Sometimes simpler is better
I gave a presentation on Essential Pentesting Methodology last night at the monthly SoCalITPro meeting. It was a last-minute event, but it went very well and a lot of IT folks got a lean and mean introduction to the issues that surround a successful penetration test.
We also demonstrated an ASP code injection. We had a simple ASP app that wrote files with little input filtering, so one could write their own ASP pages remotely. We were running commands and talked about how we could put an ASP shell in the webpage itself (have you ever seen PHPShell?). Since we were demonstrating without a formal example, I ended up hacking together an ASP shell script and put it at http://www.bluenotch.com/resources/. I wasn't going to bother publishing it since http://aspshell.sourceforge.net exists, but after checking it out I realized it's a little more complicated than necessary, and I was unable to use it for the ASP code injection demonstration I'm cooking up for Core Security's January 22nd Webcast. Thought somebody might find this one useful.
Update: Sorry, that link was originally to another webcast Core is hosting; I've corrected the link.
BTW, there is still room for a few people at the SANS Security 560 Network Penetration Testing with bootcamp. Please email me if you missed the discount code.