Penetration Testing
Directory Traversal on File Upload Aug 01 2011 05:30PM mcleano (almcer hotmail com) (2 replies) Re: Directory Traversal on File Upload Aug 02 2011 04:28AM Adam Mooz (adam mooz gmail com) (1 replies) |
<?php
phpinfo();
?>
Is always a good start.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
Behalf Of mcleano
Sent: Tuesday, 2 August 2011 5:30 a.m.
To: pen-test (at) securityfocus (dot) com [email concealed]
Subject: Directory Traversal on File Upload
Hi guys,
I'm doing a pentest on a friend's website that he made for coursework at uni
and I've come to a stop. I've gained access to an administrator account and
have access to a file upload facility which allows me to upload a php file
as there are no checks on the file type but the php file goes into an image
folder which I believe has the 'NoExec' option turned on in the Apache
configuration. The reason I think that is that when I try to access the php
page (which happens to be a reverse-shell) I get a 502 "server dropped
connection" error message. Clarification to that would be nice if anyone
knows? So my question is, is there any way to upload to the parent directory
and how might I go about doing it? Or some kind of point in the right
direction?
Thank you. Regards,
Alan
--
View this message in context:
http://old.nabble.com/Directory-Traversal-on-File-Upload-tp32171687p32171687.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
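
For whoever maintains an upload facility like the one described in this thread, the following is an added example (not part of the original messages) of the server-side checks the post says are missing: a content-based type check and a server-generated filename, so a client-supplied name can neither carry a `.php` extension nor point at a parent directory. The function name `store_upload`, the `UPLOAD_DIR` path and the form field name `image` are assumptions.

```php
<?php
// Added example. UPLOAD_DIR is an assumed path; the web server should be
// configured so that nothing under it is ever handed to the PHP interpreter.
const UPLOAD_DIR = '/var/www/uploads/images';

function store_upload(array $file): string
{
    // Accept only a completed HTTP upload that PHP itself wrote to its temp dir.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Allowlist of content types and the extension each one is stored under.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    // Decide the type from the file's bytes, never from $file['name'] or
    // $file['type'], both of which are chosen by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, $allowed)) {
        throw new RuntimeException('file type not allowed');
    }

    // Discard the client's filename entirely. A random server-side name has no
    // path separators, no "../" sequences and no attacker-chosen extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

    $base = realpath(UPLOAD_DIR);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory missing');
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // stored as data: readable, never executable
    return $name;       // keep the original name, if needed, in a database
}

// Usage inside the upload endpoint ("image" is the assumed form field name).
if (isset($_FILES['image'])) {
    try {
        echo 'stored as ' . store_upload($_FILES['image']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage();
    }
}
```

A content-type check alone does not stop a file that is both a valid image and contains script text, which is why the fixed extension and the non-executing upload directory matter as much as the allowlist.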