RCE Via [File Upload Control]

Mohammad Mohsin
4 min readMay 28, 2022
Remote Code Execution

Hi Folks!

This is my 35th blog on web application security penetration testing. In this blog I will explain about Remote Code Execution by uploading ASP .NET Web Shell.

In my last blog, I have explained about XSS Through File Upload where “Attribute-Value” of the uploaded images are vulnerable to XSS. Hope everyone liked it. If you haven’t read it yet please follow along.

Before moving ahead, I am pretty much sure that everyone will definitely like this blog because in this blog I have explain everything about RCE like from uploading web shells to executing different commands after successful exploitation and also logging section to monitor web logs.

  1. I have written below code which basically create one File-Upload button to upload the files.
File Upload Functionality

2. Below is the server side code written in Dot Net technology which will takes user uploaded file and PUT that file into ~/uploads Folder of the web application.

Server Side Code to Upload Web Files

As Shown in below screen on the right hand side panel, I have Uploads folder in the web root directory to save uploaded files.

Uploads Folder

3. Next Step is to Host the Website on Locally (On Local IIS Server). As shown in below screen I have hosted website to IIS Server and named it as spitfire.

Hosted Website on Local IIS

4. After hosting the website, I have set Default Document to Uploads.aspx so that when we run the application locally we will get Uploads.aspx web page as a default webpage.

Set Default Document

5. Now run the web application. As shown in below screen we are getting default webpage i.e. Uploads.aspx to upload the web files.

File Upload Features.

For testing purpose I have uploaded below 3 files which is getting displayed in the Local IIS Server where website is hosted.

MU04–1.txt, csrf-json.html, test.svg.

Uploaded Files from Local IIS.

6. Now let’s create windows web shell for Asp.net. I haven’t created it because under Kali Linux we can navigate to below file path to get all the ready web shells.

cd /usr/share/webshells

Ready Web Shells Under Kali Linux

Let’s navigate to cd /usr/share/webshells/aspx/

Web Shell for Asp .NET ready to use

7. I have copied it to the windows system by disabling Windows Defender Protection.

Copied ASPX Web Shell to Windows System

8. Now lets upload it to the web application server that is our Local IIS.

Web Shell Uploaded Successfully

9. I have also enabled Logs on Local IIS server which will capture all the activities that end user can do with the web application. To capture the web log under IIS we can navigate to below file path.

Log File Location

Notice Uploaded Files are captured into the web logs.

WEB Logs
Web Shell Upload Captured into the web logs

10. Now everything is done so far, Let’s not wait and browse the uploaded file (cmdasp.aspx)from web browser to get web shell.

Browse to Uploaded Web Shell File

11. I have executed below commands to extract the information from Web server.

Command: dir [Get Directories]

Directories Extracted Successfully

Command: assoc [File Associations]

File Associations

Command: Ipconfig [Configuration Info]

IP Configuration Information

Command: systeminfo [Popular to get system info]

System Information

This is how, web shell works in real time. I hope everyone will enjoy this blog and will understand insight of the RCE via web shell.

Please do like, follow and comments for more reads!

Thanks!

--

--

Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.