesday, 2 August 2011 5:30 a.m.
To: pen-test () securityfocus com
Subject: Directory Traversal on File Upload

Hi guys,

I'm doing a pentest on a friend's website that he made for coursework at uni and I've come to a stop. I've gained access to an administrator account and have access to a file upload facility which allows me to upload a php file as there are no checks on the file type but the php file goes into an image folder which I believe has the 'NoExec' option turned on in the Apache configuration. The reason I think that is that when I try to access the php page (which happens to be a reverse-shell) I get a 502 "server dropped connection" error message. Clarification to that would be nice if anyone knows?

So my question is, is there any way to upload to the parent directory and how might I go about doing it? Or some kind of point in the right direction?

Thank you.

Regards,
Alan

--
View this message in context: http://old.nabble.com/Directory-Traversal-on-File-Upload-tp32171687p32171687.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
--
View this message in context: http://old.nabble.com/Directory-Traversal-on-File-Upload-tp32171687p32177082.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
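
Added example, not part of the original thread or written by its participants: a PHP upload handler with the file-type check the message says is missing, and a server-generated file name so that nothing in the client's request can steer the stored path out of the image folder. The constant `UPLOAD_DIR`, the function `store_image_upload()`, the directory path and the allow-list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. UPLOAD_DIR and store_image_upload() are assumed names, not from the thread.
const UPLOAD_DIR = '/var/www/site/images';   // assumed location of the image folder

/**
 * Validate one entry of $_FILES and store it under UPLOAD_DIR.
 * Returns the stored file name; throws RuntimeException on any rejected upload.
 */
function store_image_upload(array $file): string
{
    // Content type => extension we are willing to write to disk.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed');
    }

    // Type check on the file's content; the client-sent name and MIME type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, $allowed)) {
        throw new RuntimeException('file type not allowed');
    }

    // Server-generated name: no "../" from the client can reach the path, and the
    // extension comes from the allow-list, so the file is never stored as ".php".
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

    $base = realpath(UPLOAD_DIR);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory missing');
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644);   // readable by the web server, not executable
    return $name;
}

// Usage in a request handler (form field name "image" is an assumption):
// $stored = store_image_upload($_FILES['image']);
```

Content sniffing can be satisfied by a file that merely begins with valid image bytes, so keeping script execution disabled for the image directory, as the thread suspects this server does, remains a useful second layer.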
Current thread:
- Directory Traversal on File Upload mcleano (Aug 01)
- Re: Directory Traversal on File Upload Adam Mooz (Aug 01)
- Re: Directory Traversal on File Upload mcleano (Aug 04)
- RE: Directory Traversal on File Upload Brett Moore (Aug 01)
- RE: Directory Traversal on File Upload mcleano (Aug 04)
- Re: Directory Traversal on File Upload Adam Mooz (Aug 01)