Ok, here's another problem I have had for way too long now and I want to fix.

Here's the scenario: I have got a limited shell on a server in a lab through a web application vulnerability.

By "limited shell", I mean:
- The shell doesn't give me any output on the screen and I cannot output results of commands in a file
- I can change directory and list files (using a second ASP shell), but that's about it.
- I am able to ftp files/modify files into the web root directory (for example, I have uploaded nc.exe in C:\inetpub\wwwroot)

So for example:
C:\Windows\system32>cd ../..     (works)
C:\>cd inetpub\wwwroot    (works)
C:\inetpub\wwwroot> dir    (doesn't display anything)
C:\inetpub\wwwroot> dir > files.txt    (doesn't create a file)
C:\inetpub\wwwroot> nc.exe -lvp 4444    (doesn't work)
C:\inetpub\wwwroot> nc.exe -v 192.168.1.20 4444    (doesn't work either)

I have tried 5 or 6 different ASP shells, but couldn't get much more out of it.

So what approach should I take at this point? Write my own ASP shell code? Focus on trying to get a full shell (for example, using netcat somehow)? Maybe priv escalation (I don't think so at this point, but I could be wrong)

I really just need a direction so I can continue working on a solution...

Thanks

Are you able to run "net" commands for "net user" etc?

What shells are you trying to use? What OS and version of IIS are you using?

I've encountered instances where i can blindly execute commands, but I can't think of a time where I was using a web shell and wasn't able to receive output for non-privileged commands.

Here's another collection of shells you might want to try: http://laudanum.inguardians.com/ I'm pretty sure there is at least one ASP-based shell in there.

Methodology-wise, I'd skip the fancy shells and just see if a basic script works. Something like executing the the value of a GET variable called cmd and output it to the screen. The web service account should at least be about to output a directory listing. If not, there may be something else quirky going on.

I didn't know that.
I will play with this later today.

Thanks ajohnson

I appreciate it ajohnson. Thanks