RCE Via [File Upload Control]

Hi Folks!

This is my 35th blog on web application security penetration testing. In this blog I will explain about Remote Code Execution by uploading ASP .NET Web Shell.

In my last blog, I have explained about XSS Through File Upload where “Attribute-Value” of the uploaded images are vulnerable to XSS. Hope everyone liked it. If you haven’t read it yet please follow along.

Before moving ahead, I am pretty much sure that everyone will definitely like this blog because in this blog I have explain everything about RCE like from uploading web shells to executing different commands after successful exploitation and also logging section to monitor web logs.

  1. I have written below code which basically create one File-Upload button to upload the files.

2. Below is the server side code written in Dot Net technology which will takes user uploaded file and PUT that file into ~/uploads Folder of the web application.

As Shown in below screen on the right hand side panel, I have Uploads folder in the web root directory to save uploaded files.

3. Next Step is to Host the Website on Locally (On Local IIS Server). As shown in below screen I have hosted website to IIS Server and named it as spitfire.

4. After hosting the website, I have set Default Document to Uploads.aspx so that when we run the application locally we will get Uploads.aspx web page as a default webpage.

5. Now run the web application. As shown in below screen we are getting default webpage i.e. Uploads.aspx to upload the web files.

For testing purpose I have uploaded below 3 files which is getting displayed in the Local IIS Server where website is hosted.

MU04–1.txt, csrf-json.html, test.svg.

6. Now let’s create windows web shell for Asp.net. I haven’t created it because under Kali Linux we can navigate to below file path to get all the ready web shells.

cd /usr/share/webshells

Let’s navigate to cd /usr/share/webshells/aspx/

7. I have copied it to the windows system by disabling Windows Defender Protection.

8. Now lets upload it to the web application server that is our Local IIS.

9. I have also enabled Logs on Local IIS server which will capture all the activities that end user can do with the web application. To capture the web log under IIS we can navigate to below file path.

Notice Uploaded Files are captured into the web logs.

10. Now everything is done so far, Let’s not wait and browse the uploaded file (cmdasp.aspx)from web browser to get web shell.

11. I have executed below commands to extract the information from Web server.

Command: dir [Get Directories]

Command: assoc [File Associations]

Command: Ipconfig [Configuration Info]

Command: systeminfo [Popular to get system info]

This is how, web shell works in real time. I hope everyone will enjoy this blog and will understand insight of the RCE via web shell.

Please do like, follow and comments for more reads!

Thanks!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store