When Microsoft IIS receives a valid request for an executable file, the filename
is passed on to the underlying operating system, which executes the file.
If IIS receives a specially formed request for an executable file followed by
operating system commands, it processes the entire string rather than rejecting it.
A malicious user can therefore run system commands through cmd.exe in the context
of the IUSR_machinename account, which could lead to privilege escalation;
deletion, addition, and modification of files; or full compromise of the server.
For exploitation to succeed, the requested file must be an existing .bat or .cmd
file residing in a folder on which the user has execute permissions.
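
A log triage sketch for the condition described above, added here as an example and not part of the original advisory: it scans an IIS W3C extended log for requests that name a .bat or .cmd file and separates plain requests from those carrying extra text after the filename. The log excerpt, the APPENDED-TEXT placeholder and the function name triage are constructed for illustration, and the code assumes any appended text is recorded in cs-uri-stem or cs-uri-query.

```python
import re

# Constructed IIS W3C extended log excerpt (not from a real server).
# APPENDED-TEXT is a placeholder for whatever follows the filename.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-06 10:00:01 192.0.2.10 GET /default.htm - 200
2000-11-06 10:00:05 192.0.2.11 GET /scripts/report.bat - 200
2000-11-06 10:00:09 192.0.2.12 GET /scripts/report.BAT+APPENDED-TEXT - 200
2000-11-06 10:00:12 192.0.2.13 GET /cgi-bin/job.cmd arg=APPENDED-TEXT 502
2000-11-06 10:00:15 192.0.2.14 GET /docs/notes.batch.txt - 200
"""

# Shortest prefix ending in .bat/.cmd (any case), not followed by a letter or
# digit so that names like notes.batch.txt are ignored; the rest is the trailer.
BATCH_RE = re.compile(
    r"^(?P<file>.*?\.(?:bat|cmd))(?![A-Za-z0-9])(?P<trailer>.*)$", re.IGNORECASE)

def triage(log_text):
    """Return one finding per request that names a .bat or .cmd file."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        match = BATCH_RE.match(row.get("cs-uri-stem", ""))
        if not match:
            continue
        query = row.get("cs-uri-query", "-")
        extra = match.group("trailer") or ("" if query == "-" else query)
        findings.append({
            "client": row.get("c-ip"),
            "file": match.group("file"),
            "extra": extra,
            # "inventory": a batch file is reachable through the web server.
            # "review": the request carried text beyond the filename.
            "severity": "review" if extra else "inventory",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Every "inventory" hit also identifies a batch file that meets the precondition stated above and is a candidate for removal from the executable folder.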