
How to remote upload File / Folder in a 403: Forbidden / Write protected directory

Discussion in 'Ethical hacking' started by Rafales, Jun 23, 2009.

  1. Rafales

    Rafales New Member

    Hi Friends,

    This is purely ethical hacking and it is a test for me, so please help me with this issue. It's urgent.

    I want to create / remote upload a File and Folder in the Web Server that has got vulnerabilities.

    Example host:
    Server Type: Microsoft-IIS/6.0
    Server Side: PHP/ASP
    Application Server: PHP
    Web Server: IIS, IIS6

    Note: The website / webserver has got lots of vulnerabilities like Blind SQL Injection, Cross-Site Scripting, PHP Remote File Inclusion, SQL Injection, Stored Cross-Site Scripting, Windows File Parameter Alteration, Link Injection (facilitates Cross-Site Request Forgery), Unencrypted Login Request etc....

    Example URL:
    Now I want to create a Folder and remote upload a File under the "gulli_database" directory. The "gulli_database" directory is write protected / 403: Forbidden.

    Please help me create a Folder and remote upload the file under the "gulli_database" directory. Are there any scripts / exploits to bypass the folder protection and write in the folder?

    The File and folder should be uploaded remotely. The gulli_database/ is Forbidden / Write Protected for any users. Only admins can write inside the folder. Anonymously I have to bypass it and write into that folder "gulli_database/". Are there any commands / scripts I can execute in the URL of the browser, or do any tools exist to bypass the permissions of the folder and remote upload to the write protected directory?

    I tried the HTTP PUT/MKCOL methods but they don't work. I can view the contents of the directory. There is a guest book "comment" field where scripts can be injected.

    I am connecting to my remote server. WebDAV is enabled but the PUT and MKCOL methods are disabled. There is also a guest book that is vulnerable to injection.

    Please guide me on how to go about it.

    Thanks and Regards
  2. Hex00010

    Hex00010 New Member

    You stated

    PHP Remote File Inclusion

    That's your number 1 bet to allow a remote file upload = RFI where

    I would show examples but unfortunately we cannot even post 2 links in a post

    Google RFI examples / tutorials

    You also stated XSS. If the XSS is a permanent XSS and not client side, then you can set up a .js script in a remote folder and inject the site with an XSS that logs the account information
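
From the server owner's side, the requests discussed in this thread (WebDAV PUT/MKCOL attempts answered with 403, and a URL passed in a PHP parameter) leave traces in the IIS log. The following is an added example, not part of the original thread; the log lines, the field layout and the function name `scan` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log sample (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-06-23 10:00:01 192.0.2.10 GET /index.php page=news 200
2009-06-23 10:00:05 192.0.2.10 PUT /gulli_database/test.txt - 403
2009-06-23 10:00:07 192.0.2.10 MKCOL /gulli_database/new/ - 403
2009-06-23 10:00:09 192.0.2.10 GET /index.php page=http%3A%2F%2Fhost.invalid%2Fa.txt 200
2009-06-23 10:00:12 198.51.100.7 POST /guestbook.php - 200
"""

# WebDAV/HTTP methods that create or modify content on the server.
WRITE_METHODS = {"PUT", "MKCOL", "DELETE", "MOVE", "COPY", "PROPPATCH"}
# A parameter value that is itself a URL is the usual sign of an RFI attempt.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)


def scan(log_text):
    """Return (client_ip, finding, detail) tuples for suspicious requests."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows below
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        ip = rec.get("c-ip", "-")
        method = rec.get("cs-method", "").upper()
        if method in WRITE_METHODS:
            detail = "%s %s -> %s" % (
                method, rec.get("cs-uri-stem", "-"), rec.get("sc-status", "-"))
            findings.append((ip, "webdav-write", detail))
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            for pair in query.split("&"):
                name, _, value = pair.partition("=")
                # Decode twice so double-encoded values are also caught.
                if REMOTE_URL.match(unquote(unquote(value))):
                    findings.append((ip, "remote-url-param", name))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

IIS does not log POST bodies, so script injected through the guest book comment field will not show up here; that needs output encoding and input logging in the application itself.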
