Re: Pentesting Webserver

Have you tested to see if the FTP server is allowing uploads? Is the upload 
directory shared if one exists? I would not bypass FTP so soon.
Don?t forget the 2001 Apache compromise?
See Hal Pomeranz?s PPT at 
http://www.baylisa.org/library/slides/2002/baylisa-oct02.pdf
Regards,
Craig Wright
---In Reply to---
Hello all,
I am in the middle of a test, so far I found out ftp, amount other things 
allows anonymous login, but my main concern is looking for sql injection points.
I used Paros and found a point, I can enter something like anything' x' or x=x' 
for both the username and email filed on the form and that would allow me to 
login as username admin, now I would like to know how can I use this to get a 
full list of accounts and what not to include in my report.
I tried doing some queries of this nature from the web browser but I am not 
even getting an error message, ex http://test.com?email=code&password=code
Sql is a new area for me so any and all help is needed

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------