Web Development | cmd.exe from the server

Author	Message	Time
peofeoknight	http://quasi-ke.servebeer.com/ping.asp just thought it would be cool to try and run command prompt from the server, you could have a lot of fun with stuff like this. I coppied comd.exe into a sub dir on my c drive because I did not want to iusr read and execute permissions on that file in my windows dir.	May 1, 2004, 3:44 PM
Myndfyr	You should write an ISAPI extension so that it redirects stdout to the webpage directly, and then make it not send the content-length header so that the command streams to the browser (like webchannel works).	May 1, 2004, 6:00 PM
peofeoknight	well I could just ping from asp.net using system.net.sockets too, but this was only about 3 lines of code :P, plus its cool to execute command prompt from the internet, it just sounds awesome (and insecure :-X). Infact earlier today, I copied over ping.exe and took out the cmd /c ping ip, changed it to ping.exe /c ip, just so I do not have a fully copy of command prompt sitting in a dir with iusr permissions set.	May 2, 2004, 5:23 AM
St0rm.iD	Using cmd.exe from a web page is a BAD idea. Append \| dir to the end of hte IP	May 2, 2004, 9:27 PM
peofeoknight	[quote author=St0rm.iD link=board=22;threadid=6594;start=0#msg58140 date=1083533278] Using cmd.exe from a web page is a BAD idea. Append \| dir to the end of hte IP [/quote] Like I said in my last post, I am using ping.exe as I said now, which destroys almost all of the insecurity, I just had to disable the -l -t -n etc by replacing " " with "". Plus, I could also do this with a batch file if I wanted to. Keep in mind, this is not functional code, I would not only not use this on one of my sites, but there is no way to very well do it. I am doing a site for a chruch, who used to run the server from their biz class cable, but now moves to a host, and hosts do not allow you to upload .exe files or batch files for just this reason, so you cannot delete a butt load of critical files. Besides their would be no reason for me to use this on a church site. The only time where this would be handy is to ping a game server for a site, but like I said, if I wanted to do something like that I would write it with system.net.sockets because of not being able to upload that to a host. I aggree that it is a bad idea to use this for the real world, I just wanted to play with it. You have to aggree, it is pretty cool, you can run dos commands on a server from a web page.	May 3, 2004, 3:13 AM
Hitmen	[quote author=peofeoknight link=board=22;threadid=6594;start=0#msg58202 date=1083554004] I just had to disable the -l -t -n [/quote] That was the first thing I tried when I saw it :p	May 3, 2004, 3:20 AM
peofeoknight	[quote author=Hitmen link=board=22;threadid=6594;start=0#msg58205 date=1083554425] That was the first thing I tried when I saw it :p[/quote] yep, first thing I thought of too :D	May 3, 2004, 3:21 AM

Author

Message

Time

peofeoknight

http://quasi-ke.servebeer.com/ping.asp
just thought it would be cool to try and run command prompt from the server, you could have a lot of fun with stuff like this. I coppied comd.exe into a sub dir on my c drive because I did not want to iusr read and execute permissions on that file in my windows dir.

May 1, 2004, 3:44 PM

Myndfyr

You should write an ISAPI extension so that it redirects stdout to the webpage directly, and then make it not send the content-length header so that the command streams to the browser (like webchannel works).

May 1, 2004, 6:00 PM

peofeoknight

well I could just ping from asp.net using system.net.sockets too, but this was only about 3 lines of code :P, plus its cool to execute command prompt from the internet, it just sounds awesome (and insecure :-X). Infact earlier today, I copied over ping.exe and took out the cmd /c ping ip, changed it to ping.exe /c ip, just so I do not have a fully copy of command prompt sitting in a dir with iusr permissions set.

May 2, 2004, 5:23 AM

St0rm.iD

Using cmd.exe from a web page is a BAD idea. Append | dir to the end of hte IP

May 2, 2004, 9:27 PM

peofeoknight

[quote author=St0rm.iD link=board=22;threadid=6594;start=0#msg58140 date=1083533278]
Using cmd.exe from a web page is a BAD idea. Append | dir to the end of hte IP
[/quote] Like I said in my last post, I am using ping.exe as I said now, which destroys almost all of the insecurity, I just had to disable the -l -t -n etc by replacing " " with "". Plus, I could also do this with a batch file if I wanted to. Keep in mind, this is not functional code, I would not only not use this on one of my sites, but there is no way to very well do it. I am doing a site for a chruch, who used to run the server from their biz class cable, but now moves to a host, and hosts do not allow you to upload .exe files or batch files for just this reason, so you cannot delete a butt load of critical files. Besides their would be no reason for me to use this on a church site. The only time where this would be handy is to ping a game server for a site, but like I said, if I wanted to do something like that I would write it with system.net.sockets because of not being able to upload that to a host. I aggree that it is a bad idea to use this for the real world, I just wanted to play with it. You have to aggree, it is pretty cool, you can run dos commands on a server from a web page.

May 3, 2004, 3:13 AM

Hitmen

[quote author=peofeoknight link=board=22;threadid=6594;start=0#msg58202 date=1083554004]
I just had to disable the -l -t -n
[/quote]
That was the first thing I tried when I saw it :p

May 3, 2004, 3:20 AM

peofeoknight

[quote author=Hitmen link=board=22;threadid=6594;start=0#msg58205 date=1083554425]

That was the first thing I tried when I saw it :p[/quote] yep, first thing I thought of too :D

May 3, 2004, 3:21 AM

Valhalla Legends Forums Archive | Web Development | cmd.exe from the server