EH-Net

Resources => Tutorial Requests => Topic started by: Rafales on June 23, 2009, 10:54:15 AM



Title: How to remote upload File / Folder in a 403: Forbidden / Write protected Folder
Post by: Rafales on June 23, 2009, 10:54:15 AM
Hi Friends,

This is purely ethical hacking and it is a test for me, so please help me with this issue. It's urgent.

I want to create / remote upload a File and Folder in the Web Server that has got vulnerabilities.

Example host:
Code:
http://101.120.27.21/


Server Type: Microsoft-IIS/6.0
Server Side: PHP/ASP
Application Server: PHP
Web Server: IIS, IIS6


Note: The website / webserver has got lots of vulnerabilities like Blind SQL Injection, Cross-Site Scripting, PHP Remote File Inclusion, SQL Injection, Stored Cross-Site Scripting, Windows File Parameter Alteration, Link Injection (facilitates Cross-Site Request Forgery), Unencrypted Login Request etc....

Example URL:
Code:
http://101.120.27.21/gulli_database/


Now I want to create a Folder and remote upload a File under the "gulli_database" directory. The "gulli_database" directory is write protected / 403: Forbidden.

Please help me with how to create a Folder and remote upload the file under the "gulli_database" directory. Are there any scripts / exploits to bypass the folder protection and write in the folder?

The File and folder should be uploaded remotely. The gulli_database/ is Forbidden / Write Protected for any users. Only admins can write inside the folder. Anonymously I have to bypass it and write into that folder "gulli_database/". Are there any commands / scripts I can execute in the URL of the browser, or do any tools exist to bypass the permissions of the folder and remote upload to the write protected directory?

I tried the HTTP PUT/MKCOL methods but they don't work. I can view the contents of the directory. There is a guest book "comment" field where scripts can be injected.

I am connecting to my remote server. WebDAV is enabled but the PUT and MKCOL methods are disabled. There is also a guest book that is vulnerable to injection.


Please guide me on how to go about it.


Thanks and Regards
Rafales


Title: Re: How to remote upload File / Folder in a 403: Forbidden / Write protected Folder
Post by: Ketchup on June 23, 2009, 02:07:53 PM
This looks suspiciously like a homework assignment.  ;)

I think that you should look into the MSSQL xp_cmdshell stored procedure. Assuming your database user has access to this procedure and can write to the directory where you would like to upload the file, it should do the trick.


Title: Re: How to remote upload File / Folder in a 403: Forbidden / Write protected Folder
Post by: timmedin on June 23, 2009, 11:09:12 PM
Do you know the underlying RDBMS? If you don't, send a malformed SQL injection and see what error is returned in order to determine the RDBMS. If you can get SQL injection you may be able to write a PHP file (PHP shell) to do your dirty work.


Title: Re: How to remote upload File / Folder in a 403: Forbidden / Write protected Folder
Post by: Rafales on June 24, 2009, 02:19:12 AM
Now I have the Admin user name and pass of http://101.120.27.21/

Server Type: Microsoft-IIS/6.0
Server Side: PHP/ASP
Application Server: PHP
Web Server: IIS, IIS6


Now I need to upload a file from my local system C:\test.txt to http://101.120.27.21/gulli_database/

First I need to remotely login as admin to the remote webserver and then copy a text file from the local system (C:\text.txt) to the remote folder http://101.120.27.21/gulli_database/

If I don't log in as admin I get an "Access Denied" error message when I copy a txt file to gulli_database. How do I log in to the remote web server as admin?
 
What type of connection should I use? Will "Net Use" commands help or should I try through FTP / Telnet?

Which method will be successful: Net Use commands / Telnet / FTP?

Please give me the syntax and commands for NET USE commands / FTP / Telnet.

Step 1. Login to remote web server as admin from my Local System
Step 2. copy C:\text.txt to http://101.120.27.21/gulli_database/ and create a Folder name "Test" in http://101.120.27.21/gulli_database/

Please guide me in this regard

Thanks and Regards
Rafales


Title: Re: How to remote upload File / Folder in a 403: Forbidden / Write protected Folder
Post by: timmedin on June 27, 2009, 06:17:34 PM
What is this server? This is a publicly routable IP address.