Which technique ti use and when for web pentest (cmdasp.aspx, reverse.aspx, web.config....)

Hi everyone

I would like to know when to use a weaponized web.config or a cmdasp.aspx?
For example on the machine named B***ty, the weaponized Web.config that contains a reverse shell (calling a reverse shell), it worked

But on devel it doesn’t.
I just would like to know which hint can tell me, which technique to use and when?

I also uploaded a reverse.aspx but it generated a web.config error. So i thought “cool, let’s upload a weaponized web.config”, but no luck

That’s why I would like to know what can tell me which technique to use and when.

Thanks guys!

@tomski said:

That’s why I would like to know what can tell me which technique to use and when.

Well, a lot of the time it is just trial and error. There isn’t really a big sign saying “use this exploit”, so a lot of time is spent testing various exploits to see if they work.

I haven’t looked at devel, but I think the webshell should work - the web config error might mean something else was broken.


In fact, you should choose the right option for yourself. I think you can’t use the internet without it unless you are anonymous. Most often, a cyberattack looks quite ordinary: in the worst case, a notification appears on the user’s screen that his computer is encrypted, and a demand to pay a ransom. Often, nothing visible happens at all — many malware try to behave as quietly and imperceptibly as possible in order to have time to steal as much valuable information as possible before they are noticed. But my friend told me that I can secure my data thanks to ( Cyber-Security. How to protect yourself from cyber-attacks ) strong password generator and it really works! This site generates such unusual and cool floggings that I am delighted!