What are the three exploitation methods mentioned for command execution via modified web.config without valid credentials?
The article details three implementations: 1) Using ysoserial.net's `TextFormattingRunProperties` gadget with custom `--validationalg` and `--validationkey` to generate viewstate payloads sent via GET requests (e.g., to `errorFE.aspx`). 2) Using `ActivitySurrogateSelectorFromFile` from ysoserial.net-1.32 (fixed in 1.33 by zcgonvh) to load .NET assemblies for real-time command output. 3) Using shellcode-loading features in tools like zcgonvh's CVE-2020-0688 exploit. For background on Exchange backdoors, see Penetration Basics - Implementation of Exchange One-Liner Backdoor.
TextFormattingRunProperties, ActivitySurrogateSelectorFromFile, ysoserial.net, shellcode, viewstate payload, GET request