1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to remote upload File / Folder in a 403: Forbidden / Write protected directory

Discussion in 'Ethical hacking' started by Rafales, Jun 23, 2009.

  1. Rafales

    Rafales New Member

    Joined:
    Jun 23, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    Hi Friends,

    This is purely Ethical hacking and it is a test for me. so please help me in this issue. its urgent.

    I want to create / remote upload a File and Folder in the Web Server that has got vulnerabilities.

    Example host:
    Code:
    h**p://101.120.27.21/
    Server Type: Microsoft-IIS/6.0
    Server Side: PHP/ASP
    Application Server: PHP
    Web Server: IIS, IIS6


    Note: The website / webserver has got lots of vulnerabilities like Blind SQL Injection, Cross-Site Scripting, PHP Remote File Inclusion, SQL Injection, Stored Cross-Site Scripting, Windows File Parameter Alteration, Link Injection (facilitates Cross-Site Request Forgery), Unencrypted Login Request etc....

    Exampel URL:
    Code:
    h**p://101.120.27.21/gulli_database/
    Now I want to create a Folder and remote upload a File under the "gulli_database" directory. The "gulli_database" directory is write protected / 403: Forbidden.

    Please help me how to create a Folder and remote upload the file under "gulli_database" directory. Is there any scripts / exploits to bypass the the folder protection and write in the folder.

    The File and folder should be uploaded remotely. The gulli_database/ is Forbidden / Write Protected for any users. Only admins can write inside the folder. Anonymously I have to bypass it and write into that folder "gulli_database/". Are there any commands / scripts I can execute in the URL of the browser or any tools exist to bypass the permissions of the folder and remote upload to the write protected directory.

    I tried the http put/mkcol methods but doesnt work. i can view the contents of the directory. there is a guest book "comment" field where scripts can be injected.

    I am connecting to my remote server. webdav is enable but put and mkcol method is disabled. there is also a guest book that is vulnerable to injection.


    please guide me how to go about.


    Thanks and Regards
    Rafales
     
  2. Hex00010

    Hex00010 New Member

    Joined:
    Jul 21, 2009
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    0
    Re: How to remote upload File / Folder in a 403: Forbidden / Write protected director

    You stated

    PHP Remote File Inclusion

    Thats your number 1 bet to allow a remote file upload = RFI where

    i would show examples but unfortunately we can not even post 2 links on post

    google RFI examples/ tutuorials


    you also stated XSS if the XSS is a permenant XSS and not client side then you can setup a .js script onto a remote folder and inject the site with a xss that logs the account information
     

Share This Page