If we could download php/jsp/asp files we could have compromised 99% of the
sites running them. The purpose of jsp is to deliver html from a higher level
language,
not to give you the real source.
Cases when you can download jsp/php/asp files directly are : 1) when the server
is misconfigured instead of delivering html it will prompt you to save the
source file
2) you can try a sql injection and then through a small shell to get the
sources, but in that case the host is already partially if not all compromised
3) check tomcat, jboss in detail to better understand how to play with a poor
configuration
3) probably other ways too
----- Original Message ----
From: "victorfrankenstein@yahoo.com" <victorfrankenstein@yahoo.com>
To: pen-test@securityfocus.com
Sent: Friday, April 11, 2008 5:59:56 PM
Subject: donloading jsp for pen-test
Helo
I'm currently doing a pen-test against my company site. We have a web
application runing over tomcat - in jsp format, one of my goals is try to
conect to my datebase from internet using my webapp code. I try to download the
jsp files from web server but when i chek it the file contets is only a html
code, for this propose i do it whit linux wget, flashget, and others but all
ways whit the same result. If any one colud give me any idea about how can i
downlad the full jsp file i will appreciate a lot.
Tahnks very much.
Regards,
Victor
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
