EH-Net

Ethical Hacking Discussions and Related Certifications => Web Applications => Topic started by: dreams3577 on December 05, 2011, 02:36:24 AM



Title: How to test if website is writable
Post by: dreams3577 on December 05, 2011, 02:36:24 AM
Morning All

I work for a company whose website has been analysed by an outside company; the outside company did it off their own back and have said that my company's website is 'writable'.
I have checked the permissions and setup and can see nothing wrong; however, I would like to check.

The site sits on a Windows 2003 server, IIS 6, and is ASP coded.

How would I check to see if it is 'writable' from the web?... i.e., does anyone know of a script or a process to run against the site?

Many Thanks
Steve


Title: Re: How to test if website is writable
Post by: lorddicranius on December 05, 2011, 02:54:19 AM
The company ran an assessment on your company's website, yet won't tell you the directory that's vulnerable? ???  I'd do my best to get that from them as this is pretty standard when you have an assessment done.  The whole purpose is to help you secure the website, not just say "yep, it's vulnerable" and turn their backs.  I understand you said that they did it off their own backs, but that's pretty low to not tell you exactly what's vulnerable if they're not going to help you fix it as well.

Check the directories that are publicly facing via the website (could be a large task if a large website :-S).  Any directories that are used to store user uploads, forms that allow users to upload files (e.g. avatars) - could be that the form is accepting all files, not just the filetype the form was developed for.


Title: Re: How to test if website is writable
Post by: dreams3577 on December 05, 2011, 03:23:20 AM
Hi

Thank you for the quick reply... The outside company will tell us, however a few thousand pounds will have to change hands before they do!!.. Hence the asking on here first..

I have checked the dirs, and there are no user upload dirs.

Thanks
Steve


Title: Re: How to test if website is writable
Post by: Ignatius on December 05, 2011, 12:26:32 PM
".... website has been analysed by an outside company, the outside company did it off their own back ...."

So they didn't get your company's permission first?  Your company didn't engage them?

Isn't that one of the first things that is drilled into Pen Testers ... get full written consent in advance, along with exactly what you are, and are not, permitted to do etc.?


Title: Re: How to test if website is writable
Post by: rance on December 06, 2011, 10:54:32 AM
"Writable" is a pretty generic term and can be interpreted many different ways.  They could be referring to directories, or "writing" to your SQL DB if you have one, it may also be a file injection vuln.

What bothers me most is your comment that they did it "off their own back"... The way you originally wrote that, it seems to me that this "company" did a pen test on your site without your permission, knowledge or consent.  True?

If true, they found an issue, and are now saying "we found something on your site, but we won't tell you until you pay us something."  True again?

If true again, this would be known as extortion (maybe something lesser, but extortion is such a sexy word).  At this point, you might want to get some legal people involved.  If whoever this is had wholesome pure intentions, they'd tell you what the problem was and not demand money.  If they pen tested your site without consent, you should have full legal precedence to go after them.  You might want to start collecting logs ASAFP in case you wind up in the middle of some legal action.  (Of course, this doesn't solve your issue of finding out what the flaw is.  You may get that information from legal proceedings, or you may have to hire a legit pen tester to find it for you.  Or, you could just shell out the dough to whoever this is, but they may also be scamming you.  You pay them, then you never hear from them again, or they send you on a goose chase, and they get a nice pay day.)

If this is a company you hired to perform a pen test, a full report, including technical details on any flaws should be part of the package.  If you have to pay extra for data... you need someone that writes better engagement contracts.  ;D


Title: Re: How to test if website is writable
Post by: xXxKrisxXx on December 06, 2011, 03:00:31 PM
Hi dreams3577,

Welcome to EH-NET! Assuming you do have permission, you could utilize the auxiliary module: auxiliary/scanner/http/writable in Metasploit. Here's a guide from within Metasploit Unleashed:
http://www.offensive-security.com/metasploit-unleashed/HTTP_Writable

I hope this is what you're looking for!


Title: Re: How to test if website is writable
Post by: kowloonboy on December 06, 2011, 03:16:54 PM
So in other words, they hack your company website without your consent. And blackmail your company to hand over a big lump sum of money, otherwise they will refuse to disclose to you the findings of the test (hack).

I think your company should call the Police.


Title: Re: How to test if website is writable
Post by: BreakThesec on December 15, 2011, 11:17:03 PM
I have many questions. You should ask yourself whenever you get these types of messages (to protect from spam mails):
----
How did they contact you? Mail?
Did you check the mail address?
Is it legitimate mail?
Did you search about the company in Google search with
"company_name review"
or
"Company_Name fraud" or "Company_Name cheat"
...

Attackers also send these types of messages and try to get confidential data (Social Engineering).

If you really want to find vulnerabilities, hire any legitimate company.


Title: Re: How to test if website is writable
Post by: HDCautism on December 16, 2011, 08:50:44 AM
@dreams3577 I realize that your original question is how to tell whether your website is "writable." I agree with the others that the entire situation is phishy (pun fully intended). Certain versions of IIS are vulnerable to having pages dumped into the root directory. I don't remember all the details, but if your IIS is configured to use index.htm (or index.html or default.htm or default.asp etc) as one of its preferred default pages, BUT any of those pages does not exist on the site, it is vulnerable to having someone dump their "you have been hacked" page into your IIS site. Which means someone goes to www.yoursite.com and sees "you have been hacked" instead of "welcome to yoursite."

The solution to this is, best I understand, to clean up the default page settings from within IIS. In Server 2003, open IIS Manager, right click your website name, choose Properties and go to the Documents tab.

HTH.


Title: Re: How to test if website is writable
Post by: l33t5h@rk on December 19, 2011, 10:30:42 AM
You need to contact your manager and the management team and have them speak to an attorney. I would imagine that will be a quick way to get a response from them. What they are doing now is more than unethical, it is illegal.


Title: Re: How to test if website is writable
Post by: vp75 on December 19, 2011, 12:52:08 PM
I believe and remember, there are different levels of service and based on that they provide a report; it should be provided in the terms & conditions when the work is undertaken by the outsourced company. But it doesn't look fair not disclosing the information about the vulnerability.
Mgmt should take action......


Title: Re: How to test if website is writable
Post by: chrisg on December 20, 2011, 09:52:14 PM
Check the HTTP allowed options and see if you can HTTP PUT or use WebDAV to write to a directory.
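
One way to read the result of the OPTIONS check suggested above, as an added example that is not part of the original post: it parses a raw OPTIONS reply and separates the write-capable methods the server lists server-wide (`Public`) from those it lists for the requested URL (`Allow`). The sample reply is constructed and the function name `summarize_options` is hypothetical.

```python
import email

# Methods that create, change or remove content (HTTP plus WebDAV).
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}

# Constructed sample of an OPTIONS reply from a server with WebDAV enabled.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, PROPFIND, SEARCH\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def _methods(value):
    """Split a comma-separated method list into an upper-cased set."""
    return {m.strip().upper() for m in (value or "").split(",") if m.strip()}

def summarize_options(raw_response):
    """Report which write methods are advertised, and at which scope."""
    status_line, _, header_block = raw_response.partition("\r\n")
    headers = email.message_from_string(header_block)  # case-insensitive lookup
    return {
        "status": int(status_line.split()[1]),
        "webdav": headers.get("DAV") is not None,
        # Public: methods the server as a whole implements.
        "server_wide_write": sorted(_methods(headers.get("Public")) & WRITE_METHODS),
        # Allow: methods listed for the URL that was actually requested.
        "this_url_write": sorted(_methods(headers.get("Allow")) & WRITE_METHODS),
    }

if __name__ == "__main__":
    print(summarize_options(SAMPLE_RESPONSE))
```

An empty `this_url_write` alongside a populated `server_wide_write` means the method exists on the server but is not offered for that URL, so each directory needs its own check.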


Title: Re: How to test if website is writable
Post by: MaXe on December 26, 2011, 03:41:20 PM
Word of advice: Try running a Nessus and / or NeXpose scan against your website, you will most likely get exactly the same results as the company that reported the "bug".

Often, it is just because IIS supports the PUT method or perhaps WebDAV, but that doesn't necessarily mean that it's actually exploitable, or something an attacker can use to his advantage. After all, the webserver may support the method, but may not allow it anywhere.

I would ask the target company to place a file on the server as proof that it is "writeable". If they can't, it's not writeable as they say.  :)
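
Whether a supported method was ever actually allowed can also be checked from the server's own logs. The following is an added example, not part of the original post: it scans IIS W3C extended log text for write-method requests and flags those that received a 2xx status. The log lines are constructed, and the function names are hypothetical.

```python
# Methods that create, change or remove content (HTTP PUT/DELETE plus WebDAV).
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}

# Constructed IIS W3C extended log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2011-12-04 22:10:01 GET /default.asp 198.51.100.7 200
2011-12-04 22:10:05 OPTIONS / 203.0.113.9 200
2011-12-04 22:10:06 PUT /probe.txt 203.0.113.9 403
2011-12-04 22:10:09 PUT /images/probe.txt 203.0.113.9 201
2011-12-04 22:10:12 DELETE /images/probe.txt 203.0.113.9 204
2011-12-04 22:11:30 MKCOL /new/ 203.0.113.9 501
"""

def write_attempts(log_text):
    """Return one dict per write-method request, flagged by outcome."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        method = row.get("cs-method", "").upper()
        if method not in WRITE_METHODS:
            continue
        raw_status = row.get("sc-status", "")
        status = int(raw_status) if raw_status.isdigit() else 0
        hits.append({
            "when": f'{row.get("date")} {row.get("time")}',
            "client": row.get("c-ip"),
            "method": method,
            "path": row.get("cs-uri-stem"),
            "status": status,
            "succeeded": 200 <= status < 300,  # 2xx: the server accepted it
        })
    return hits

def writable_paths(log_text):
    """Paths where at least one write-method request got a 2xx response."""
    return sorted({h["path"] for h in write_attempts(log_text) if h["succeeded"]})

if __name__ == "__main__":
    for hit in write_attempts(SAMPLE_LOG):
        print(hit)
    print("Accepted writes under:", writable_paths(SAMPLE_LOG))
```

Rejected attempts (403, 501) show the method being probed; only the 2xx rows indicate a location that accepted a write and needs its permissions reviewed.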


Title: Re: How to test if website is writable
Post by: nytfox on January 31, 2012, 02:36:48 AM
I'm not sure what you are asking by writable. But if you checked permissions on files and dirs and if they are not viewer writable then I guess you're fine. If they meant hackable, use some vuln scanning tools and see if they give you exploitable vulns. I prefer nikto, Acunetix WVS (spider throws big unwanted traffic but does a good job).