Penetration Testing mailing list archives

IIS 6 shell


From: "Ricardo Mourato" <ricardomcm () gmail com>
Date: Sat, 24 May 2008 18:43:14 +0100

Hi folks, first of all, sorry about my typing errors cause I am using
links at the moment :D (Gentoo installing here... :P)

I am doing a penetration test on a customer's application. I have found
many bugs such as XSS and some SQL injections. All those bugs are now
corrected, but I have found another one, pay attention:

The server is running Windows Server 2003 and IIS 6 fully patched,
only ports 80 and 443 are exposed to the world.
In the application we have an upload form to upload pictures to the
server; these pictures will be the users' avatars in the application
"forum".
The problem is that the verification of the uploaded files is made on
the client side by a JavaScript; worse, they only check the file extension
and not the content type. As you read previously, I am using links, so
bypassing the poor JavaScript security was easy, since links'
JavaScript support is also poor and the script did not run properly
and allowed me to upload any file including .exe .txt .js .php .aspx
(except asp!)

Yep, that's it. I was not allowed to upload an .asp script cause that
verification is made at server side. Don't know why... However, I can
upload files such as aspx and php, but the server seems to have a
"strange" behavior.

If I upload a php script, all the files in that directory are deleted;
once again, don't know why...

If I upload an aspx script with the content <% response.write("hey
dude, asp works!") %> it runs the script,
but if I create a more complex script for listing directories or copying
files or other things it gives me a "Server Error in "/" Application.
Runtime error bla bla bla.."

All the scripts are correctly written; being a Linux user at all, I
haven't much asp knowledge so I just downloaded them from one of the many
asp site tutorials found on Google.

Another thing, it seems that the application is written in asp (not
aspnet); the page extensions are .asp and they do not allow asp uploads,
remember?

In my opinion I think that the problem is

I write an asp script with aspnet extension and the server thinks that
it is an aspnet script and gives me the error. However, if I write a more
complex script in aspnet, including fileSystemObject and others, it
gives me the same error described previously.

Any clue on getting a shell?
Thanks in advance.
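
The message above describes avatar uploads that are validated only by client-side JavaScript, and only by extension. As an added example (not part of the original post or of the tested application), here is a server-side check in Python that allow-lists image extensions, verifies the leading magic bytes, and stores the file under a server-generated name. The function name, the size limit and the sample uploads are assumptions constructed for illustration.

```python
import os
import secrets

# Allowed avatar types: canonical extension -> accepted leading magic bytes.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {".jpeg": ".jpg"}
MAX_BYTES = 512 * 1024  # assumed size limit for an avatar


class UploadRejected(ValueError):
    """Raised when an upload fails a server-side check."""


def validate_avatar(client_filename: str, data: bytes) -> str:
    """Return a server-chosen storage name, or raise UploadRejected."""
    # Strip any path component the client sent (both separator styles).
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    ext = ALIASES.get(ext, ext)
    if ext not in MAGIC:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match the declared image type")
    # Random name + canonical extension: the stored file can never end in
    # a handler-mapped extension such as .aspx or .php.
    return secrets.token_hex(16) + ext


# Constructed sample uploads (not taken from the original post's traffic).
SAMPLES = [
    ("me.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("test.aspx", b'<% response.write("hey dude, asp works!") %>'),
    ("avatar.gif", b'<% response.write("hey dude, asp works!") %>'),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        try:
            print(name, "-> stored as", validate_avatar(name, body))
        except UploadRejected as err:
            print(name, "-> rejected:", err)
```

A magic-byte check is only a first filter; saving uploads to a directory where the web server has script execution disabled is the complementary control.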
