How to remote upload File / Folder in a 403: Forbidden / Write protected Folder

This topic contains 4 replies, has 3 voices, and was last updated by  timmedin 9 years, 11 months ago.

  • Author
    Posts
  • #3927
     Rafales 
    Participant

    Hi Friends,

    This is purely Ethical hacking and it is a test for me. so please help me in this issue. its urgent.

    I want to create / remote upload a File and Folder in the Web Server that has got vulnerabilities.

    Example host:

    http://101.120.27.21/

    Server Type: Microsoft-IIS/6.0
    Server Side: PHP/ASP
    Application Server: PHP
    Web Server: IIS, IIS6

    Note: The website / webserver has got lots of vulnerabilities like Blind SQL Injection, Cross-Site Scripting, PHP Remote File Inclusion, SQL Injection, Stored Cross-Site Scripting, Windows File Parameter Alteration, Link Injection (facilitates Cross-Site Request Forgery), Unencrypted Login Request etc….

    Exampel URL:

    http://101.120.27.21/gulli_database/

    Now I want to create a Folder and remote upload a File under the “gulli_database” directory. The “gulli_database” directory is write protected / 403: Forbidden.

    Please help me how to create a Folder and remote upload the file under “gulli_database” directory. Is there any scripts / exploits to bypass the the folder protection and write in the folder.

    The File and folder should be uploaded remotely. The gulli_database/ is Forbidden / Write Protected for any users. Only

    admins can write inside the folder. Anonymously I have to bypass it and write into that folder “gulli_database/”. Are there any commands / scripts I can execute in the URL of the browser or any tools exist to bypass the permissions of the folder and remote upload to the write protected directory.

    I tried the http put/mkcol methods but doesnt work. i can view the contents of the directory. there is a guest book “comment” field where scripts can be injected.

    I am connecting to my remote server. webdav is enable but put and mkcol method is disabled. there is also a guest book that is vulnerable to injection.

    please guide me how to go about.

    Thanks and Regards
    Rafales

  • #25089
     Ketchup 
    Participant

    This looks suspiciously like a homework assignment.  😉

    I think that you should look into the MSSQL xp_cmdshell stored procedure.  Assuming your database user has access to this procedure and can write to the directory where you would like to upload the file, it should the trick.

  • #25090
     timmedin 
    Participant

    Do you know the underlying RDMS? If you don’t send a malformed SQL injection and see what error is returned in order to determine the RDMS. If you can get sql injection you may be able to write a php file (php shell) to do your dirty work.

  • #25091
     Rafales 
    Participant

    Now I have the Admin user name and pass of http://101.120.27.21/

    Server Type: Microsoft-IIS/6.0
    Server Side: PHP/ASP
    Application Server: PHP
    Web Server: IIS, IIS6

    Now I need to upload a file from my local system C:test.txt to http://101.120.27.21/gulli_database/

    First I need to remotely login as admin to the remote webserver and then copy a text file from the local system (C:text.txt) to the remote folder http://101.120.27.21/gulli_database/

    If I don’t login as admin I get “Access Denied” Error Message when I copy a txt file to gulli_database. How to login into remote web server as admin

    What type of connection should I use. Will “Net Use” commands help or should I try thru. FTP / Telnet.

    which method will be sucessfull Net Use commands / Telnet / FTP

    please give me syntax and commands for NET USE commands / FTP / Telnet

    Step 1. Login to remote web server as admin from my Local System
    Step 2. copy C:text.txt to http://101.120.27.21/gulli_database/ and create a Folder name “Test” in http://101.120.27.21/gulli_database/

    Please guide me in this regard

    Thanks and Regards
    Rafales

  • #25092
     timmedin 
    Participant

    What is this server? This is a publicly routable ip address.

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?