What about execute permissions in the directory where the web shell
was executed? It too would "execute" .. right? Not read like the other
files you uploaded.
Disclaimer: not checked :) .. just thinking logically.
Arvind
On Wed, Apr 13, 2011 at 7:07 PM, Calderon, Juan Carlos (GE, Corporate,
consultant) <juan.calderon (at) ge (dot) com> wrote:
>
> 3 things on top of my mind
>
> 1. Your page is doing an "unaware" redirection to a non-existing page, so
> it is loaded, but then it redirects you (or transfers you, they are
> different in ASP) and you get the 404 error message
> 2. Antivirus is detecting and removing the shell or putting it on
> quarantine (not likely if it is a web page)
> 3. IIS server is hardened and classic ASP pages are "served" by 404.dll,
> a DLL created by MS to prevent access to pages of certain type.
>
> Hope it helps,
> Juan C Calderon
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
> On Behalf Of Robin Wood
> Sent: Tuesday, April 12, 2011 12:00 PM
> To: webappsec (at) securityfocus (dot) com
> Subject: .asp giving 404
>
> On a recent test I got FTP write access to a web server which had an ASP
> based site on it. I uploaded an ASP shell and tried to browse to it but
> got a 404. I uploaded it to a directory that had directory listing
> enabled and confirmed the file was there but again browsing to it gave a
> 404.
>
> I uploaded a text file and image and could browse to both of those fine.
>
> I also tried downloading an existing page and modifying that then
> re-uploading it but didn't have permission to overwrite the file.
>
> I vaguely remember something to do with file permissions having to be
> set correctly for ASP to run from years ago when I did some dev work in
> it but can't remember. Can someone tell me what was likely to have been
> going on and if there is any way around it given the access I had?
>
> Robin
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
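The three explanations in the quoted reply leave different traces in the server's own IIS W3C log, which is where an administrator can tell them apart. The following is an added example, not part of the thread: the log lines are constructed, the cause labels are hypothetical names, and it relies on the IIS sub-status codes 404.2 (ISAPI/CGI or web service extension restriction) and 404.3 (MIME map restriction).

```python
# Constructed IIS W3C extended log lines (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus
2011-04-12 16:01:10 GET /uploads/readme.txt 200 0
2011-04-12 16:01:30 GET /uploads/test.asp 404 2
2011-04-12 16:02:05 GET /old/page.asp 302 0
2011-04-12 16:02:05 GET /old/missing.asp 404 0
2011-04-12 16:03:40 GET /img/gone.asp 404 0
"""

SCRIPT_EXTS = (".asp", ".asa", ".aspx")
# Sub-statuses meaning "file may exist, but the server refuses to run it".
POLICY_SUBSTATUS = {"2": "handler-blocked", "3": "no-handler-or-mime-map"}


def parse(log_text):
    """Turn W3C log text into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def classify_404s(rows):
    """Label each 404 on a script URI with the most likely cause."""
    findings, prev = [], None
    for row in rows:
        uri = row["cs-uri-stem"].lower()
        if row["sc-status"] == "404" and uri.endswith(SCRIPT_EXTS):
            if row["sc-substatus"] in POLICY_SUBSTATUS:
                # Hardened server: script mapping prohibited (reply item 3).
                cause = POLICY_SUBSTATUS[row["sc-substatus"]]
            elif (prev and prev["sc-status"] in ("301", "302")
                  and prev["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)):
                # A script ran and redirected to a missing page (item 1).
                # A server-side transfer adds no second log line, so only
                # the redirect case is visible this way.
                cause = "redirect-to-missing-page"
            else:
                # Plain 404.0: file absent, e.g. removed after upload (item 2).
                cause = "not-found-on-disk"
            findings.append((row["cs-uri-stem"], cause))
        prev = row
    return findings


if __name__ == "__main__":
    for uri, cause in classify_404s(parse(SAMPLE_LOG)):
        print(uri, cause)
```

A 404.2 or 404.3 on a script path that sits in a directory writable over FTP is also worth alerting on, since it records an attempt to execute an uploaded file that the hardening stopped.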