How to remote upload File / Folder in a 403: Forbidden / Write protected directory

Discussion in 'Ethical hacking' started by Rafales, Jun 23, 2009.

  1. Rafales

    Rafales New Member

    Joined:
    Jun 23, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hi Friends,

    This is purely Ethical hacking and it is a test for me. so please help me in this issue. its urgent.

    I want to create / remote upload a File and Folder in the Web Server that has got vulnerabilities.

    Example host:
    Code:
    h**p://101.120.27.21/
    Server Type: Microsoft-IIS/6.0
    Server Side: PHP/ASP
    Application Server: PHP
    Web Server: IIS, IIS6


    Note: The website / webserver has got lots of vulnerabilities like Blind SQL Injection, Cross-Site Scripting, PHP Remote File Inclusion, SQL Injection, Stored Cross-Site Scripting, Windows File Parameter Alteration, Link Injection (facilitates Cross-Site Request Forgery), Unencrypted Login Request etc....

    Exampel URL:
    Code:
    h**p://101.120.27.21/gulli_database/
    Now I want to create a Folder and remote upload a File under the "gulli_database" directory. The "gulli_database" directory is write protected / 403: Forbidden.

    Please help me how to create a Folder and remote upload the file under "gulli_database" directory. Is there any scripts / exploits to bypass the the folder protection and write in the folder.

    The File and folder should be uploaded remotely. The gulli_database/ is Forbidden / Write Protected for any users. Only admins can write inside the folder. Anonymously I have to bypass it and write into that folder "gulli_database/". Are there any commands / scripts I can execute in the URL of the browser or any tools exist to bypass the permissions of the folder and remote upload to the write protected directory.

    I tried the http put/mkcol methods but doesnt work. i can view the contents of the directory. there is a guest book "comment" field where scripts can be injected.

    I am connecting to my remote server. webdav is enable but put and mkcol method is disabled. there is also a guest book that is vulnerable to injection.


    please guide me how to go about.


    Thanks and Regards
    Rafales
     
    Rafales, Jun 23, 2009
    SHARE #1
  2. Hex00010

    Hex00010 New Member

    Joined:
    Jul 21, 2009
    Messages:
    31
    Likes Received:
    0
    Trophy Points:
    0
    Re: How to remote upload File / Folder in a 403: Forbidden / Write protected director

    You stated

    PHP Remote File Inclusion

    Thats your number 1 bet to allow a remote file upload = RFI where

    i would show examples but unfortunately we can not even post 2 links on post

    google RFI examples/ tutuorials


    you also stated XSS if the XSS is a permenant XSS and not client side then you can setup a .js script onto a remote folder and inject the site with a xss that logs the account information
     
    Hex00010, Jul 21, 2009
    SHARE #2

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice