Oracle padding exploit - how does it download the web.config?

Question

I know there are already a few questions on SO about the oracle padding exploit but none of them explain how it downloads the web.config. I run a couple of ASP .NET apps which I

Answer 1

This blogpost is pretty interesting: http://www.gdssecurity.com/l/b/

also read this: How serious is this new ASP.NET security vulnerability and how can I workaround it?