如果你对此有情趣，跟我来...........
     当IIS启动CGI应用程序时，缺省用CreateProcessAsUser API来创建该CGI的新Process,该程序的安全上下文就由启动该CGI的用户决定。一般匿名用户都映射到IUSR_computername这个账号，当然可以由管理员改为其他的用户。或者由浏览器提供一个合法的用户。两者的用户的权限都是比较低，可能都属于guest组的成员。其实我们可以修改iis开启CGI的方式，来提高权限。我们来看iis主进程本身是运行在localsystem账号下的，所以我们就可以得到最高localsystem的权限。
     入侵web服务器后，一般都可以绑定一个cmd到一个端口来远程控制该服务器。这时可以有GUI的远程控制，比如3389，或者类telnet text方式的控制，比如rnc。nc肯定是可以用的,其实这也足够了。


1. telnet到服务器
     2. cscript.exe adsutil.vbs enum w3svc/1/root
     KeyType : (STRING) "IIsWebVirtualDir"
     AppRoot : (STRING) "/LM/W3SVC/1/ROOT"
     AppFriendlyName : (STRING) "默认应用程序"
     AppIsolated : (INTEGER) 2
     AccessRead : (BOOLEAN) True
     AccessWrite : (BOOLEAN) False
     AccessExecute : (BOOLEAN) False
     Accessscript : (BOOLEAN) True
     AccessSource : (BOOLEAN) False
     AccessNoRemoteRead : (BOOLEAN) False
     AccessNoRemoteWrite : (BOOLEAN) False
     AccessNoRemoteExecute : (BOOLEAN) False
     AccessNoRemotescript : (BOOLEAN) False
     HttpErrors : (LIST) (32 Items)
     "400,*,FILE,C:\WINNT\help\iisHelp\common\400.htm"
     "401,1,FILE,C:\WINNT\help\iisHelp\common\401-1.htm"
     "401,2,FILE,C:\WINNT\help\iisHelp\common\401-2.htm"
     "401,3,FILE,C:\WINNT\help\iisHelp\common\401-3.htm"
     "401,4,FILE,C:\WINNT\help\iisHelp\common\401-4.htm"
     "401,5,FILE,C:\WINNT\help\iisHelp\common\401-5.htm"
     "403,1,FILE,C:\WINNT\help\iisHelp\common\403-1.htm"
     "403,2,FILE,C:\WINNT\help\iisHelp\common\403-2.htm"
     "403,3,FILE,C:\WINNT\help\iisHelp\common\403-3.htm"
     "403,4,FILE,C:\WINNT\help\iisHelp\common\403-4.htm"
     "403,5,FILE,C:\WINNT\help\iisHelp\common\403-5.htm"
     "403,6,FILE,C:\WINNT\help\iisHelp\common\403-6.htm"
     "403,7,FILE,C:\WINNT\help\iisHelp\common\403-7.htm"
     "403,8,FILE,C:\WINNT\help\iisHelp\common\403-8.htm"
     "403,9,FILE,C:\WINNT\help\iisHelp\common\403-9.htm"
     "403,10,FILE,C:\WINNT\help\iisHelp\common\403-10.htm"
     "403,11,FILE,C:\WINNT\help\iisHelp\common\403-11.htm"
     "403,12,FILE,C:\WINNT\help\iisHelp\common\403-12.htm"
     "403,13,FILE,C:\WINNT\help\iisHelp\common\403-13.htm"
     "403,15,FILE,C:\WINNT\help\iisHelp\common\403-15.htm"
     "403,16,FILE,C:\WINNT\help\iisHelp\common\403-16.htm"
     "403,17,FILE,C:\WINNT\help\iisHelp\common\403-17.htm"
     "404,*,FILE,C:\WINNT\help\iisHelp\common\404b.htm"
     "405,*,FILE,C:\WINNT\help\iisHelp\common\405.htm"
     "406,*,FILE,C:\WINNT\help\iisHelp\common\406.htm"
     "407,*,FILE,C:\WINNT\help\iisHelp\common\407.htm"
     "412,*,FILE,C:\WINNT\help\iisHelp\common\412.htm"
     "414,*,FILE,C:\WINNT\help\iisHelp\common\414.htm"
     "500,12,FILE,C:\WINNT\help\iisHelp\common\500-12.htm"
     "500,13,FILE,C:\WINNT\help\iisHelp\common\500-13.htm"
     "500,15,FILE,C:\WINNT\help\iisHelp\common\500-15.htm"
     "500,100,URL,/iisHelp/common/500-100.asp"
     FrontPageWeb : (BOOLEAN) True
     Path : (STRING) "c:\inetpub\wwwroot"
     AccessFlags : (INTEGER) 513
     [/w3svc/1/root/localstart.asp]
     [/w3svc/1/root/_vti_pvt]
     [/w3svc/1/root/_vti_log]
     [/w3svc/1/root/_private]
     [/w3svc/1/root/_vti_txt]
     [/w3svc/1/root/_vti_script]
     [/w3svc/1/root/_vti_cnf]
     [/w3svc/1/root/_vti_bin]
     不要告诉我你不知道上面的输出是什么！！！！